CVE-2018-1000044
📋 TL;DR
This vulnerability allows attackers to execute arbitrary SQL commands via the sensors parameter in the .inc/callback.php file of Squert. It affects Security Onion Solutions Squert versions 1.1.1 through 1.6.7, potentially compromising the entire database and system. Organizations using vulnerable Squert installations for security monitoring are at risk.
💻 Affected Systems
- Security Onion Solutions Squert
📦 What is this software?
Squert by Securityonion
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data exfiltration, privilege escalation, and potential remote code execution on the underlying server.
Likely Case
Unauthorized database access allowing attackers to read, modify, or delete security event data, potentially hiding malicious activity from detection.
If Mitigated
Limited impact with proper input validation and database permissions, potentially only allowing data viewing without modification.
🎯 Exploit Status
SQL injection vulnerabilities are commonly weaponized. The advisory provides technical details that could be used to create exploits.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.0
Vendor Advisory: http://blog.securityonion.net/2018/01/security-advisory-for-squert.html
Restart Required: Yes
Instructions:
1. Back up the current Squert configuration and data.
2. Update Security Onion to the latest version.
3. Verify the Squert version is 1.7.0 or higher.
4. Restart the Squert service: sudo so-squert-restart
🔧 Temporary Workarounds
Block access to vulnerable endpoint
Linux: temporarily block web access to the .inc/callback.php file
sudo iptables -A INPUT -p tcp --dport 80 -m string --string ".inc/callback.php" --algo bm -j DROP
sudo iptables -A INPUT -p tcp --dport 443 -m string --string ".inc/callback.php" --algo bm -j DROP
# Note: the string match only sees plaintext, so the port 443 rule does not match requests inside TLS; block the path in the web server or a TLS-terminating proxy instead for HTTPS.
Input validation via WAF
All platforms: configure a web application firewall to block SQL injection patterns
# Configure ModSecurity or similar WAF with SQL injection rules
# Example ModSecurity rule: SecRule ARGS "@detectSQLi" "id:1000,phase:2,deny"
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Squert from untrusted networks
- Deploy additional monitoring and alerting for suspicious database queries
🔍 How to Verify
Check if Vulnerable:
Check Squert version: grep 'SQUERT_VERSION' /etc/squert/squert.conf or check web interface footer
Check Version:
grep SQUERT_VERSION /etc/squert/squert.conf || echo "Check web interface footer for version"
Verify Fix Applied:
Confirm the version is 1.7.0 or higher and re-test the callback.php endpoint with SQL injection payloads to confirm they are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple requests to .inc/callback.php with SQL-like parameters
- Database error messages containing SQL syntax
Network Indicators:
- HTTP requests to .inc/callback.php with SQL keywords in parameters
- Unusual database connection patterns from web server
SIEM Query:
source="web_access.log" AND uri="*/.inc/callback.php" AND param="sensors" AND (value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "INSERT")
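The log indicators above can be checked offline against web-server access logs. The following is an added example, not code from Squert or Security Onion: it parses combined-format access-log lines (the log format and the `/squert/` mount path are assumptions), keeps only requests to `.inc/callback.php`, and flags any `sensors` value containing SQL syntax. It goes slightly beyond the page's keyword list by also matching `UPDATE`, `DELETE`, `DROP`, quote and comment markers, and by decoding the value a second time so double-URL-encoded payloads are caught. The sample log lines are constructed.

```python
"""Flag requests to Squert's .inc/callback.php whose `sensors` parameter
carries SQL syntax, working over web-server access-log lines.

Added example; not code from Squert or Security Onion."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache/nginx "combined" style access-log line (format is an assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# SQL tokens worth alerting on in a parameter that should only ever hold
# sensor identifiers: the keywords the advisory names plus a few more,
# and the quote/comment characters injection payloads rely on.
SQL_TOKEN_RE = re.compile(
    r"\b(UNION|SELECT|INSERT|UPDATE|DELETE|DROP)\b|'|--|/\*", re.IGNORECASE
)

VULNERABLE_PATH = "/.inc/callback.php"

# Constructed sample lines: one benign request, one single-encoded payload,
# one request to a different script, one double-encoded payload, one POST
# with no query string, and one malformed line.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2018:12:00:01 +0000] "GET /squert/.inc/callback.php?sensors=sensor1,sensor2&since=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Feb/2018:12:00:02 +0000] "GET /squert/.inc/callback.php?sensors=x%27%20UNION%20SELECT%201%20--%20 HTTP/1.1" 200 2048 "-" "curl/7.58"
10.0.0.9 - - [10/Feb/2018:12:00:03 +0000] "GET /squert/index.php?sensors=x%27 HTTP/1.1" 200 100 "-" "curl/7.58"
10.0.0.7 - - [10/Feb/2018:12:00:04 +0000] "GET /squert/.inc/callback.php?sensors=x%2527%2520OR%25201%253D1 HTTP/1.1" 200 100 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Feb/2018:12:00:05 +0000] "POST /squert/.inc/callback.php HTTP/1.1" 200 100 "-" "Mozilla/5.0"
this line is not an access-log record
"""


def is_callback_request(target: str) -> bool:
    """True if the request path ends with the vulnerable endpoint."""
    return urlsplit(target).path.endswith(VULNERABLE_PATH)


def sql_tokens_in(value: str):
    """Return the distinct SQL tokens found in a parameter value.

    The value is decoded once more so a double-URL-encoded payload
    (e.g. %2527 for a quote) is also caught.
    """
    decoded = unquote_plus(value)
    return sorted({m.group(0).upper() for m in SQL_TOKEN_RE.finditer(decoded)})


def find_suspicious(log_text: str):
    """Scan access-log text and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_callback_request(m.group("target")):
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs performs the first URL-decoding pass for us.
        for value in parse_qs(query, keep_blank_values=True).get("sensors", []):
            tokens = sql_tokens_in(value)
            if tokens:
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "sensors": unquote_plus(value),
                    "tokens": tokens,
                })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} sensors={f['sensors']!r} tokens={f['tokens']}")
```

Feed real logs with `find_suspicious(open(path).read())`; the second sample line is flagged for `'`, `UNION`, `SELECT` and `--`, the double-encoded line for the quote alone, and the `index.php` request is ignored because the path filter comes before any keyword matching. Tune `SQL_TOKEN_RE` to the sensor naming scheme in use if legitimate names ever contain a matched character.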