CVE-2020-27887
📋 TL;DR
CVE-2020-27887 is an authenticated remote code execution vulnerability in EyesOfNetwork's AutoDiscovery module. An authenticated user with sufficient privileges can execute arbitrary operating system commands via the nmap_binary parameter. This affects EyesOfNetwork installations with vulnerable versions exposed to authenticated users.
💻 Affected Systems
- EyesOfNetwork
📦 What is this software?
EyesOfNetwork by EyesOfNetwork
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing an attacker to execute arbitrary commands with web server privileges, potentially leading to lateral movement, data exfiltration, or complete system takeover.
Likely Case
Privilege escalation leading to unauthorized access to sensitive network monitoring data and potential further exploitation of the monitoring infrastructure.
If Mitigated
Limited impact if proper authentication controls, privilege separation, and input validation are implemented.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via parameter manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 5.3-8
Vendor Advisory: https://github.com/EyesOfNetworkCommunity/eonweb/issues/76
Restart Required: Yes
Instructions:
1. Upgrade to EyesOfNetwork version newer than 5.3-8.
2. Apply any available security patches from the vendor.
3. Restart the EyesOfNetwork services.
🔧 Temporary Workarounds
Disable AutoDiscovery module
Linux: Temporarily disable the vulnerable AutoDiscovery module to prevent exploitation.
mv /usr/share/eyesofnetwork/lilac/autodiscovery.php /usr/share/eyesofnetwork/lilac/autodiscovery.php.disabled
Restrict access to AutoDiscovery
All platforms: Implement strict access controls to limit which users can access the AutoDiscovery module.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate EyesOfNetwork from critical systems
- Enforce principle of least privilege for all user accounts accessing the EyesOfNetwork interface
🔍 How to Verify
Check if Vulnerable:
Check the EyesOfNetwork version with cat /etc/eyesofnetwork-release or in the web interface. If the version is between 5.3 and 5.3-8 inclusive, the system is vulnerable.
Check Version:
cat /etc/eyesofnetwork-release 2>/dev/null || grep 'Version' /usr/share/eyesofnetwork/version.txt
Verify Fix Applied:
Verify that the version is newer than 5.3-8 and confirm that autodiscovery.php no longer accepts arbitrary commands in the nmap_binary parameter.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution patterns in web server logs for autodiscovery.php
- Suspicious nmap_binary parameter values containing shell metacharacters
Network Indicators:
- Unusual outbound connections from EyesOfNetwork server following autodiscovery.php requests
SIEM Query:
source="apache_access.log" AND uri="/lilac/autodiscovery.php" AND param="nmap_binary" AND (value CONTAINS "|" OR value CONTAINS ";" OR value CONTAINS "`" OR value CONTAINS "$")
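The same check as a stand-alone log scanner, added here as an example and not part of the original advisory. It assumes Apache combined-format access logs and that nmap_binary travels in the query string of a GET request; parameters sent in a POST body do not appear in standard access logs, so this cannot see them. The log lines below are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Shell metacharacters that have no place in a path to an nmap binary
# (the same set the SIEM query above looks for, plus & and newline).
SHELL_META = set("|;`$&\n")

# Constructed sample lines: one legitimate call, one carrying a ';' in the
# decoded nmap_binary value, one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - admin [10/Mar/2021:14:02:11 +0000] "GET /lilac/autodiscovery.php?nmap_binary=%2Fusr%2Fbin%2Fnmap HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - admin [10/Mar/2021:14:05:42 +0000] "GET /lilac/autodiscovery.php?nmap_binary=%2Fusr%2Fbin%2Fnmap%3Bid HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2021:14:06:00 +0000] "GET /index.php HTTP/1.1" 302 0 "-" "curl/7.68.0"
"""


def suspicious_params(target):
    """Return every percent-decoded nmap_binary value containing a shell metacharacter."""
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get("nmap_binary", [])
    return [v for v in values if SHELL_META & set(v)]


def scan_log(lines):
    """Return (ip, user, timestamp, value) for autodiscovery.php requests
    whose nmap_binary parameter carries shell metacharacters."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if not urlsplit(m["target"]).path.endswith("/autodiscovery.php"):
            continue
        for value in suspicious_params(m["target"]):
            findings.append((m["ip"], m["user"], m["ts"], value))
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print("suspicious nmap_binary from %s (user %s) at %s: %r" % hit)
```

Decoding before matching matters: an encoded %3B would slip past a query that only searches the raw request line for a literal ";".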
🔗 References
- http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso
- https://github.com/EyesOfNetworkCommunity/eonweb/issues/76
- https://www.eyesofnetwork.com/en