CVE-2022-41572
📋 TL;DR
CVE-2022-41572 is a privilege escalation vulnerability in EyesOfNetwork (EON) where nmap can be executed with root privileges, allowing attackers to gain complete control of the server. This affects all EyesOfNetwork installations through version 5.3.11. Attackers with initial access can escalate to root privileges.
💻 Affected Systems
- EyesOfNetwork (EON)
📦 What is this software?
EyesOfNetwork by EyesOfNetwork
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, lateral movement, ransomware deployment, and persistent backdoor installation.
Likely Case
Attackers with initial access (even low-privilege) gain root privileges and establish persistence on the server.
If Mitigated
Limited impact if proper network segmentation and least privilege principles are enforced, though local privilege escalation remains possible.
🎯 Exploit Status
Exploitation requires initial access to the system (even as a low-privilege user). The privilege escalation mechanism is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.3.12 or later
Vendor Advisory: https://github.com/EyesOfNetworkCommunity/eonweb/issues/120
Restart Required: Yes
Instructions:
1. Back up your EON configuration and database.
2. Download and install EON version 5.3.12 or later from the official repository.
3. Follow the upgrade documentation.
4. Restart all EON services.
5. Verify the fix by checking the version and testing privilege escalation.
🔧 Temporary Workarounds
Remove nmap SUID bit
Linux: Remove the setuid bit from the nmap binary to prevent privilege escalation
sudo chmod u-s $(which nmap)
Restrict nmap execution
Linux: Remove execute permissions for non-root users on the nmap binary
sudo chmod 750 $(which nmap)
sudo chown root:root $(which nmap)
🧯 If You Can't Patch
- Implement strict network segmentation to isolate EON servers from critical systems
- Apply principle of least privilege and monitor for suspicious privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check whether nmap has the SUID bit set and the EON version is ≤5.3.11:
ls -la $(which nmap) | grep '^...s' && eon --version
Check Version:
eon --version
Verify Fix Applied:
Verify that nmap no longer has the SUID bit set and the EON version is ≥5.3.12:
ls -la $(which nmap) | grep -v '^...s' && eon --version
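A stricter form of the checks above, as an added example that is not EON's or this page's own code: it tests the setuid bit with `[ -u ]`, which follows symlinks and also catches the `S` mode that `grep '^...s'` misses, and compares the version numerically against 5.3.11. It goes beyond the page by also listing sudoers rules that name nmap, a second way a binary can end up running as root; the function names are hypothetical and the version string is supplied by the operator.

```sh
#!/bin/sh
# Added example: audit helpers for the nmap-as-root condition described above.
# Function names are hypothetical; nothing here is EON code.

# Return 0 when dotted version $1 <= $2, comparing fields numerically
# (so 5.3.9 < 5.3.11). Non-digit suffixes such as "-1" are ignored.
version_le() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 0
}

# Return 0 when the file is setuid. Unlike parsing `ls -la`, -u follows
# symlinks and is true whether ls would show "s" or "S".
has_setuid() {
    [ -u "$1" ]
}

# Return 0 when both conditions from the page hold:
# EON version <= 5.3.11 and the nmap binary at $2 is setuid.
eon_nmap_exposed() {
    version_le "$1" 5.3.11 && has_setuid "$2"
}

# Beyond the page: print active (non-comment) sudoers lines naming nmap.
nmap_sudo_rules() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -v '^[[:space:]]*#' "$f" | grep -w 'nmap' |
            while IFS= read -r line; do printf '%s: %s\n' "$f" "$line"; done
    done
    return 0
}

# Usage (run as root so sudoers files are readable):
#   eon_nmap_exposed "5.3.11" "$(command -v nmap)" && echo "exposed"
#   nmap_sudo_rules /etc/sudoers /etc/sudoers.d/*
```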
📡 Detection & Monitoring
Log Indicators:
- Unexpected nmap execution by non-root users
- Privilege escalation attempts in system logs
- EON user executing commands with sudo or su
Network Indicators:
- Unusual outbound connections from EON server
- Port scans originating from EON server
SIEM Query:
source="syslog" ("nmap" AND "elevated" OR "privilege") OR (process="nmap" AND user!="root")