-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin ASB-2015.0058
          A vulnerability has been identified in OSSEC
                           15 June 2015
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              OSSEC
Operating System:     Virtualisation
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Root Compromise -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-3222
Member content until: Wednesday, July 15 2015

OVERVIEW

        A vulnerability has been identified in OSSEC prior to version 2.8.2.
        The affected syscheck report_changes feature was introduced in OSSEC
        2.7, so releases from 2.7 up to and including 2.8.1 are affected. [1]

IMPACT

        The vendor has provided the following details regarding the
        vulnerability:

        "The CVE-2015-3222 vulnerability, which allows for root escalation
        via syscheck, has been fixed in OSSEC 2.8.2. This issue does not
        affect agents." [1]

        "Beginning in OSSEC 2.7 (d88cf1c) a feature was added to syscheck,
        which is the daemon that monitors file changes on a system, called
        report_changes. This feature is only available on *NIX systems. Its
        purpose is to help determine what about a file has changed." [2]

        "The raw filename is passed in as an argument which presents an
        attacker with the possibility to run arbitrary code. Since the
        syscheck daemon runs as the root user so it can inspect any file on
        the system for changes, any code run using this vulnerability will
        also be run as the root user." [2]

        "Again, this vulnerability exists only on *NIX systems and is
        contingent on the following criteria:

         - A vulnerable version is in use.
         - The OSSEC agent is configured to use syscheck to monitor the
           file system for changes.
         - The list of directories monitored by syscheck includes those
           writable by underprivileged users.
         - The report_changes option is enabled for any of those
           directories."
        [2]

MITIGATION

        The vendor advises that OSSEC 2.8.2, which fixes this issue, is
        available for download. [3] Until the upgrade is applied, the
        criteria above imply that the exposure can be removed by disabling
        report_changes on any monitored directory that unprivileged users
        can write to.

REFERENCES

        [1] security/ossec-hids -- root escalation via syscheck feature
            http://www.vuxml.org/freebsd/c470db07-1098-11e5-b6a8-002590263bf5.html

        [2] Fix for CVE-2015-3222 which allows for root escalation via syscheck
            https://github.com/ossec/ossec-hids/releases/tag/2.8.2

        [3] CVE-2015-3222 Vulnerability Fixed in OSSEC 2.8.2
            http://www.ossec.net/?p=1198

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
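The criteria quoted under IMPACT can be checked mechanically against an agent's ossec.conf. The script below is an added example, not part of this bulletin and not OSSEC project code. It assumes the standard `<syscheck><directories report_changes="yes">comma,separated,paths</directories>` layout, approximates "writable by underprivileged users" from directory ownership and mode bits (a heuristic, not OSSEC's own logic), and takes the affected range 2.7 up to 2.8.1 from the advisory. The configuration fragment it falls back to when no file is given is constructed for illustration.

```python
"""Audit an OSSEC agent configuration for the CVE-2015-3222 preconditions.

Added example (not AusCERT's or OSSEC's code).  Assumptions: ossec.conf uses
the <syscheck><directories ...>comma,separated,paths</directories> layout,
report_changes="yes" is the option the advisory refers to, and "writable by
underprivileged users" is approximated from ownership and mode bits.
"""
import os
import re
import stat
import sys
import xml.etree.ElementTree as ET

# Constructed sample configuration fragment (not taken from the bulletin).
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" report_changes="yes">/tmp,/srv/upload</directories>
    <directories check_all="yes" report_changes="no">/var/tmp</directories>
  </syscheck>
</ossec_config>"""

FIXED_VERSION = (2, 8, 2)   # fix shipped in 2.8.2 per the advisory
FIRST_AFFECTED = (2, 7, 0)  # report_changes was introduced in 2.7


def parse_version(text):
    """'2.8.1' -> (2, 8, 1); a missing patch level counts as 0."""
    nums = re.findall(r"\d+", text)
    parts = tuple(int(n) for n in nums[:3])
    return parts + (0,) * (3 - len(parts))


def version_affected(text):
    """True for releases from 2.7 up to, but not including, 2.8.2."""
    return FIRST_AFFECTED <= parse_version(text) < FIXED_VERSION


def _parse(conf_text):
    # ossec.conf may hold several top-level <ossec_config> blocks, which is
    # not well-formed XML, so drop any XML declaration and wrap the file in
    # a synthetic root before parsing.
    conf_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", conf_text)
    return ET.fromstring("<root>" + conf_text + "</root>")


def syscheck_enabled(conf_text):
    """Syscheck runs unless <syscheck><disabled>yes</disabled> is set."""
    for sc in _parse(conf_text).iter("syscheck"):
        d = sc.find("disabled")
        if d is not None and (d.text or "").strip().lower() == "yes":
            return False
    return True


def report_changes_dirs(conf_text):
    """Directories for which report_changes="yes" is set."""
    dirs = []
    for sc in _parse(conf_text).iter("syscheck"):
        for d in sc.iter("directories"):
            if d.get("report_changes", "no").strip().lower() != "yes":
                continue
            dirs.extend(p.strip() for p in (d.text or "").split(",") if p.strip())
    return dirs


def writable_by_unprivileged(path):
    """Heuristic: owned by a non-root uid, group-writable with a non-root
    gid, or world-writable.  Missing paths are treated as not exposed."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    m = st.st_mode
    if st.st_uid != 0:
        return True
    if m & stat.S_IWGRP and st.st_gid != 0:
        return True
    return bool(m & stat.S_IWOTH)


def exposed_dirs(conf_text, writable=writable_by_unprivileged):
    """Directories meeting every configuration-side criterion above."""
    if not syscheck_enabled(conf_text):
        return []
    return [p for p in report_changes_dirs(conf_text) if writable(p)]


if __name__ == "__main__":
    conf = sys.argv[1] if len(sys.argv) > 1 else "/var/ossec/etc/ossec.conf"
    try:
        with open(conf) as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_CONF  # fall back to the constructed sample
    ver = sys.argv[2] if len(sys.argv) > 2 else None
    hits = exposed_dirs(text)
    print("version affected:", version_affected(ver) if ver else "unknown")
    for p in hits:
        print("report_changes on directory writable by unprivileged users:", p)
    sys.exit(1 if hits else 0)
```

Run it as `python3 audit.py /var/ossec/etc/ossec.conf 2.8.1` on the agent host itself, since the ownership and mode checks must see the real directories; a non-zero exit means at least one monitored directory meets the advisory's criteria and the fix in 2.8.2 (or disabling report_changes for that directory) applies.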
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVX5t+n6ZAP0PgtI9AQK+DRAAiTcjKa2HYB2ijVbboc38qI245HGi7q06
V5hlxGXc5c6Thj50acGF0E5TcElGuHL2pY5rH3p8mXAz0TPF9BJu2UYYNJRg9Q9n
EG6R0VMYgcY+pUEYGfdbwM7B7ohI7jsQoDU7mJQ4sxHuu+aTYTRX7yNwZbU7Pvbt
RLzHNIgpHv/i7qgfp9m/wIrbtDwu/lG6yDeF4XhxPLn7UpVbHx4QM6/naKzrDgjk
IqEzL/e3Oof9wAj2Lc14AgPhvstjTygXRhudVo1wvNONO0wGnlPSlxlDZRptuZv3
cbQcZX4kt7FsCs/Sroh+dTy0iuEzI/sqhBpvzvDXV0FMz6AjKgkOSSEBE0aONvF0
564GZHbY+UwUgWnk0m6sfwJfliazH1jBJej//P15yL3T+Y7NDcdSH8kAeag+3QhS
b83QYvGVjTdE4R3N4kT/oRUV7n78AaEyW/+ozGF9+BsnFssNnPf5OOoRjmQ1YzIu
MIUZKHm9BWfiUbmQeuCMtHX3vG7V0cofpoK5vlerKxw8mlPybplGCJIMMYEf6rQX
NELrjqYqFr9RSANUE1Kkc7EaCAOh8qfNR/4BP1wOh6l8H5JyRgAsbj0gnkO9irnW
qD5HS4WjwAX9RgoIgV6Lxa0lEdttJAlBDReZfqeqHwI5zCJ5X4Mc0mYWs5qLax10
hNm334kkTYs=
=EEU8
-----END PGP SIGNATURE-----