-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2015.0058
               A vulnerability has been identified in OSSEC
                               15 June 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              OSSEC
Operating System:     Virtualisation
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Root Compromise -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-3222  
Member content until: Wednesday, July 15 2015

OVERVIEW

        A root privilege-escalation vulnerability (CVE-2015-3222) has been
        identified in OSSEC versions prior to 2.8.2. [1]


IMPACT

        The vendor has provided the following details regarding the
        vulnerability:

        "The CVE-2015-3222 vulnerability, which allows for root escalation
        via syscheck, has been fixed in OSSEC 2.8.2. This issue does not
        affect agents." [1]
        
        "Beginning in OSSEC 2.7 (d88cf1c) a feature was added to syscheck,
        which is the daemon that monitors file changes on a system, called
        report_changes. This feature is only available on *NIX systems. Its
        purpose is to help determine what about a file has changed." [2]
        
        "The raw filename is passed in as an argument which presents an 
        attacker with the possibility to run arbitrary code. Since the 
        syscheck daemon runs as the root user so it can inspect any file on
        the system for changes, any code run using this vulnerability will 
        also be run as the root user." [2]
        
        "Again, this vulnerability exists only on *NIX systems and is 
        contingent on the following criteria:
        
        A vulnerable version is in use. The OSSEC agent is configured to use
        syscheck to monitor the file system for changes. The list of 
        directories monitored by syscheck includes those writable by 
        underprivileged users. The report_changes option is enabled for any
        of those directories." [2]
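        The mechanism the vendor describes above, a raw filename interpolated
        into a shell command that runs as root, is shown below as an added
        illustration; this is not OSSEC's code. printf stands in for the real
        diff invocation so the example runs without creating files, the
        HOSTILE_NAME value is a constructed attacker-chosen filename, and the
        metacharacter list in contains_shell_metachars is an assumption for
        the example rather than a filter taken from the fix.

```python
"""Shell-string versus argv execution of an attacker-chosen filename (added example)."""
import subprocess

# Constructed hostile filename: it closes the quoted argument the command
# template expects and smuggles a second command after it.
HOSTILE_NAME = 'evil"; echo INJECTED; "'


def vulnerable_command(old_path, new_path):
    """Build one shell command string with the filenames interpolated raw.

    Hypothetical stand-in for the pattern in the advisory (a raw filename
    passed into a shell command); printf replaces diff so it runs offline.
    """
    return 'printf "%%s -> %%s\\n" "%s" "%s"' % (old_path, new_path)


def run_vulnerable(old_path, new_path):
    """Run the interpolated string through /bin/sh, as system(3) would.

    With HOSTILE_NAME the shell sees three commands, and the middle one
    (echo INJECTED) executes with the privileges of the caller.
    """
    proc = subprocess.run(vulnerable_command(old_path, new_path),
                          shell=True, capture_output=True, text=True)
    return proc.stdout


def run_hardened(old_path, new_path):
    """Pass each filename as its own argv element so no shell parses it."""
    proc = subprocess.run(["printf", "%s -> %s\n", old_path, new_path],
                          capture_output=True, text=True)
    return proc.stdout


def contains_shell_metachars(name):
    """Defence in depth: refuse names a shell would interpret.

    The character set is an assumption for this example. Executing via argv
    (run_hardened) is the actual fix; this is only a second layer.
    """
    return any(c in name for c in ';|&$`"\'\\<>()\n')


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(HOSTILE_NAME, "new")))
    print("hardened:  ", repr(run_hardened(HOSTILE_NAME, "new")))
    print("filtered?  ", contains_shell_metachars(HOSTILE_NAME))
```

        The vulnerable path prints an INJECTED line that the template never
        asked for; the argv path prints the hostile name verbatim as data.
        When the daemon runs as root, as syscheck does, the injected command
        runs as root too, which is the whole of the impact described above.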


MITIGATION

        The vendor advises that OSSEC 2.8.2, which fixes this issue, is
        available for download. [3] Where the upgrade cannot be applied
        immediately, the exposure criteria quoted above point to an interim
        measure: disable report_changes for (or stop monitoring) any syscheck
        directory that unprivileged users can write to.
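        The configuration-side criteria quoted in the IMPACT section can be
        checked mechanically. The script below is an added example, not
        OSSEC's own tooling: it parses the <syscheck><directories> entries of
        an ossec.conf, keeps those with report_changes="yes", and flags any
        whose directory tree is writable by a non-root user. SAMPLE_CONF is a
        constructed configuration, the permission test is a mode-bit heuristic
        (POSIX ACLs are not inspected), and the installed version (the first
        criterion) is not checked here.

```python
"""Audit an ossec.conf for the CVE-2015-3222 exposure criteria (added example)."""
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample configuration; the paths are illustrative only.
SAMPLE_CONF = """
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" report_changes="yes">/etc/ssh,/var/www/uploads</directories>
    <directories check_all="yes" report_changes="yes">/tmp</directories>
  </syscheck>
</ossec_config>
"""


def parse_syscheck_directories(conf_text):
    """Return [(path, report_changes_enabled), ...] in configuration order.

    ossec.conf may hold several top-level <ossec_config> blocks, so the text
    is wrapped in a synthetic root element before parsing.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    entries = []
    for node in root.iter("directories"):
        report = (node.get("report_changes") or "no").strip().lower() == "yes"
        for path in (node.text or "").split(","):
            path = path.strip()
            if path:
                entries.append((path, report))
    return entries


def writable_by_unprivileged(path):
    """Mode-bit heuristic: could a non-root user create files in this directory?

    Assumption for the example: world-writable, group-writable with a
    non-root group, or owned with the write bit by a non-root user.
    """
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        return True
    if mode & stat.S_IWGRP and st.st_gid != 0:
        return True
    return st.st_uid != 0 and bool(mode & stat.S_IWUSR)


def tree_writable_by_unprivileged(path):
    """syscheck monitors a directory recursively, so inspect the subtree too."""
    if writable_by_unprivileged(path):
        return True
    for dirpath, dirnames, _ in os.walk(path):
        if any(writable_by_unprivileged(os.path.join(dirpath, d)) for d in dirnames):
            return True
    return False


def exposed_directories(conf_text, is_writable=tree_writable_by_unprivileged):
    """Directories meeting both remaining criteria: report_changes on, writable."""
    return [path for path, report in parse_syscheck_directories(conf_text)
            if report and is_writable(path)]


if __name__ == "__main__":
    import sys
    # Pass the agent's ossec.conf path as the first argument; otherwise the
    # constructed sample is audited against the local filesystem.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for path in exposed_directories(text):
        print("report_changes enabled on directory writable by unprivileged users:", path)
```

        Run it as root on the host being assessed, pointing at the agent's
        configuration (typically /var/ossec/etc/ossec.conf). Any path it
        prints is a directory where the vulnerable pre-2.8.2 syscheck would
        hand an attacker-controlled filename to a root shell, so either the
        upgrade or the interim configuration change above applies to it.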


REFERENCES

        [1] security/ossec-hids -- root escalation via syscheck feature
            http://www.vuxml.org/freebsd/c470db07-1098-11e5-b6a8-002590263bf5.html

        [2] Fix for CVE-2015-3222 which allows for root escalation via syscheck
            https://github.com/ossec/ossec-hids/releases/tag/2.8.2

        [3] CVE-2015-3222 Vulnerability Fixed in OSSEC 2.8.2
            http://www.ossec.net/?p=1198

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----