Introduction
Mehmet D. İNCE discovered three vulnerabilities in Xplico, two rated "High severity" and one rated "Medium severity". They have been assigned CVE-2017-16666:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16666
We've resolved these issues in a new Xplico package:
xplico - 1.2.0ubuntu1securityonion9
Resolution
To resolve these issues, install the new Xplico package according to our normal update instructions:
https://securityonion.net/wiki/Upgrade
Mitigations
Since 2015, our Setup wizard has disabled Xplico by default when choosing the "Best Practices" option:
https://github.com/Security-Onion-Solutions/securityonion-setup/blob/dd9c8e098af3e6bc253570b75b789ff928c10323/debian/patches/streamline-Setup-with-new-defaults-and-add-new-Custom-option
Since March 2016, our Setup wizard locks down the host-based firewall to block remote connections to Xplico:
http://blog.securityonion.net/2016/03/securityonion-setup-20120912.html
Additionally, we recently made some changes to make it easier to completely remove the Xplico package from your system:
http://blog.securityonion.net/2017/11/securityonion-nsmnow-admin-scripts.html
http://blog.securityonion.net/2017/11/securityonion-iso-20151016.html
http://blog.securityonion.net/2017/11/securityonion-setup-20120912.html
Future Security Onion ISO images will no longer include Xplico.
Thanks
Special thanks to Mehmet İNCE for responsibly disclosing this security issue per our Security page:
https://securityonion.net/security
Special thanks to Gianluca Costa for patching these issues so quickly!
Timeline
All times below are in Eastern time.
11/8/2017 2:32 AM - Received initial notification from Mehmet İNCE.
11/8/2017 6:30 AM - Confirmed receipt of email and confirmed issue.
11/8/2017 6:39 AM - Notified Gianluca Costa of Xplico.
11/13/2017 2:36 AM - Received patches from Gianluca Costa.
11/13/2017 8:56 AM - Built new Xplico package and sent to Mehmet İNCE for review.
11/13/2017 9:04 AM - Received confirmation from Mehmet İNCE.
11/13/2017 9:09 AM - Sent email to coordinate disclosure.