Monday, November 13, 2017

Security Advisory for Xplico 1.2.0

Introduction
Mehmet D. İNCE discovered several vulnerabilities related to Xplico. He identified three different vulnerabilities, two classified as "High severity" and one as "Medium severity". The CVE number assigned for these vulnerabilities is CVE-2017-16666:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16666

We've resolved these issues in a new Xplico package:
xplico - 1.2.0ubuntu1securityonion9

Resolution
To resolve these issues, simply install the new Xplico package according to our normal update instructions:
https://securityonion.net/wiki/Upgrade

Mitigations
Since 2015, our Setup wizard has disabled Xplico by default when choosing the "Best Practices" option:
https://github.com/Security-Onion-Solutions/securityonion-setup/blob/dd9c8e098af3e6bc253570b75b789ff928c10323/debian/patches/streamline-Setup-with-new-defaults-and-add-new-Custom-option

Since March 2016, our Setup wizard locks down the host-based firewall to block remote connections to Xplico:
http://blog.securityonion.net/2016/03/securityonion-setup-20120912.html

Additionally, we recently made some changes to make it easier to totally remove the Xplico package from your system:
http://blog.securityonion.net/2017/11/securityonion-nsmnow-admin-scripts.html
http://blog.securityonion.net/2017/11/securityonion-iso-20151016.html
http://blog.securityonion.net/2017/11/securityonion-setup-20120912.html

Future Security Onion ISO images will no longer include Xplico.

Thanks
Special thanks to Mehmet İNCE for responsibly disclosing this security issue per our Security page:
https://securityonion.net/security

Special thanks to Gianluca Costa for patching these issues so quickly!

Timeline
All times below are in Eastern time.
11/8/2017 2:32 AM - Received initial notification from Mehmet İNCE.
11/8/2017 6:30 AM - Confirmed receipt of email and confirmed issue.
11/8/2017 6:39 AM - Notified Gianluca Costa of Xplico.
11/13/2017 2:36 AM - Received patches from Gianluca Costa.
11/13/2017 8:56 AM - Built new Xplico package and sent to Mehmet İNCE for review.
11/13/2017 9:04 AM - Received confirmation from Mehmet İNCE.
11/13/2017 9:09 AM - Sent email to coordinate disclosure.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.