Summary
A remote command injection vulnerability in capme was discovered by Kevin Breen and James Hall and responsibly disclosed. An updated capme package is available now which resolves this vulnerability. You should install this update as soon as possible.
Thanks
Thanks to Kevin Breen and James Hall for finding this issue and disclosing it responsibly!
Updating
The new package version is as follows:
securityonion-capme - 20121213-0ubuntu0securityonion24precise
This package is now available in our stable repo. Please see the following page for full update instructions:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade
Additional mitigations
Security Onion management interfaces should be on dedicated management networks and/or locked down to only allow connections from known good IP addresses:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Firewall
Timeline
2016/01/12 1:03PM Eastern
Received detailed disclosure from Kevin Breen and James Hall via email.
2016/01/12 1:19PM Eastern
Acknowledged receipt of email.
2016/01/12 1:56PM Eastern
Confirmed issue and began working on fix.
2016/01/12 5:12PM Eastern
Completed fix and started testing.
2016/01/12 9:20PM Eastern
Completed testing and sent fix to Kevin Breen and James Hall for additional testing.
2016/01/13 6:40AM Eastern
Received confirmation from Kevin Breen and James Hall that the fix works as expected and stops all the attacks they had considered.
2016/01/13 7:26AM Eastern
Added fix to securityonion-capme package.
2016/01/13 7:35AM Eastern
Submitted securityonion-capme package to build farm.
2016/01/13 7:51AM Eastern
Package build complete. Initiated copy to stable PPA.
2016/01/13 8:01AM Eastern
Copy to stable PPA complete.
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists
UPDATE 2016/02/02 - Changed "code execution" to "command injection".
