AlienVault on Tuesday issued patches for its SIEM platforms after a security researcher disclosed several vulnerabilities in the products.
Last week, security researcher Peter Lapp detailed the vulnerabilities on Full Disclosure, covering both AlienVault's OSSIM (Open Source Security Information Management) and USM (Unified Security Management) platforms. The primary flaw allowed a user to upload a specially crafted NBE file (the Nessus report export format) through the OSSIM/USM web interface; the contents of that file then triggered several issues, including cross-site scripting (XSS), SQL injection and command execution.
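The import path described above, as an added example that is not AlienVault's code and is not taken from the disclosure: a minimal NBE importer with the unsafe field handling beside its hardened form, showing how one crafted record can reach a SQL sink, a command sink and a rendered page. The NBE field layout, the `findings` table, the sample lines and all function names are assumptions for the illustration; the actual flaw in OSSIM/USM is not reproduced here.

```python
import html
import ipaddress
import sqlite3

# Constructed sample NBE export (not from the disclosure). The layout assumed
# here for 'results' records is results|subnet|host|port|plugin_id|severity|description.
# The second finding carries payloads in the host and description fields.
SAMPLE_NBE = """timestamps||10.0.0.5|host_start|Tue May 12 10:00:00 2015|
results|10.0.0|10.0.0.5|ssh (22/tcp)|10267|Security Note|SSH banner: OpenSSH_6.6
results|10.0.0|10.0.0.7; echo INJECTED|http (80/tcp)|10107|Security Hole|<script>alert(1)</script>'); DELETE FROM findings; --
"""

SCHEMA = "CREATE TABLE findings(host TEXT, port TEXT, plugin_id TEXT, severity TEXT, description TEXT)"


def parse_nbe(text):
    """Parse 'results' records; other record types (timestamps) are skipped."""
    findings = []
    for line in text.splitlines():
        parts = line.split("|", 6)  # description may itself contain '|'
        if parts[0] != "results" or len(parts) != 7:
            continue
        _, _subnet, host, port, plugin_id, severity, description = parts
        findings.append({"host": host, "port": port, "plugin_id": plugin_id,
                         "severity": severity, "description": description})
    return findings


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def import_unsafe(conn, findings):
    # Vulnerable pattern: field values spliced into the statement text and run
    # as a script, so a quote ends the literal and ';' starts a new statement.
    for f in findings:
        conn.executescript(
            "INSERT INTO findings VALUES ('%s','%s','%s','%s','%s');"
            % (f["host"], f["port"], f["plugin_id"], f["severity"], f["description"]))
    conn.commit()


def import_safe(conn, findings):
    # Hardened: bound parameters; field content never reaches the SQL parser.
    conn.executemany(
        "INSERT INTO findings VALUES (?,?,?,?,?)",
        [(f["host"], f["port"], f["plugin_id"], f["severity"], f["description"])
         for f in findings])
    conn.commit()


def stored_descriptions(conn):
    return [row[0] for row in conn.execute("SELECT description FROM findings ORDER BY rowid")]


def ping_argv(host):
    # Hardened command construction: validate the field against the type it
    # must be, then pass an argv list with no shell. The unsafe form would be
    # "ping -c 1 " + host handed to sh -c, where ';' in the crafted host
    # starts a second command.
    ipaddress.ip_address(host)  # raises ValueError for '10.0.0.7; echo INJECTED'
    return ["ping", "-c", "1", host]


def render_cell(description):
    # Hardened output encoding for the UI: stored text is displayed, not executed.
    return "<td>%s</td>" % html.escape(description, quote=True)


def demo():
    findings = parse_nbe(SAMPLE_NBE)
    unsafe_db, safe_db = new_db(), new_db()
    import_unsafe(unsafe_db, findings)  # payload deletes every row
    import_safe(safe_db, findings)      # payload is stored as literal text
    return {
        "parsed": len(findings),
        "rows_after_unsafe_import": len(stored_descriptions(unsafe_db)),
        "rows_after_safe_import": len(stored_descriptions(safe_db)),
        "rendered": render_cell(stored_descriptions(safe_db)[1]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The three fixes are independent: parameter binding protects the import, type validation plus an argv list protects anything that later runs a command on the host field, and output encoding protects the page that displays the description. An authenticated non-admin user, as the article notes, is enough to reach the upload, so the file contents have to be treated as untrusted at every sink.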
The vulnerabilities require authentication in the platform's UI to be exploited, though admin privileges are not required. AlienVault last week confirmed the vulnerabilities and said they can only be exploited from within the Web UI for the two platforms. The company announced on its forum last week that a patch addressing the vulnerabilities would be issued today.
Lapp told SearchSecurity that while he did not test the cloud version of AlienVault's USM, he believes the vulnerability was the same because it involved the Web interface of the platform. "The only difference that I know of between the two versions is the deployment, not the underlying software," he said, "so it should affect both."
According to Lapp, he notified AlienVault of the vulnerabilities on Jan. 12 of this year, and the company confirmed the issues that same day. He then made a second request for an update from AlienVault in late April and received no response. AlienVault released v.5.0 for the products on April 20 without including fixes for the vulnerabilities.
"The vendor was notified almost five months ago about this vulnerability," Lapp wrote in the disclosure post. "Given that they have not responded to my recent requests for updates, and just released a major version that did not patch these issues, I have decided to release the details."
AlienVault, meanwhile, said the delay in addressing the vulnerabilities, which exceeded the customary 90-day disclosure window, was an error on its part. "Unfortunately, a break-down in communication prevented us from responding to Peter Lapp and following our defined process," the company wrote in the forum post. "We have conducted a full review of our process and updated the process to ensure that this does not happen again."
AlienVault didn't specify what the breakdown entailed and could not be reached for further comment.
Lapp told SearchSecurity that following his disclosure of the vulnerabilities, he contacted AlienVault, which told him that v.5.0.1 would address the vulnerabilities and would be released on May 12.
"I was pretty surprised that the issue was taking so long to be fixed, especially since I reported another vulnerability to them not long before that which was fixed fairly quickly," Lapp said. "The previous vulnerability was a little more severe though, so I figured they just didn't give it priority. I was really surprised when 5.0 was released and the vulnerability was still there, which is when I decided to release the details. From what I've been told by AlienVault, it was just a case of something falling through the cracks rather than them intentionally ignoring it."
Lapp said he plans to test the v.5.0.1 update to make sure the vulnerabilities in the SIEM platforms have been addressed.