Looking for documentation? Check out our new learning center!
AlienVault v4.5 Released! Download here

Looking for confirmation of security issue: MITM might execute arbitrary code on OSSIM during update

Did not find e-mail address via search for "security contact" in google or these forums, "report bug" is also unanswered, so I guess this should go here:

I'm using OSSIM 4 (standard iso download) and used alienvault-update (see http://alienvault.com/docs/3.0_release_notes.txt) for updating the machine.

Due to unknown reason (MITM or just release signing/mirror problem), the install packages could not be authenticated. alienvault-update just continued, so if this was MITM I'm doomed.

Can someone reproduce this issue? Is just my installation broken?

Reproduce could be using "apt-key list" and "apt-key remove" when regular updates are available (Make backup of keys before). Otherwise I'll try again when updates are available again.

I observed update to continue with following warning:

WARNING: The following packages cannot be authenticated!
  ossim-agent ossim-database-migration alienvault-directives-free
  alienvault-crosscorrelation-free ossim-server ossim-contrib ossim-utils
  snort-rules-default ossim-repo-key ossim-cd-configs ossim-cd-tools
  ossim-geoip alienvault-dummy-sensor ossim-framework-daemon ossim-compliance
  ossim-framework ossim-mysql alienvault-dummy-database ossim-downloads
  alienvault-dummy-framework alienvault-idm alienvault-dummy-server
  ossim-menu-setup ossim-osvdb

Comments

  • Thanks for your report.

    That message is normal now but we are working to not display.

    Regards.
  • RomanRoman UFO Spotter
    Even if you suppress the message: could you explain, how it was generated in the first place? If it is really caused by missing key checks, suppressing the message will not suppress the attack.
  • RomanRoman UFO Spotter
    Today I run the test as proposed in my initial post. When removing all keys, "alienvault-update" reports numerous warnings but does not ask user for input. Hence it installs anything that comes via net, no signature checks in place on my machine.
  • k_izdebskik_izdebski Abducted By Aliens
    @Roman: FYI, I have reported this issue about year ago.
    imolleda said:
    Thanks for your report.

    That message is normal now but we are working to not display.

    Regards.
    Maybe it would be better to just start signing alienvault packages, and distribute keys properly? It is sad, that system that is designed to secure network is itself using unsecure methods of updating itself, especially it is not so hard.
  • RomanRoman UFO Spotter
    Signing the packages won't help since alienvault-update ignores those signatures. By signing, you get rid of the warning, but a MITM-attacker will still be able to install arbitrary unsigned packages.

    Still using an own debian mirror/repository (with signature checks) might be of help, attacker has to get hold of you traffic between repository and OSSIM (which is usually site-local and short-distance) instead of your path from OSSIM to any of the deb repositories in default configuration.
  • iamfromitiamfromit Taken Aboard the Mothership
    @k_izdebski, @Roman, thanks for reporting the issue to AV.

    @imolleda,i f AV's solution is to ignore the signature check, it would make any MITM completely feasible. If they instead sign all of their packages, install the public key on the client as well as provide it in a trusted place on the web, it would help to make trusted package distribution possible for those who take the care to verify packages forcefully.

    Packages should be hashed/signed by the maintainer/provider for verification purposes as well as just sound package management. A lot of people might have to download these packages over sketchy links, but as well a lot of people just want to be sure the package they got is what you intended them to get. They're trusting the package provider, not necessarily their DNS provider, ISP or the name of the package the client downloads.
  • rdelafuenterdelafuente Alien
    edited November 2012
    @k_izdebski, @Roman, thank you for reporting this issue.

    We have already implemented package signing and it will be available in an upcoming release.

    Cheers!
  • which release will it be available in and approximately when will it be released?
  • This appears to be an important issue.  Any idea as to which release it will be available and when it will be released?
Sign In or Register to comment.