CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
6.0 | $0-$5k | 0.00 |
A vulnerability, which was classified as critical, was found in Observium Network Monitor (unknown version). This affects an unknown code block of the file /includes/common.inc.php. The manipulation with an unknown input leads to a privileges management vulnerability (Unserialize). CWE is classifying the issue as CWE-269. The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. This is going to have an impact on confidentiality, integrity, and availability.
The bug was discovered 09/01/2016. The weakness was disclosed 11/10/2016 by Ronald Volgers as "[CT-2016-1110] Unauthenticated RCE in Observium network monitor" in a confirmed mailing list post (Full-Disclosure). The advisory can be read at seclists.org. The public release was coordinated in cooperation with Observium. The attack can be initiated remotely. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1068 according to MITRE ATT&CK. The reason for this vulnerability is this part of the code:
```php
function var_decode($string, $method = 'serialize')
{
  $value = base64_decode($string, TRUE);
  if ($value === FALSE)
  {
    // This is not base64 string, return original var
    return $string;
  }

  switch ($method)
  {
    case 'json':
      if ($string === 'bnVsbA==') { return NULL; };
      $decoded = @json_decode($value, TRUE);
      if ($decoded !== NULL)
      {
        // JSON encoded string detected
        return $decoded;
      }
      break;
    default:
      if ($value === 'b:0;') { return FALSE; };
      // unserialize() is applied to the decoded input with no class restrictions
      $decoded = @unserialize($value);
      if ($decoded !== FALSE)
      {
        // Serialized encoded string detected
        return $decoded;
      }
  }

  // Nothing could be decoded, return original var
  return $string;
}
```
The vulnerability was handled as a non-public zero-day exploit for at least 55 days. During that time the estimated underground price was around $0-$5k. With the Google Hacking search inurl:includes/common.inc.php it is possible to find vulnerable targets.
Upgrading eliminates this vulnerability. A possible mitigation was published before the disclosure of the vulnerability, not only after it.
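A hardened counterpart to the var_decode() excerpt above, as an added example that is not Observium's code or its published fix. It assumes PHP 7.0 or later; var_decode_safe(), contains_object() and DemoGadget are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added example, not Observium code. All names below are hypothetical.
// Constructed stand-in for any class whose magic methods run during unserialize().
class DemoGadget {
    public static $woke = false;
    public function __wakeup() { self::$woke = true; }
}

// Recursively reject anything that is not a scalar, null or array.
function contains_object($data) {
    // is_object() is false for __PHP_Incomplete_Class before PHP 7.2, so test both.
    if (is_object($data) || $data instanceof __PHP_Incomplete_Class) { return true; }
    if (is_array($data)) {
        foreach ($data as $item) {
            if (contains_object($item)) { return true; }
        }
    }
    return false;
}

function var_decode_safe($string, $method = 'serialize') {
    // Strict mode rejects characters outside the base64 alphabet.
    $value = base64_decode($string, true);
    if ($value === false) {
        return $string;
    }
    if ($method === 'json') {
        if ($string === 'bnVsbA==') { return null; }
        $decoded = json_decode($value, true);
        return ($decoded !== null) ? $decoded : $string;
    }
    if ($value === 'b:0;') { return false; }
    // allowed_classes => false stops unserialize() from instantiating any class:
    // objects become __PHP_Incomplete_Class and no magic methods are invoked.
    $decoded = @unserialize($value, ['allowed_classes' => false]);
    if ($decoded === false || contains_object($decoded)) {
        return $string; // treat object-bearing or invalid input as undecodable
    }
    return $decoded;
}

// Constructed inputs: a plain array and a serialized DemoGadget instance.
$plain  = base64_encode(serialize(['device' => 'sw1', 'ports' => [1, 2]]));
$object = base64_encode(serialize(new DemoGadget()));

var_dump(var_decode_safe($plain));              // decoded array
var_dump(var_decode_safe($object) === $object); // object input is handed back undecoded
var_dump(DemoGadget::$woke);                    // whether __wakeup() ever ran
```

Where the stored values never need PHP-specific types, decoding with the 'json' method only removes the unserialize() path altogether.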
The entries 93568, 93569 and 93570 are pretty similar.
CVSSv3
VulDB Meta Base Score: 6.3
VulDB Meta Temp Score: 6.0
VulDB Base Score: 6.3
VulDB Temp Score: 6.0
Exploiting
Name: Unserialize
Class: Privileges management / Unserialize
CWE: CWE-269 / CWE-266
Local: No
Remote: Yes
Status: Not defined
Countermeasures
Recommended: Upgrade
Timeline
09/01/2016
10/21/2016
10/21/2016
10/26/2016
11/10/2016
11/11/2016
05/30/2019
Sources
Advisory: [CT-2016-1110] Unauthenticated RCE in Observium network monitor
Researcher: Ronald Volgers
Status: Confirmed
Entry
Created: 11/11/2016 15:54
Updated: 05/30/2019 09:23
Changes: 11/11/2016 15:54 (49), 05/30/2019 09:23 (1)