This Wednesday, February 5, several vulnerabilities were detected in the EyesOfNetwork solution.

| CVE | Issue | Fix |
|---|---|---|
| CVE-2020-8654 | The Discovery module allows running arbitrary OS commands. We were able to run the ‘id’ command with the following payload in the target field: ;id #’. | lilac-3.1-2+ |
| CVE-2020-8655 | LPE via nmap NSE script. As the apache user is allowed to run nmap as root, we were able to execute arbitrary commands by providing a specially crafted NSE script. | eonconf-5.3-0 |
| CVE-2020-8656 | SQLi in the API, in the getApiKey function, on the ‘username’ field. PoC: onapi/getApiKey?username=’ union select sleep(3),0,0,0,0,0,0,0 or ‘ | eonapi-2.0-2+ |
| CVE-2020-8657 | Calculable/guessable API key | eonapi-2.0-2+ |

Chained together, these vulnerabilities allow an attacker to obtain a shell with root rights on an instance of EON 5.2 or 5.3 without any prior information or login.

A patch was released on Thursday, February 6, then packaged, and is now available on the EyesOfNetwork repositories (5.2, 5.3).

The patch is applied by executing the following command:

yum update eonapi lilac

**⚠ Attention ⚠**: Updating the eonapi package to version >= 2.0-2 regenerates the APIKEY of the admin user. The new key must be retrieved and entered in the third-party tools that consume the API (e.g. EyesOfIndicator, …).
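To confirm that the update actually took effect, the installed packages can be compared with the fixed versions from the table above. The script below is an added example, not part of the original advisory or of EyesOfNetwork; the function names are illustrative and it assumes GNU `sort -V` is available.

```shell
#!/bin/sh
# Added example: compare installed EON packages with the fixed versions
# from the advisory table. Function names are illustrative.

# Minimum fixed version-release per package (values from the table).
FIXED="lilac:3.1-2 eonconf:5.3-0 eonapi:2.0-2"

# version_ge A B: succeeds when A >= B in GNU `sort -V` ordering.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# check_pkg NAME INSTALLED: print a status line; return 0 only if patched.
check_pkg() {
    name=$1 installed=$2
    for entry in $FIXED; do
        [ "${entry%%:*}" = "$name" ] || continue
        min=${entry#*:}
        if version_ge "$installed" "$min"; then
            echo "OK       $name $installed (>= $min)"; return 0
        fi
        echo "OUTDATED $name $installed (< $min)"; return 1
    done
    echo "UNKNOWN  $name"; return 2
}

# audit: query rpm for every package in FIXED; return 1 if any is outdated.
audit() {
    rc=0
    for item in $FIXED; do
        pkg=${item%%:*}
        if ! ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$pkg" 2>/dev/null); then
            echo "ABSENT   $pkg"; continue
        fi
        check_pkg "$pkg" "$ver" || rc=1
    done
    return $rc
}

# Run the audit only on hosts where rpm exists.
if command -v rpm >/dev/null 2>&1; then
    audit || echo "At least one package is below the fixed version."
fi
```

The audit also covers eonconf, because the table lists a fix for it even though the update command above names only eonapi and lilac.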