Snare Agents Advisory – Windows exploit
SUMMARY
Feb 19, 2016
A vulnerability was found by Aaron Lesmeister of HALOCK Security Labs in the OpenSource Snare for Windows agent. After some internal investigation it was found that this vulnerability, also existed in the Snare Enterprise Agent for Windows, which can trigger the agents to display the Cross Site Scripting ( XSS) attack from the agents latest events screen. The exploit uses smbclient from a Unix machine to generate a false userid that contains JavaScript and does not require any authentication to generate this event. Windows uses this JavaScript in the event logging system and attaches it to the event as the userid. The Snare for Windows agent reads the event and did not correctly escape the userid from the event when it was displayed on the latest events screen. As a precaution the SQL agent has also been updated to prevent any display of malicious data from being injected into the SQL trace file system logs. Currently there was no evidence that the SQL Server environment can have the JavaScript injected into the trace log system.
Impact
This vulnerability does not allow the attacker to gain privileged access to the system the agent is running on and only affects the clients browser system if they happen to be viewing the latest events screen when the exploit is executed. Because the browser thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with the connection to the agent.
Vulnerable Products
This affects the following the Snare Enterprise products:
Snare Enterprise Agent for Windows
Snare Enterprise Agent for MSSQL
Snare OpenSource Agents for Windows
Countermeasures
Disabling the remote control interface (GUI) will block this issue. Note that disabling the remote control interface will also disable the ability of the agent management console, to manage the affected agent.
Vulnerable Versions
The following versions of Snare Enterprise agents, and all versions prior to these versions, should be considered vulnerable to this issue:
Snare Enterprise Agent for Windows v4.3.3
Snare Enterprise Agent for MSSQL v1.4.4
All versions of the listed OpenSource/SnareLite agents, and prior versions, should be considered vulnerable to this issue:
Snare OpenSource Agent for Windows v4.0.2.0
Patched Versions
The following versions of the Snare Enterprise agents have been patched, dated 19th February 2016, and are no longer vulnerable to this issue:
Snare Enterprise Agent for Windows v4.3.4
Snare Enterprise Agent for MSSQL v1.4.5
There is no schedule for fixes to the OpenSource/SnareLite agents at this time.