XSS Vulnerability in Epilog
SUMMARY
Feb 27, 2017
A vulnerability was found by security company Arthrocyber in the Enterprise version of Epilog Snare Unix agent ( CVE Details ). After some internal investigation it was found that this vulnerability also existed in the Snare Enterprise Epilog Agent for Windows, which can trigger the agents to display the Cross Site Scripting (XSS) attack from the agent's log configuration screen, if the data was entered into the screen and saved, or a user with root or administrative access changed the epilog.conf or the registry keys to save the JavaScript. The exploit causes the agent to save the log settings using some JavaScript in the section where a normal log file would be entered. The Epilog agent reads the configuration upon opening the log configuration screen and did not correctly escape the details when displayed on the screen.
Impact
This vulnerability does not allow the attacker to gain privileged access to the system the agent is running on and only affects the clients browser system if they happen to be viewing the log configuration screen when the exploit is executed. Because the browser thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with the connection to the agent.
Risk Rating: Low. Access requires the admin password to the agent or root/administrative access to the system to manually change the configuration file or registry keys.
Vulnerable Products
This affects the following Snare Enterprise products:
Snare Enterprise Epilog for Windows
Snare Enterprise Epilog for Unix
Snare OpenSource Agents for Epilog
Countermeasures
Always ensure that the agent has a strong administrative password to prevent unauthorised access and changes to the configuration.
Vulnerable Versions
The following versions of Snare Enterprise agents, and all versions prior to these versions, should be considered vulnerable to this issue:
Snare Enterprise Epilog Agent for Windows v1.8.8
Snare Enterprise Epilog Agent for Unix v1.5.7
All Epilog versions of the listed OpenSource/SnareLite agents, and prior versions, should be considered vulnerable to this issue.
Patched Versions
The following versions of the Snare Enterprise agents resolve the issue:
Snare Enterprise Epilog Agent for Windows v1.8.9
Snare Enterprise Epilog Agent for Unix v1.5.8
There is no schedule for fixes to the OpenSource/SnareLite agents at this time.