OSSEC-HIDS Security Audit Findings #1821

Closed
@cpu

Description

Hi folks,

I spent some free time recently auditing OSSEC. I was primarily focused on a threat model where an OSSEC agent is compromised (e.g. the agent key and assoc. counters are known) and used to attack the OSSEC server (primarily ossec-remoted and ossec-analysisd). Given the problem domain of OSSEC and HIDS generally I think this is fair game. Since these are post-auth bugs and there isn't guidance on vulnerability disclosure in the README I thought it was acceptable to post information full-disclosure to the repo.

I found a handful of bugs and have done my best to address the root cause, the affected versions, the impact and potential fixes in the issues I've filed. I will request CVEs for the security relevant bugs later on.

In terms of rough risk levels I'd categorize the findings as follows:

Informational:

Low:

Med:

High:

Some caveats/context to add:

  1. I'm not a professional C coder, w.r.t. suggested fixes YMMV!
  2. I don't write exploits for a living. My assessments of exploitability/risk should be considered lower bounds.
  3. This wasn't an extensive audit. I followed my nose and used some fuzzing.
  4. OSSEC 2.7 seems to be the earliest tag in the GitHub repo. I didn't dig deeper into history to see if any of these bugs affect older releases (some likely do).

If you would be interested in trying to adopt fuzzing as part of your CI (or as an integration with oss-fuzz, etc.) I'd be happy to try and provide some notes, but I likely don't have the resources to implement it myself to a mergeable standard of work.

Thanks! You can close this top-level issue as you see appropriate.
