Last updated Fri, May 10, 2019 17:03:39 GMT

Summary

Logentries Windows Agent versions prior to 2.6.0.1 shipped with a version of OpenSSL that is susceptible to several public vulnerabilities described below.

While we have no indication that any Logentries customers have been compromised due to these older versions of OpenSSL, we strongly encourage Logentries customers to update Agents deployed to Windows systems using the steps outlined under "Remediation" below.

Since the previously shipped version of OpenSSL was susceptible to several categories of vulnerabilities, this issue is classified as CWE-937 (Using Components with Known Vulnerabilities).

If you have any questions about this issue, please reach out to support@logentries.com.

Update - 2017/08/04

Scan coverage to detect vulnerable versions of the Logentries Windows Agent was added to InsightVM in the 6.4.48 update on Jul 26, 2017. InsightVM customers can use this to verify that all their Logentries Agents are patched.

Credit

Many thanks to Dustin Heart for reporting this vulnerability to us, as well as providing information throughout the investigation to help us resolve the issue quickly.

Am I affected?

All versions of the Windows Agent prior to 2.6.0.1 are vulnerable.

Logentries Agents on Linux and OS X are not vulnerable, as they use the version of OpenSSL present on the assets on which they are installed.

Vulnerability Details

The Logentries Windows Agent uses the OpenSSL library as part of its communication with the Logentries servers. Before v2.6.0.1, the Logentries Windows Agent used OpenSSL v1.0.1e, which is susceptible to a number of issues. The vast majority are Denial of Service type vulnerabilities, but a small number have the potential to allow remote code execution and information disclosure by an attacker in a privileged position on the network.

One notable information disclosure issue that this version is vulnerable to is CVE-2014-0160 (aka "Heartbleed"). While Heartbleed can be a big issue in some attack scenarios, in this case the risk is relatively low, as any information that could be accessed would be log data limited to the affected asset. By default, the Logentries Windows Agent will follow the Application, Security, and System Windows logs, as well as a hardware statistics log. Users can additionally follow logs related to Internet Explorer, Key Management, Media Center, PowerShell, and Hardware Events.

These should not include critically sensitive information such as credentials, personally identifiable information (PII), or intellectual property, but may include sensitive environment and user information. If your Logentries Windows Agent is configured to follow application logs, there is a possibility of more sensitive information being exposed.

Additionally, triggering an information leak from memory is reasonably complicated, as it requires the Agent to connect to a malicious server. This could be achieved through, for example, a man-in-the-middle (MITM) scenario, privileged access to the asset running the Agent (in order to set alternate host entries for the Logentries servers), or a DNS cache poisoning attack.
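The issue above is a CWE-937 case: the risk comes from the OpenSSL build bundled with the Agent, not from the Agent's own code, so the defender's first question is "which OpenSSL is actually inside the binary I deployed?". The following is an added example, not Rapid7's or Logentries' code: it scans a binary blob for the version text OpenSSL embeds in every build (for 1.0.x releases with a letter suffix, e.g. "OpenSSL 1.0.1e 11 Feb 2013") and flags anything older than the v1.0.2l the advisory names as fixed. The sample blobs are constructed; on a real host you would feed it the bytes of the Agent's OpenSSL DLLs (typically libeay32.dll and ssleay32.dll for the 1.0.x series).

```python
import re
import sys
from typing import List, Optional, Tuple

# OpenSSL embeds its version text in every build, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
# 1.0.x patch releases carry a letter suffix; 1.1.0 and later do not.
_OPENSSL_VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)\b")

# Constructed sample blobs standing in for bytes read from an agent's OpenSSL DLL.
SAMPLE_VULNERABLE = b"\x00\x00OpenSSL 1.0.1e 11 Feb 2013\x00TLSv1 part 2\x00"
SAMPLE_PATCHED = b"\x00\x00OpenSSL 1.0.2l  25 May 2017\x00TLSv1.2\x00"


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '1.0.1e' into a comparable tuple; the letter maps to 1..26, no letter to 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", text)
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), ord(letter) - ord("a") + 1 if letter else 0)


def find_openssl_versions(blob: bytes) -> List[str]:
    """Every distinct OpenSSL version string in the blob, in order of appearance."""
    found: List[str] = []
    for m in _OPENSSL_VERSION_RE.finditer(blob):
        version = m.group(0)[len(b"OpenSSL "):].decode("ascii")
        if version not in found:
            found.append(version)
    return found


def is_outdated(blob: bytes, minimum: str = "1.0.2l") -> Optional[bool]:
    """True if any embedded OpenSSL is older than `minimum` (default: the 1.0.2l the
    advisory names as the fixed version), False if all are at or above it, and None if
    no version string is present (a stripped build needs a different check)."""
    versions = find_openssl_versions(blob)
    if not versions:
        return None
    floor = parse_version(minimum)
    return any(parse_version(v) < floor for v in versions)


if __name__ == "__main__":
    # Usage: python openssl_version_check.py <dll-or-exe> [<dll-or-exe> ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            data = f.read()
        status = {True: "OUTDATED", False: "ok", None: "no version string found"}[is_outdated(data)]
        print(path, find_openssl_versions(data), status)
```

A `None` result is deliberately distinct from "ok": a binary with no recognisable version text has not been cleared, it just cannot be judged by this method, and an inventory tool should report it as unknown rather than patched.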

The Logentries Windows Agent also failed to correctly validate TLS certificates and would fall back to plaintext HTTP if errors were encountered during HTTPS connections. This is especially problematic during the Agent update process and when setting username and password (only asked when setting up new installations).
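The fallback behaviour described above is the more serious of the two defects, because it turns any handshake failure into a downgrade: an interposed host that cannot present a trusted certificate only has to make the TLS connection fail to receive the request in the clear. The following is an added example written for this page, not the Agent's code (the page does not say what language the Agent is written in), showing the fail-open pattern beside the fail-closed form in Python. The network is replaced by a constructed opener that simulates a failed certificate verification, and the endpoint URL is hypothetical, so the whole thing runs offline.

```python
import ssl
import urllib.request
from typing import Callable, Optional

# An opener takes a URL and a TLS context (None for plaintext) and returns the body.
Opener = Callable[[str, Optional[ssl.SSLContext]], bytes]


def strict_tls_context() -> ssl.SSLContext:
    """Verify the chain against the system trust store, check the hostname, require TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def urlopen_bytes(url: str, ctx: Optional[ssl.SSLContext]) -> bytes:
    """Real network opener; not used by the offline demo below."""
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read()


def fetch_with_fallback(url: str, opener: Opener = urlopen_bytes) -> bytes:
    """The vulnerable pattern: on any TLS error, retry the same request over plaintext.
    Anyone who can make the handshake fail (e.g. a MITM presenting a bad certificate)
    receives the request, credentials or update download included, in the clear."""
    try:
        return opener(url, strict_tls_context())
    except ssl.SSLError:
        return opener("http://" + url[len("https://"):], None)


def fetch_strict(url: str, opener: Opener = urlopen_bytes) -> bytes:
    """The hardened form: HTTPS only, and a verification failure is an error, not a retry."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing non-HTTPS URL: " + url)
    return opener(url, strict_tls_context())


def simulated_mitm_opener(url: str, ctx: Optional[ssl.SSLContext]) -> bytes:
    """Constructed stand-in for the network: every HTTPS handshake fails verification,
    as it would when an interposed host presents an untrusted certificate; HTTP 'works'."""
    if url.startswith("https://"):
        raise ssl.SSLCertVerificationError("certificate verify failed (simulated)")
    return b"plaintext response observed by the interposed host"


def demo(url: str = "https://agent-endpoint.example/update") -> dict:
    """Run both clients against the simulated MITM; hypothetical URL, no network access."""
    result = {"fallback_body": fetch_with_fallback(url, simulated_mitm_opener)}
    try:
        fetch_strict(url, simulated_mitm_opener)
        result["strict_failed_closed"] = False
    except ssl.SSLError:
        result["strict_failed_closed"] = True
    ctx = strict_tls_context()
    result["verify_required"] = ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return result


if __name__ == "__main__":
    print(demo())
```

The point of `fetch_strict` is not the extra context settings but the absence of an `except` branch: a client that talks to a fixed set of vendor servers has no legitimate reason to ever speak plaintext, so the only correct response to a verification failure is to abort and log it. The same applies to the update download, where a downgrade would let an interposed host substitute the installer.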

The latest version of the Logentries Windows Agent uses the most current version of the OpenSSL 1.0.2 series, v1.0.2l, which fixes all of the vulnerabilities described above. Rapid7 has also ensured that the Insight Agent ships with the latest OpenSSL library.

Remediation

Administrators should update all deployed Logentries Windows Agents to v2.6.0.1 via the following steps:

  • Download the latest zip of Logentries Windows Agent here
  • Confirm you have the latest patched Windows-Agent.zip via the following checksums:
    • MD5: 1c76f076d08c70ac43467e31c1125bda
    • SHA256: b2ade2356a52e8dde136a2bb451c56df1cfbd6b5639e1b1b58686d861e6b4887
  • Unzip the zip file
  • Run the extracted file as Administrator
  • Follow the GUI prompts
  • Once finished, you can verify the Agent version by clicking the Help tab in the GUI:

[Screenshot: logentries-windows-agent-version]
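The checksum step matters more than usual here because the old Agent's update path could be downgraded to plaintext, so an installer fetched by any means other than a verified HTTPS session should be checked against the published digests before it is run. On the Windows host itself `Get-FileHash -Algorithm SHA256 Windows-Agent.zip` does the same job; the following is an added example (not Logentries' tooling) that checks both published digests in one pass and can be dropped into a deployment script. The digests are the ones from the list above; the `b"abc"` input used in the self-check is constructed.

```python
import hashlib
import hmac
import sys
from typing import Dict

# Digests published in the advisory for the patched Windows-Agent.zip.
ADVISORY_DIGESTS = {
    "md5": "1c76f076d08c70ac43467e31c1125bda",
    "sha256": "b2ade2356a52e8dde136a2bb451c56df1cfbd6b5639e1b1b58686d861e6b4887",
}


def digests_of_bytes(data: bytes, algorithms=("md5", "sha256")) -> Dict[str, str]:
    """Hex digests of an in-memory blob, one per requested algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def digests_of_file(path: str, algorithms=("md5", "sha256"), chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream the file so a large installer is not read into memory at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Compare every expected digest. compare_digest avoids timing differences, and the
    result is per algorithm so a single mismatch is visible. MD5 alone is not collision
    resistant, so SHA-256 is the digest that actually establishes integrity."""
    return {name: hmac.compare_digest(actual.get(name, ""), digest.lower())
            for name, digest in expected.items()}


def verify_download(path: str, expected: Dict[str, str] = ADVISORY_DIGESTS) -> bool:
    """True only if every published digest matches the file on disk."""
    return all(verify(digests_of_file(path, tuple(expected)), expected).values())


if __name__ == "__main__":
    # Usage: python verify_agent_zip.py [path-to-Windows-Agent.zip]
    path = sys.argv[1] if len(sys.argv) > 1 else "Windows-Agent.zip"
    ok = verify_download(path)
    print(f"{path}: {'checksums match' if ok else 'CHECKSUM MISMATCH - do not install'}")
    sys.exit(0 if ok else 1)
```

A non-zero exit on mismatch is what lets a deployment script stop before the "Run the extracted file as Administrator" step rather than after it.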

Additional documentation for the Logentries Windows Agent is available here.

Disclosure Timeline

  • Thu, Jun 15, 2017: Vulnerability reported to Rapid7
  • Fri, Jun 16, 2017: Vulnerability confirmed by Rapid7
  • Wed, Jun 21, 2017: Rapid7 assigned CVE-2017-5245 for this issue
  • Thu, Jul 13, 2017: Patch for Logentries Windows Agents made available
  • Thu, Jul 13, 2017: Public disclosure
  • Thu, Jul 13, 2017: Disclosed to MITRE
  • Tue, Jul 18, 2017: MITRE rejected the CVE-2017-5245 assignment for this issue. A new CVE is not needed, as we can instead reference the CVEs that impact the outdated dependency, i.e. those affecting OpenSSL v1.0.1e as used by the Logentries Windows Agent before v2.6.0.1.