shuckins

R7-2017-18: Logentries Windows Agent uses vulnerable OpenSSL (FIXED)

Blog Post created by shuckins Employee on Jul 13, 2017

Summary

The Logentries Windows Agent before version 2.6.0.1 shipped with a version of OpenSSL that is susceptible to several public vulnerabilities described below.

 

While we have no indication that any Logentries customers have been compromised due to these older versions of OpenSSL, we strongly encourage Logentries customers to update Agents deployed to Windows systems using the steps outlined under “Remediation” below. Scan coverage to detect vulnerable versions of the Logentries Windows Agent will be added soon to help customers verify that all their Logentries Agents are patched.

 

Since the previously shipped version of OpenSSL was susceptible to several categories of vulnerabilities, this issue is classified as CWE-937 (Using Components with Known Vulnerabilities).

 

If you have any questions about this issue, please reach out to support@logentries.com.

 

Credit

Rapid7 warmly thanks Dustin Heart for reporting this vulnerability to us, as well as providing information throughout the investigation to help us resolve the issue quickly.

 

Am I affected?

All versions prior to 2.6.0.1 of Logentries Windows Agent are vulnerable.

 

Logentries Agents on Linux and OS X are not vulnerable, as they use the version of OpenSSL present on the assets on which they are installed.

 

Vulnerability Details

The Logentries Windows Agent uses the OpenSSL library as part of its communication with the Logentries servers. Before v2.6.0.1, the Logentries Windows Agent used OpenSSL v1.0.1e, which is vulnerable to a number of issues. The vast majority are Denial of Service type vulnerabilities, but there are a small number that have the potential to allow remote code execution and information disclosure by an attacker in a privileged position on the network.

 

One notable information disclosure issue that this version is vulnerable to is CVE-2014-0160 (AKA “Heartbleed”). While Heartbleed can be a big issue in some attack scenarios, in this case, the risk is relatively low as any information that could be accessed would be log data limited to the affected asset. By default, the Logentries Windows Agent will follow Application, Security, and System Windows logs, and a hardware statistics log. Users can additionally follow logs related to Internet Explorer, Key Management, Media Center, PowerShell, and Hardware Events.

 

These should not include critically sensitive information such as credentials, personally identifiable information (PII), or intellectual property, but may include sensitive environment and user information. If your Logentries Windows Agent is configured to follow application logs, there is a possibility of more sensitive information being exposed.

 

In addition, triggering an information leak from memory is reasonably complicated as it requires the Agent to connect to a malicious server. This could be accomplished by, for example, a man-in-the-middle (MITM) scenario, privileged access to the asset running the Agent (in order to set alternate host entries for the Logentries servers), or DNS cache poisoning attacks.

 

The Logentries Windows Agent also failed to correctly validate TLS certificates and would fall back to plaintext HTTP if errors were encountered during HTTPS connections. This is especially problematic during the Agent update process and when setting username and password (only asked when setting up new installations).

 

The latest version of the Logentries Windows Agent uses the most current version of the OpenSSL 1.0.2 series, v1.0.2l, which fixes all of the vulnerabilities described above. Rapid7 has also ensured that the Insight Agent is shipping with the latest OpenSSL libraries.

 

Remediation

Administrators should update all deployed Logentries Windows Agents to v2.6.0.1 through the following steps:

  • Download the latest zip of Logentries Windows Agent here
  • Verify you have the latest patched Windows-Agent.zip via the following checksums:
    • MD5: 1c76f076d08c70ac43467e31c1125bda
    • SHA256: b2ade2356a52e8dde136a2bb451c56df1cfbd6b5639e1b1b58686d861e6b4887
  • Unzip the zip file
  • Run the extracted .exe file as an Administrator
  • Follow the GUI prompts
  • Once finished, you can verify the Agent version by clicking the Help tab in the GUI:

logentries-windows-agent-version.png

 

Additional documentation for the Logentries Windows Agent is available here.

 

Disclosure Timeline

  • Thu, Jun 15, 2017: Vulnerability reported to Rapid7
  • Fri, Jun 16, 2017: Vulnerability confirmed by Rapid7
  • Wed, Jun 21, 2017: Rapid7 assigned CVE-2017-5245 for this issue
  • Thurs, Jul 13, 2017: Patch for Logentries Windows Agents made available
  • Thurs, Jul 13, 2017: Public disclosure
  • Thurs, Jul 13, 2017: Disclosed to MITRE
  • Tue, Jul 18, 2017: MITRE rejected CVE-2017-5245 assignment for this issue. A new CVE was not necessary, as we can instead reference the CVEs that impact the outdated dependency, i.e. those affecting OpenSSL v1.0.1e used by LogEntries Windows Agent before v2.6.0.1.

Outcomes