Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against AWStats "migrate" Shell Command Injection

Subscribe

Check Point Reference: CPAI-2006-053
Date Published:
Severity:
Last Updated:
Source: SANS
Industry Reference(s):

CVE-2006-2236
Protection Provided by: VPN-1
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
  • NG with Application Intelligence R54
VSX
  • NGX
InterSpect
  • NGX
  • 2.0 and 1.x
Who is Vulnerable?
AWStats version 6.5 and prior versions
Vulnerability Description
AWStats is an open source web analystic reporting tool, suitable for analyzing data from internet services. A vulnerability has been identified in AWStats due to improper validation of user input. The vulnerability may be exploited by attackers to execute arbitrary commands.

July 5, 2006
On July 5, t2006 his protection has been updated to include a Worm Catcher pattern against this vulnerability. Check the Solution tab for more information.
Update/Patch Available
Upgrade to AWStats version 6.6 :
http://awstats.sourceforge.net/
Vulnerability Details
The flaw is the result of an input validation error in the "awstats.pl" script that fails to properly validate the "migrate" variable when the "AllowToUpdateStatsFromBrowser" option is enabled. This can be exploited by remote attackers to execute arbitrary shell commands with the privileges of the Web server.

Protection Overview
The Update enables the HTTP Worm Catcher to detect and block the vulnerability based on pa re-defined worm signature.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R61

How Can I Protect My Network?
1. Update SmartDefense: Click the SmartDefense Services tab, click Download Updates and then click the Online Update button.
2. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
3. Enable the following patterns:

AWStats migrate Command Injection Vulnerability

4. Install policy on all modules.
 

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: AWStats migrate Command Injection Vulnerability

VPN-1 NGx R60, VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. Update SmartDefense by clicking Online Update in the SmartDashboard General window.
2. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
3. Enable the following patterns:

AWStats migrate Command Injection Vulnerability

4. Install policy on all modules.
 

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

ttack Name: HTTP Worm Catcher
Attack Information: AWStats migrate Command Injection Vulnerability

VPN-1 NG with Application Intelligence R55/R54

How Can I Protect My Network?
1. Update SmartDefense by clicking Update Now in the SmartDashboard General window.
2. In the SmartDefense tree, click Application Intelligence > Web and enable General HTTP Worm Catcher.
3. Enable the following patterns:

AWStats migrate Command Injection Vulnerability

4. Install security policy on all modules.
 

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: AWStats migrate Command Injection Vulnerability

VPN-1 VSX NGX

How Can I Protect My Network?
1. Update SmartDefense by clicking Online Update in the SmartDashboard General window.
2. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
3. Enable the following patterns:

AWStats migrate Command Injection Vulnerability

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: AWStats migrate Command Injection Vulnerability

InterSpect NGX

How Can I Protect My Network?
1. Update SmartDefense: In the left pane from the drop-down list, select Profiles > SmartDefense Service and click the Online Update button.
2. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
3. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
4. Enable the following patterns:

AWStats migrate Command Injection Vulnerability

5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: AWStats migrate Command Injection Vulnerability

InterSpect 2.0

How Can I Protect My Network?
1. Update SmartDefense by clicking Online Update in the SmartDashboard General window.
2. In the SmartDefense tree, click Web > General HTTP Worm Defender.
3. Enable the following patterns:

AWStats migrate Command Injection Vulnerability

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: AWStats migrate Command Injection Vulnerability