Executive Summary

Summary
Title: HP ArcSight SmartConnector fails to properly validate SSL and contains a hard-coded password

Information

Name: VU#350508
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor publication: 2015-10-27
Last vendor modification: 2015-11-03
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A
Environmental score: N/A
Impact sub score: N/A
Temporal score: N/A
Exploitability sub score: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSS base score: 6.9
CVSS impact score: 10
CVSS exploit score: 3.4
Attack range: Local
Attack complexity: Medium
Authentication: None required

Detail

Vulnerability Note VU#350508

HP ArcSight SmartConnector fails to properly validate SSL and contains a hard-coded password

Original Release date: 27 Oct 2015 | Last revised: 03 Nov 2015

Overview

The HP ArcSight SmartConnector fails to properly validate SSL certificates, and also contains a hard-coded password.

Description

CWE-295: Improper Certificate Validation - CVE-2015-2902

The ArcSight SmartConnector fails to validate the certificate of the upstream Logger device it reports logs to. An attacker positioned on the network path between the connector and the Logger can present a certificate of their own and perform a man-in-the-middle attack against the log traffic.
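The failure described above, as an added example written for this page in Python rather than the connector's own code: a TLS client context that accepts any certificate and never matches its name (the CWE-295 pattern), the hardened context a connector should use, and an audit function that reports which of those checks a given context lacks. The `ca_bundle` path, the `connect_to_logger` helper and the host names are assumptions for illustration, not ArcSight configuration.

```python
# Added example (not ArcSight code): what "fails to validate the certificate"
# looks like in a TLS client, beside the hardened form, plus an audit check.
import socket
import ssl
from typing import List, Optional


def make_insecure_context() -> ssl.SSLContext:
    """The weak pattern (CWE-295): the session is encrypted, but any
    certificate the peer presents is accepted and the name in it is never
    compared with the host we dialled. An attacker on the path can present
    its own certificate and terminate the connection in the middle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_verifying_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Hardened form: require a certificate that chains to a trusted CA and
    whose name matches the Logger hostname. `ca_bundle` is an assumed path to
    the PEM bundle of the CA that issued the Logger's certificate; None falls
    back to the platform trust store."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the CWE-295-relevant weaknesses of a context; an empty list
    means the context validates the peer certificate and its name."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(
            "verify_mode is not CERT_REQUIRED: peer certificate is never validated")
    if not ctx.check_hostname:
        findings.append(
            "check_hostname is False: certificate name is not matched to the Logger hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS below 1.2")
    return findings


def connect_to_logger(host: str, port: int, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Assumed helper showing the correct wrap: server_hostname must be passed
    so that the name check (and SNI) actually happens for this connection."""
    sock = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("insecure", make_insecure_context()),
                      ("verifying", make_verifying_context())):
        print(name, audit_context(ctx) or ["ok"])
```

The hostname check only has something to compare against when `server_hostname` is supplied at `wrap_socket` time, which is why the connect helper passes it; a context with `check_hostname = True` wrapped without it raises rather than silently skipping the check.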

CWE-259: Use of Hard-coded Password - CVE-2015-2903

Use of a default password (with no mechanism for changing it) in the CWSAPI SOAP service provided by ArcSight allows an attacker to gain administrator credentials.

Impact

A remote attacker may be able to utilize a man-in-the-middle attack to read SSL-encrypted log traffic. A remote attacker may use the hard-coded password to gain root access to the device.

Solution

Apply an update

HP has released ArcSight SmartConnector 7.1.6, which addresses these issues. Affected users should update to version 7.1.6 or later as soon as possible.

Vendor Information

Vendor: Hewlett-Packard Company
Status: Affected
Date notified: 08 Jul 2015
Date updated: 20 Oct 2015

CVSS Metrics

Group          Score  Vector
Base           7.1    AV:A/AC:L/Au:S/C:C/I:C/A:N
Temporal       6.1    E:POC/RL:U/RC:UR
Environmental  4.6    CDP:N/TD:M/CR:ND/IR:ND/AR:ND

References

  • https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04850932
  • http://cwe.mitre.org/data/definitions/259.html
  • http://cwe.mitre.org/data/definitions/295.html

Credit

Thanks to Jefferson Ogata for reporting this vulnerability to us.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2015-2902, CVE-2015-2903
  • Date Public: 19 Oct 2015
  • Date First Published: 27 Oct 2015
  • Date Last Updated: 03 Nov 2015
  • Document Revision: 56

Original Source

Url : http://www.kb.cert.org/vuls/id/350508

CWE : Common Weakness Enumeration

%      Id       Name
100 %  CWE-310  Cryptographic Issues

CPE : Common Platform Enumeration

Type         Count
Application  1

Alert History

Date                 Information
2015-11-04 21:23:53  Multiple updates
2015-11-04 09:27:24  Multiple updates
2015-11-04 00:21:28  Multiple updates
2015-10-28 00:21:16  First insertion