Executive Summary

Summary
Title: HP ArcSight Logger contains multiple vulnerabilities
Information
Name: VU#842252
First vendor publication: 2015-10-19
Vendor: VU-CERT
Last vendor modification: 2015-10-26
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact subscore: NA
Temporal score: NA
Exploitability subscore: NA
 

Security-Database Scoring CVSS v2

CVSS vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSS base score: 7.2
Attack range: Local
CVSS impact score: 10
Attack complexity: Low
CVSS exploit score: 3.9
Authentication: None Required

Detail

Vulnerability Note VU#842252

HP ArcSight Logger contains multiple vulnerabilities

Original Release date: 19 Oct 2015 | Last revised: 26 Oct 2015

Overview

HP ArcSight Logger contains multiple vulnerabilities, allowing authentication bypass and privilege escalation in certain scenarios.

Description

CWE-285: Improper Authorization - CVE-2015-2136

A remote authenticated user without Logger Search permissions may be able to bypass authorization and perform searches via the SOAP interface.

According to the reporter, ArcSight Logger 6.0.0.7307.1 is affected, and other versions may also be affected.

CWE-307: Improper Restriction of Excessive Authentication Attempts - CVE-2015-6029

Incorrect login attempts via the SOAP interface are not logged or locked out, as they are through the standard web GUI. This may allow a remote unauthenticated attacker to attempt brute force password guesses without triggering an alert.

According to the reporter, ArcSight Logger 6.0.0.7307.1 is affected, and other versions may also be affected.

CWE-653: Insufficient Compartmentalization - CVE-2015-6030

Several key files for ArcSight are owned by the arcsight user, but are executed with root privileges. This may allow a user with arcsight credentials to escalate privileges to root when running commands.

According to the reporter, ArcSight Logger 6.0.0.7307.1, ArcSight Command Center 6.8.0.1896.0, and ArcSight Connector Appliance 6.4.0.6881.3 are affected. Other versions may also be affected. ArcSight SmartConnector for UNIX-like systems may also be affected.

The CVSS score below is based on CVE-2015-2136. While the Insufficient Compartmentalization issue could potentially be serious, the arcsight user credentials appear to only be known by system administrators in practice, greatly lessening the severity of this vulnerability. Future evidence of an alternate way to obtain arcsight credentials may change this impact.

Impact

An authenticated remote user without ArcSight Logger search privileges may be able to perform Logger searches. An unauthenticated remote user may be able to brute force guess a password without triggering any alerts. A user with arcsight credentials may be able to execute commands with the privileges of root.

Solution

Apply an update

HP has released HP ArcSight Logger v6.0 P2 addressing CVE-2015-2136 and CVE-2015-6029. Affected users are recommended to update as soon as possible to ArcSight Logger v6.0 P2, or a subsequent release. HP has also released a Security Bulletin regarding CVE-2015-6029.

HP has begun to roll out updates addressing the remaining issues on all supported platforms, and expects to have all updates available by the end of October. In the meantime, consider the following workarounds:

Restrict access to the system and network

Restrict access to the arcsight user account. Network monitoring may help detect brute force password attempts.
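One way to check a host for the CVE-2015-6030 condition (files that root executes but a non-root account owns or can replace), as an added example that is not part of the advisory or of any HP tooling. It assumes the administrator supplies the list of paths that root actually runs; the path in the usage section is a hypothetical placeholder.

```python
import os
import stat

def audit_root_executed(paths, trusted_uids=(0,), stop_at="/"):
    """Return (path, reason) findings for files root runs and their parent dirs.

    A file that root executes is only as trustworthy as every account that can
    replace it: its owner, anyone with write permission on it, and anyone who
    can rename entries in a directory on the way to it.
    """
    stop_at = os.path.realpath(stop_at)
    findings, seen = [], set()
    for path in paths:
        current = os.path.realpath(path)  # audit the symlink target, not the link
        while True:
            if current not in seen:
                seen.add(current)
                findings.extend(_check(current, trusted_uids))
            parent = os.path.dirname(current)
            if current == stop_at or parent == current:
                break
            current = parent
    return findings

def _check(path, trusted_uids):
    try:
        st = os.stat(path)
    except OSError as exc:
        return [(path, f"cannot stat: {exc.strerror}")]
    out = []
    if st.st_uid not in trusted_uids:
        out.append((path, f"owned by uid {st.st_uid}, not a trusted owner"))
    writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    # A sticky directory (like /tmp) stops users replacing each other's entries.
    sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
    if writable and not sticky_dir:
        out.append((path, f"group/other-writable (mode {stat.S_IMODE(st.st_mode):04o})"))
    return out

if __name__ == "__main__":
    # Hypothetical placeholder path: list what root actually runs on your host
    # (init scripts, cron entries, sudoers commands).
    for p, why in audit_root_executed(["/opt/PLACEHOLDER/bin/service.sh"]):
        print(f"{p}: {why}")
```

Any finding on a path that root runs means the owning or writing account is effectively root-equivalent, which is why the advisory's workaround is to restrict access to the arcsight account.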

Vendor Information

Vendor | Status | Date Notified | Date Updated
Hewlett-Packard Company | Affected | 20 Jul 2015 | 08 Sep 2015

CVSS Metrics

Group | Score | Vector
Base | 4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N
Temporal | 3.1 | E:POC/RL:OF/RC:C
Environmental | 2.3 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04762372
  • https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04863612
  • http://cwe.mitre.org/data/definitions/285.html
  • http://cwe.mitre.org/data/definitions/307.html
  • http://cwe.mitre.org/data/definitions/653.html

Credit

Thanks to Hubert Mach and Julian Horoszkiewicz for reporting these issues to us.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2015-2136, CVE-2015-6029, CVE-2015-6030
  • Date Public: 19 Oct 2015
  • Date First Published: 19 Oct 2015
  • Date Last Updated: 26 Oct 2015
  • Document Revision: 52

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/842252

CWE : Common Weakness Enumeration

% | Id | Name
33 % | CWE-264 | Permissions, Privileges, and Access Controls
33 % | CWE-254 | Security Features
33 % | CWE-200 | Information Exposure

CPE : Common Platform Enumeration

Type | Description | Count
Application | | 1
Application | | 2
Application | | 3
Application | | 1
Application | | 2
Hardware | | 3

Information Assurance Vulnerability Management (IAVM)

Date Description
2015-09-17 IAVM : 2015-A-0220 - HP ArcSight Logger Authorization Bypass Vulnerability
Severity : Category I - VMSKEY : V0061405

Nessus® Vulnerability Scanner

Date Description
2015-09-17 Name : A log collection and management system installed on the remote host is affect...
File : arcsight_logger_6_0_2.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2015-11-13 13:25:57
  • Multiple Updates
2015-11-05 00:26:23
  • Multiple Updates
2015-11-04 09:27:25
  • Multiple Updates
2015-10-26 09:21:40
  • Multiple Updates
2015-10-21 00:19:28
  • Multiple Updates
2015-10-20 00:22:47
  • First insertion