
CERT Coordination Center

HP ArcSight SmartConnector fails to properly validate SSL and contains a hard-coded password

Vulnerability Note VU#350508

Original Release Date: 2015-10-27 | Last Revised: 2015-11-03

Overview

The HP ArcSight SmartConnector fails to properly validate SSL certificates, and also contains a hard-coded password.

Description

CWE-295: Improper Certificate Validation - CVE-2015-2902

The ArcSight SmartConnector fails to validate the certificate presented by the upstream Logger device to which it forwards logs. An attacker positioned on the network path between the connector and the Logger can present an arbitrary certificate, impersonate the Logger, and perform a man-in-the-middle attack against the log traffic.
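The following is an added illustration of the check at issue, not code from the advisory or from HP's connector: a log-forwarding client must verify that the certificate the Logger presents chains to a trusted root and matches the name that was dialed. The Go program below (standard library only) mints a throwaway CA, a genuine Logger certificate issued by that CA, a self-signed certificate an eavesdropper could mint for the same name, and a CA-issued certificate for a different name, then evaluates each under two policies: the vulnerable "accept anything" policy and proper validation. The host name `logger.corp.example`, the CA name and the function names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// loggerHost is a hypothetical name for the upstream Logger; the advisory gives none.
const loggerHost = "logger.corp.example"

var nextSerial int64

// issue mints an ECDSA P-256 certificate for cn with the given SAN names. With
// parent == nil the certificate is self-signed: a root CA when isCA is set, or
// the kind of forged leaf an eavesdropper can mint for any name when it is not.
func issue(cn string, dns []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyLogger is the check a connector must perform on the certificate the
// Logger presents in the TLS handshake: chain to a trusted root and match the
// dialed name. skipVerify models the vulnerable behaviour: accept whatever the
// peer presents, which is exactly what lets a man-in-the-middle impersonate it.
func verifyLogger(presented *x509.Certificate, host string, roots *x509.CertPool, skipVerify bool) error {
	if skipVerify {
		return nil
	}
	_, err := presented.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Results records the verdict for each certificate a connector might be shown.
type Results struct {
	Genuine   error // issued by the trusted CA for loggerHost: must be accepted
	Forged    error // self-signed by an eavesdropper for loggerHost: must be rejected
	WrongHost error // issued by the trusted CA, but for another name: must be rejected
}

// Scenario builds a throwaway PKI and evaluates all three certificates under one policy.
func Scenario(skipVerify bool) (Results, error) {
	ca, caKey, err := issue("Corp Root CA", nil, true, nil, nil)
	if err != nil {
		return Results{}, err
	}
	genuine, _, err := issue(loggerHost, []string{loggerHost}, false, ca, caKey)
	if err != nil {
		return Results{}, err
	}
	forged, _, err := issue(loggerHost, []string{loggerHost}, false, nil, nil)
	if err != nil {
		return Results{}, err
	}
	other, _, err := issue("other.corp.example", []string{"other.corp.example"}, false, ca, caKey)
	if err != nil {
		return Results{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the connector's trust store: only the corporate CA
	return Results{
		Genuine:   verifyLogger(genuine, loggerHost, roots, skipVerify),
		Forged:    verifyLogger(forged, loggerHost, roots, skipVerify),
		WrongHost: verifyLogger(other, loggerHost, roots, skipVerify),
	}, nil
}

func main() {
	for _, skip := range []bool{true, false} {
		r, err := Scenario(skip)
		if err != nil {
			panic(err)
		}
		fmt.Printf("skipVerify=%v\n  genuine:   %v\n  forged:    %v\n  wrongHost: %v\n", skip, r.Genuine, r.Forged, r.WrongHost)
	}
}
```

With `skipVerify=true` all three certificates are accepted, including the forged one, which is the condition the advisory describes; with validation on, only the CA-issued certificate for the dialed name passes, the forged one fails as an unknown authority and the misnamed one fails the hostname check. The same idea gives a black-box test for a deployed connector: point it at a listener that presents a certificate not chained to the connector's trust store, and if the session proceeds past the handshake the connector is not validating.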

CWE-259: Use of Hard-coded Password - CVE-2015-2903

The CWSAPI SOAP service provided by ArcSight uses a hard-coded default password, with no mechanism for changing it, which allows an attacker to obtain administrator credentials.

Impact

A remote attacker may be able to use a man-in-the-middle attack to read SSL-encrypted log traffic. A remote attacker may use the hard-coded password to gain root access to the device.

Solution

Apply an update

HP has released ArcSight SmartConnector 7.1.6, which addresses these issues. Affected users should update to version 7.1.6 or later as soon as possible.

Vendor Information


Hewlett-Packard Company

Notified:  July 08, 2015 Updated:  October 20, 2015

Statement Date:   September 25, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 7.1 AV:A/AC:L/Au:S/C:C/I:C/A:N
Temporal 6.1 E:POC/RL:U/RC:UR
Environmental 4.6 CDP:N/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Jefferson Ogata for reporting this vulnerability to us.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-2902, CVE-2015-2903
Date Public: 2015-10-19
Date First Published: 2015-10-27
Date Last Updated: 2015-11-03 21:18 UTC
Document Revision: 56

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.