search menu icon-carat-right cmu-wordmark

CERT Coordination Center

HP ArcSight Logger contains multiple vulnerabilities

Vulnerability Note VU#842252

Original Release Date: 2015-10-19 | Last Revised: 2015-10-26

Overview

HP ArcSight Logger contains multiple vulnerabilities, allowing authentication bypass and privilege escalation in certain scenarios.

Description

CWE-285: Improper Authorization - CVE-2015-2136

A remote authenticated user without Logger Search permissions may be able to bypass authorization and perform searches via the SOAP interface.

According to the reporter, ArcSight Logger 6.0.0.7307.1 is affected, and other versions may also be affected.

CWE-307: Improper Restriction of Excessive Authentication Attempts - CVE-2015-6029

Incorrect login attempts via the SOAP interface are not logged or locked out, as they are through the standard web GUI. This may allow a remote unauthenticated attacker to attempt brute force password guesses without triggering an alert.

According to the reporter, ArcSight Logger 6.0.0.7307.1 is affected, and other versions may also be affected.

CWE-653: Insufficient Compartmentalization - CVE-2015-6030

Several key files for ArcSight are owned by the arcsight user, but are executed with root privileges. This may allow a user with arcsight credentials to escalate privileges to root when running commands.

According to the reporter, ArcSight Logger 6.0.0.7307.1, ArcSight Command Center 6.8.0.1896.0, and ArcSight Connector Appliance 6.4.0.6881.3 are affected. Other versions may also be affected. ArcSight SmartConnector for UNIX-like systems may also be affected.

The CVSS score below is based on CVE-2015-2136. While the Insufficient Compartmentalization issue could potentially be serious, the arcsight user credentials appear to only be known by system administrators in practice, greatly lessening the severity of this vulnerability. Future evidence of an alternate way to obtain arcsight credentials may change this impact.

Impact

An authenticated remote user without ArcSight Logger search privileges may be able to perform Logger searches. An unauthenticated remote user may be able to brute force guess a password without triggering any alerts. A user with arcsight credentials may be able to execute commands with the privileges of root.

Solution

Apply an update

HP has released HP ArcSight Logger v6.0 P2 addressing CVE-2015-2136 and CVE-2015-6029. Affected users are recommended to update as soon as possible to ArcSight Logger v6.0 P2, or a subsequent release. HP has also released a Security Bulletin regarding CVE-2015-6029.

HP has begun to roll out updates addressing the remaining issues on all supported platforms, and expects to have all updates available by the end of October. In the meantime, consider the following workarounds:

Restrict access to the system and network

Restrict access to the arcsight user account. Network monitoring may help detect brute force password attempts.

Vendor Information

842252
 
Affected   Unknown   Unaffected

Hewlett-Packard Company

Notified:  July 20, 2015 Updated:  September 08, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N
Temporal 3.1 E:POC/RL:OF/RC:C
Environmental 2.3 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Hubert Mach and Julian Horoszkiewicz for reporting these issues to us.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-2136, CVE-2015-6029, CVE-2015-6030
Date Public: 2015-10-19
Date First Published: 2015-10-19
Date Last Updated: 2015-10-26 05:00 UTC
Document Revision: 52

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.