https://www.cnblogs.com/iAmSoScArEd/

SEC Consult Vulnerability Lab Security Advisory < 20190515-0 >
=======================================================================
  title: Authorization Bypass
  product: RSA NetWitness
  vulnerable version: <10.6.6.1, <11.2.1.1
  fixed version: 10.6.6.1, 11.2.1.1
  CVE number: CVE-2019-3724
  impact: Medium
  homepage: https://www.rsa.com
  found: 2018-09-18
  by: Mantas Juskauskas (Office Vilnius)
  SEC Consult Vulnerability Lab

  An integrated part of SEC Consult
  Europe | Asia | North America

  https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"RSA provides more than 30,000 customers around the world with the essential
security capabilities to protect their most valuable assets from cyber
threats. With RSA's award-winning products, organizations effectively detect,
investigate, and respond to advanced attacks; confirm and manage identities;
and ultimately, reduce IP theft, fraud, and cybercrime."

Source: https://www.rsa.com/en-us/company/about

Business recommendation:
------------------------
By exploiting the vulnerability documented in this advisory an unauthorized
attacker can access an administrative resource that may contain plain text
credentials to a 3rd party system.

The vendor provides a patch which should be installed on affected systems.

Vulnerability overview/description:
-----------------------------------
The authorization mechanism provided by the platform is prone to an authorization
bypass vulnerability, which can be easily exploited by authenticated (but low
privileged) remote attackers for gaining access to administrative information
including plaintext passwords.

Proof of concept:
-----------------
A logged-in low privileged user (e.g. with role Analyst) is able to access
an administrative resource by calling the following URL:

https://[host]/admin/system/whois/properties

After the above URL is accessed, the server returns the following HTTP response
that contains sensitive information to a 3rd party whois service including
plaintext passwords:

HTTP/1.1 200 OK
Server: nginx
Date: [snip]
Content-Type: application/json;charset=UTF-8
Connection: close
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: [snip]
Content-Length: 795

{"success":true,"data":{"queryUrl":"https://[snip]","authUrl":"https://[snip]","userId":"[snip]","pw":"[snip]","allowedRequests":100,"allowedRequestsInterval":60,"queueMaxSize":100000,"cacheMaxSize":50000,"refreshInterval":30,"waitForHttpRequests":true,"settings":{"query-url":"https://[snip]","queue-max-size":100000,"password":"[snip]","allowed-requests":100,"auth-url":"https://[snip]","user-id":"[snip]","refresh-interval-seconds":{"seconds":2592000,"milliSeconds":2592000000},"cache-max-size":50000,"wait-for-http-request":true,"allowed-requests-interval-seconds":{"seconds":60,"milliSeconds":60000}}}}

Vulnerable / tested versions:
-----------------------------
The identified vulnerability has been verified to exist in the
RSA NetWitness platform, version 11.1.0.1.

According to the vendor, platform version 10 is also affected.

The following versions are vulnerable:
* <10.6.6.1
* <11.2.1.1

Vendor contact timeline:
------------------------
2018-10-01: Contacting vendor through PGP via secure@dell.com
2018-10-02: Vendor acknowledges the information was received, forwards
            the info to the relevant department
2018-10-11: Vendor confirms the impact of the authorization issue,
            starts to work on the remediation timeline
2018-10-15: Vendor provides additional information
2018-10-22: Contacting vendor to provide the remediation timeline
2018-10-23: Further email exchange related to the remediation timeline
2019-01-18: Vendor provides an update on the fix timeline
2019-03-05: Asking for a status update
2019-03-06: Vendor provides a status update on the release, patch for
            platform version 11 will be released in March, version 10
            Mid-April
2019-04-01: Asking for a specific release date & further status update
2019-04-01: Vendor: release is scheduled for 23rd April 2019, but may change,
            they will inform us
2019-05-06: Asking for a status update; no answer
2019-05-09: Noticed that the new release is online fow a while now, asking
            the vendor for a status update again
2019-05-09: Vendor: published security advisory URL and CVE
2019-05-15: SEC Consult advisory release

Solution:
---------
The following patched versions address the identified issue:
* 11.2.1.1
* 10.6.6.1

Security advisory of the vendor: https://community.rsa.com/docs/DOC-104202

The vendor specifically told us that version 11.3 is not affected by this
vulnerability.

Workaround:
-----------
None

Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF M. Juskauskas / @2019

Authorization Bypass in RSA NetWitness的更多相关文章

  1. Kali linux 2016.2(Rolling)中的Exploits模块详解

    简单来将,这个Exploits模块,就是针对不同的已知漏洞的利用程序. root@kali:~# msfconsole Unable to handle kernel NULL pointer der ...

  2. StrongSwan 5.1.1 发布,Linux 的 IPsec 项目

    StrongSwan是一个完整的2.4和2.6的Linux内核下的IPsec和IKEv1 的实现.它也完全支持新的IKEv2协议的Linux 2.6内核.结合IKEv1和IKEv2模式与大多数其他基于 ...

  3. Metasploit辅助模块

    msf > show auxiliary Auxiliary ========= Name                                                  Di ...

  4. Magic Quadrant for Security Information and Event Management

    https://www.gartner.com/doc/reprints?id=1-4LC8PAW&ct=171130&st=sb Summary Security and risk ...

  5. Bug Bounty Reference

    https://github.com/ngalongc/bug-bounty-reference/blob/master/README.md#remote-code-execution Bug Bou ...

  6. [Hive - LanguageManual ] ]SQL Standard Based Hive Authorization

    Status of Hive Authorization before Hive 0.13 SQL Standards Based Hive Authorization (New in Hive 0. ...

  7. linux下ssh使用rsa验证登陆MACOX

    由于项目的需求,我这边ubuntu下常常需要SSH访问另外一台MACOS. 每次输入密码有点烦,就想到RSA公钥和密钥验证的方法. 像所有教程上讲的一样,本机执行 gong@hzsx:~$ ssh-k ...

  8. RSA, ACS5.X 集成配置

    目的是RSA和ACS集成,ACS作为RADIUS服务器提供二次验证服务. ①配置RSA SecurID Token Servers   按照如下网址配置: http://www.cisco.com/c ...

  9. Linux-ssh的rsa认证登录配置

    首先看一下实验环境: [root@localhost ~]# cat /proc/version #ip 192.168.254.130 Linux version 2.6.32-431.el6.x8 ...

随机推荐

  1. ES6深入浅出-7 新版的类(上集)-2.介绍JS中的类

    声明对象原型,公有属性. obj对象,它用一个属性__proto__记录了自己的原型 改掉它的原型为公有属性.那么obj这个对象及有了hi的方法.因为obj自己没有hi.那么就去自己的原型上去找了. ...

  2. log4j 异常时在日志文件里面显示空的。

    如下图所示,输入的时候不要写 e.getStackTrace() 一般情况下不会出问题,但有时候就会出问题 解决方案

  3. C++接口的概念

    满足下面条件: 1.类中没有定义任何的成员变量 2.所有的成员函数都是公有的 3.所有的成员函数都是纯虚函数 4.接口是一种特殊的抽象类

  4. nginx调优(二)

    nginx调优(一) (1).Fastcgi调优 FastCGI全称快速通用网关接口(FastCommonGatewayInterface),可以认为FastCGI是静态服务和动态服务的一个接口.Fa ...

  5. 【Leetcode_easy】872. Leaf-Similar Trees

    problem 872. Leaf-Similar Trees 参考 1. Leetcode_easy_872. Leaf-Similar Trees; 完

  6. android基础---->Parcelable的使用

     android中Parcelable序列化的使用,简单的记录一下. 目录导航: Serializable在android中的使用 Parcelable在android中的使用 Serializabl ...

  7. 乐字节Java|封装JavaBean、继承与权限修饰

    本文继续讲Java封装.上一篇:乐字节Java|GC垃圾回收机制.package和import语句 这次讲述JavaBean.继承与权限修饰 一. 封装javaBean 封装(Encapsulatio ...

  8. Java基础笔试练习(二)

    1. HashMap的数据结构是怎样的? A.数组 B.链表 C.数组+链表 D.二叉树 答案: C 解析: JDK8以后,HashMap的数据结构是数组+链表+红黑树 2. 在 JAVA 编程中,J ...

  9. 长乐培训Day9

    T1 立方数 题目 [题目描述] 作为XX战队的狂热粉丝,MdZzZZ看到了自己心仪的队伍在半决赛落败,顿时心灰意冷.看着自己手中的从黄牛那里抢来的天价总决赛门票,MdZzZZ觉得去鸟巢已经没有意义了 ...

  10. CSS样式三种形式222

    markdown CSS基本表现形式只有三种:标签样式.Class类样式.ID样式 标签样式: 必须与HTML标签同名.仅仅影响同名标签 Class样式:可以在任何标签中使用: class=" ...