HP Fixes ArcSight Vulnerabilities
Thursday, October 22, 2015 @ 02:10 PM gHale
HP updated its ArcSight enterprise security management software to fix vulnerabilities, officials said.
An advisory published by CERT said ArcSight Logger, a log management software tool, suffers from an authentication bypass vulnerability (CVE-2015-2136) that allows a remote, authenticated user without Logger Search permissions to conduct searches through the SOAP interface.
In addition, another SOAP interface issue is an improper restriction of excessive authentication attempts (CVE-2015-6029). The vulnerability allows a remote, unauthenticated attacker to conduct brute force attacks on the SOAP interface in an effort to guess user passwords. ArcSight Logger does not log or block incorrect logins, and repeated attempts to enter the password don’t trigger any alerts.
The last flaw found in HP ArcSight products is an “insufficient compartmentalization” issue.
“Several key files for ArcSight are owned by the arcsight user, but are executed with root privileges,” CERT wrote in its advisory. “This may allow a user with arcsight credentials to escalate privileges to root when running commands.”
The potential risk, while at first blush it may seem serious, ends up mitigated because in practice only system administrators know the credentials for the “arcsight” user. If it turns out these credentials can be obtained through another method, the impact rating of the vulnerability will change, CERT said.
The authentication bypass and brute force issues affect ArcSight Logger 220.127.116.1107.1 and possibly other versions. The compartmentalization flaw affects ArcSight Logger 18.104.22.16807.1, ArcSight Command Center 22.214.171.1246.0, and ArcSight Connector Appliance 126.96.36.19981.3. Other versions of these products and ArcSight SmartConnector for UNIX-like systems might also suffer from the issues.
Hubert Mach and Julian Horoszkiewicz reported the vulnerabilities.
HP released ArcSight Logger v6.0 P2 to address the authentication bypass vulnerability. The company has also started releasing updates to resolve the other flaws. Until these updates become available, users should restrict access to the “arcsight” account and monitor network traffic in order to detect potential brute force attacks.
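The compartmentalization flaw CERT describes (files owned by the arcsight user but executed with root privileges) can be audited for on any host. The following is an added example, not code from HP, CERT or the original article; the install root and the list of files that root executes are assumptions the administrator supplies.

```python
#!/usr/bin/env python3
"""Audit files that root executes for ownership and permission weaknesses."""
import os
import stat
import sys


def audit_root_executed(path, install_root, trusted_uids=frozenset({0})):
    """Return (path, reason) findings for `path` and every parent directory
    up to and including `install_root`.

    A file run as root is only as trustworthy as whoever can modify it, and
    the owner of a parent directory can rename or replace the file, so each
    level must be owned by a trusted uid and not group/other writable.
    """
    findings = []
    current = os.path.realpath(path)
    boundary = os.path.realpath(install_root)
    if os.path.commonpath([current, boundary]) != boundary:
        raise ValueError(f"{path} is outside {install_root}")
    while True:
        st = os.stat(current)
        if st.st_uid not in trusted_uids:
            findings.append((current, f"owned by uid {st.st_uid}"))
        writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        # A sticky directory (like /tmp) stops users replacing others' files.
        sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        if writable and not sticky_dir:
            mode = stat.filemode(st.st_mode)
            findings.append((current, f"group/other writable ({mode})"))
        if current == boundary:
            return findings
        current = os.path.dirname(current)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: audit.py INSTALL_ROOT FILE [FILE...]")
    root, *files = sys.argv[1:]
    for f in files:
        for where, why in audit_root_executed(f, root):
            print(f"{f}: {where}: {why}")
```

Any finding means a non-root account can change what root runs; the fix is to make root the owner of the file and its parent directories and to remove group and other write bits.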