HP has started releasing software updates for its ArcSight enterprise security management solution to address a series of vulnerabilities reported by researchers.
An advisory published by CERT on Monday shows that ArcSight Logger, a log management software tool, is plagued by an authentication bypass vulnerability (CVE-2015-2136) that allows a remote, authenticated user without Logger Search permissions to conduct searches through the SOAP interface.
Another security issue related to the SOAP interface has been described by CERT as improper restriction of excessive authentication attempts (CVE-2015-6029). The weakness allows a remote, unauthenticated attacker to conduct brute force attacks on the SOAP interface in an effort to guess user passwords. The problem is that ArcSight Logger does not log or block incorrect logins, and repeated attempts to enter the password don’t trigger any alerts.
The last flaw found in HP ArcSight products has been classified as “insufficient compartmentalization” (CVE-2015-6030).
“Several key files for ArcSight are owned by the arcsight user, but are executed with root privileges. This may allow a user with arcsight credentials to escalate privileges to root when running commands,” CERT wrote in its advisory.
This could be a serious issue, but the potential risk is mitigated because in practice only system administrators appear to know the credentials for the “arcsight” user. If it turns out that these credentials can be obtained through another method, the impact rating of the vulnerability will be changed, CERT noted.
The authentication bypass and brute force issues affect ArcSight Logger 6.0.0.7307.1 and possibly other versions. The compartmentalization flaw affects ArcSight Logger 6.0.0.7307.1, ArcSight Command Center 1.0.0.1446.0, and ArcSight Connector Appliance 6.4.0.6881.3. Other versions of these products and ArcSight SmartConnector for UNIX-like systems might also be impacted.
Hubert Mach and Julian Horoszkiewicz have been credited for finding and reporting these issues.
HP has already released ArcSight Logger v6.0 P2 to address the authentication bypass vulnerability. The company has also started releasing updates to resolve the other flaws. Until these updates become available (HP expects to complete them by November), users are advised to restrict access to the “arcsight” account and to monitor network traffic in order to detect potential brute force attacks against the SOAP interface.
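Because Logger itself neither logs nor blocks failed SOAP logins, the brute force detection HP recommends has to come from traffic observed in front of the appliance, for example a reverse proxy's access log. The following sliding-window counter is an added example, not code from HP, CERT or the advisory; the `/soap/services/LoginService` path, the 60-second window, the 20-request threshold and the log lines are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Placeholder: set to the path the appliance's SOAP login requests actually use.
SOAP_LOGIN_PATH = "/soap/services/LoginService"
WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 20                   # assumed POSTs per window per source

# Combined log format as a reverse proxy in front of Logger would write it.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (source, timestamp, method, path) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("src"), ts, m.group("method"), m.group("path")

def detect_bruteforce(lines, path=SOAP_LOGIN_PATH, window=WINDOW, threshold=THRESHOLD):
    """Return {source: time at which it first reached `threshold` login POSTs within `window`}.

    Every POST to the SOAP login path is counted, since Logger gives the proxy
    no distinguishable success/failure signal to key on.
    """
    recent = defaultdict(deque)   # per-source timestamps inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, ts, method, req_path = parsed
        if method != "POST" or not req_path.startswith(path):
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts

def sample_lines():
    """Constructed log: one host hammering the login endpoint, one normal client."""
    base = datetime(2015, 10, 20, 9, 0, 0, tzinfo=timezone.utc)
    fmt = '{src} - - [{ts}] "POST {path} HTTP/1.1" 200 512'
    stamp = lambda dt: dt.strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = [fmt.format(src="198.51.100.7", ts=stamp(base + timedelta(seconds=2 * i)),
                        path=SOAP_LOGIN_PATH) for i in range(25)]
    lines += [fmt.format(src="192.0.2.15", ts=stamp(base + timedelta(minutes=10 * i)),
                         path=SOAP_LOGIN_PATH) for i in range(3)]
    return lines
```

Running `detect_bruteforce(sample_lines())` flags only 198.51.100.7, at the 20th request (38 seconds into the burst); a real deployment would feed it the proxy log and forward hits to the SIEM.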
Last week, Rapid7 reported finding a command injection flaw in HP SiteScope. While the issue sounds severe, HP has not released any updates, arguing that its product documentation covers the concern.