CVE-2019-3716 - Information Exposure Through Log Files vulnerability in RSA Archer GRC Platform

CVSS 7.8 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Tags: local, low complexity, rsa, CWE-532, nessus

Summary

RSA Archer versions, prior to 6.5 SP2, contain an information exposure vulnerability. The database connection password may get logged in plain text in the RSA Archer log files. An authenticated malicious local user with access to the log files may obtain the exposed password to use it in further attacks.
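A defender-side check for the exposure described above, as an added example that is not part of the advisory or of RSA's or Tenable's code: it reports which log lines carry a connection-string password without echoing the secret, and produces a redacted copy. It assumes ADO.NET / SQL Server style `Password=` or `Pwd=` keys; the sample lines are constructed and do not reproduce real RSA Archer log output.

```python
import re

# Assumption: ADO.NET / SQL Server style connection strings, where the secret
# follows a "Password=" or "Pwd=" key. A quoted value ends at its closing
# quote; a bare value ends at ';', a quote or end of line, so trailing text on
# the same line may be over-redacted, which is the safe direction.
SECRET = re.compile(r"""(?i)\b(password|pwd)\s*=\s*('[^']*'|"[^"]*"|[^;"'\r\n]+)""")


def redact_line(line):
    """Return the line with every connection-string password value masked."""
    return SECRET.sub(lambda m: m.group(1) + "=<redacted>", line)


def scan(lines):
    """Return (line_number, key) per hit; the secret itself is never returned."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in SECRET.finditer(line):
            hits.append((number, match.group(1)))
    return hits


# Constructed sample lines (hypothetical format and values).
SAMPLE_LOG = [
    "2019-02-01 10:00:01 INFO  Job engine started",
    "2019-02-01 10:00:02 ERROR Connect failed: Data Source=db01;"
    "Initial Catalog=Inst;User ID=svc;Password=Example-Not-Real;Timeout=30",
    "2019-02-01 10:00:03 DEBUG conn='Server=db01;Uid=svc;Pwd=\"p;w\";'",
    "2019-02-01 10:00:04 WARN  Password policy check skipped",
]

if __name__ == "__main__":
    for number, key in scan(SAMPLE_LOG):
        print(f"line {number}: {key} value present in log")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Log files written before the fixed version was installed are not rewritten by the upgrade, so a check like this is useful when deciding whether the database credential needs to be changed.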

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Fuzzing and observing application log data/errors for application mapping
    An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages, but by attempting a large number of message variants they may find a variant that triggers the desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information.

Nessus

NASL family: CGI abuses
NASL id: EMC_RSA_ARCHER_6_5_0_2_INFO_DISCLOSURE.NASL
description: The version of EMC RSA Archer running on the remote web server is prior to 6.4.1.5 or 6.5.x < 6.5.0.2. It is, therefore, affected by multiple vulnerabilities:
  - An information disclosure vulnerability exists in RSA Archer versions, prior to 6.5 SP1 (6.5.0.1). An authenticated malicious local user with access to the log files may obtain user session information to use it in further attacks. (CVE-2019-3715)
  - An information disclosure vulnerability exists in RSA Archer versions, prior to 6.5 SP2 (6.5.0.2). An authenticated malicious local user with access to the log files may obtain the database connection password to use it in further attacks. (CVE-2019-3716)
Note that version 6.4 SP1 P5 (6.4.1.5) also fixed these vulnerabilities.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 122649
published: 2019-03-07
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/122649
title: EMC RSA Archer < 6.4.1.5 / 6.5.x < 6.5.0.2 Multiple Vulnerabilities
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(122649);
  script_version("1.4");
  script_cvs_date("Date: 2019/10/31 15:18:51");

  script_cve_id("CVE-2019-3715", "CVE-2019-3716");
  script_bugtraq_id(107406, 107443);
  script_xref(name:"IAVB", value:"2019-B-0017");

  script_name(english:"EMC RSA Archer < 6.4.1.5 / 6.5.x < 6.5.0.2 Multiple Vulnerabilities");
  script_summary(english:"Checks for the product and version in the login page.");

  script_set_attribute(attribute:"synopsis", value:
"An application running on the remote host is affected by an
information disclosure vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of EMC RSA Archer running on the remote web server is
prior to 6.4.1.5 or 6.5.x < 6.5.0.2. It is, therefore, affected by
multiple vulnerabilities :

  - An information disclosure vulnerability exists in RSA Archer
    versions, prior to 6.5 SP1 (6.5.0.1). An authenticated malicious
    local user with access to the log files may obtain user session
    information to use it in further attacks. (CVE-2019-3715)

  - An information disclosure vulnerability exists in RSA Archer
    versions, prior to 6.5 SP2 (6.5.0.2). An authenticated malicious
    local user with access to the log files may obtain the database
    connection password to use it in further attacks. (CVE-2019-3716)

Note that version 6.4 SP1 P5 (6.4.1.5) also fixed these
vulnerabilities.");
  script_set_attribute(attribute:"see_also", value:"https://community.rsa.com/docs/DOC-101227");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2019/Mar/19");
  script_set_attribute(attribute:"solution", value:
"Upgrade to EMC RSA Archer version 6.4.1.5 / 6.5.0.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-3716");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/02/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:emc:rsa_archer_egrc");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("emc_rsa_archer_detect.nbin");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("vcf.inc");

app_name = "EMC RSA Archer";
port = get_http_port(default:80);

app_info = vcf::get_app_info(app:app_name, webapp:TRUE, port:port);

constraints = [
  # 6.5.x
  {"min_version" : "6.5.0", "fixed_version" : "6.5.200", "fixed_display" : "6.5 P2 (6.5.0.2)" },
  # All versions < 6.4.1.5 are vulnerable
  {"fixed_version" : "6.4.10500", "fixed_display" : "6.4 SP1 P5 (6.4.1.5)" }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_NOTE);