Vulnerability Note VU#350508
HP ArcSight SmartConnector fails to properly validate SSL and contains a hard-coded password
Original Release date: 27 Oct 2015 | Last revised: 03 Nov 2015

Overview
The HP ArcSight SmartConnector fails to properly validate SSL certificates, and also contains a hard-coded password.

Description
CWE-295: Improper Certificate Validation – CVE-2015-2902
The ArcSight SmartConnector does not validate the certificate presented by the upstream Logger it forwards logs to. An attacker positioned on the network path between the connector and the Logger can therefore present a certificate of their own, complete the SSL handshake in the Logger's place, and read or alter the log traffic in transit (a man-in-the-middle attack).
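The following Go program is an added example and not the SmartConnector's own code (the product is Java, and none of its TLS code appears on this page). It reproduces the two client behaviours behind CVE-2015-2902 against a loopback TLS server: a client with certificate validation switched off, and a hardened client that trusts only the Logger's certificate and checks the hostname. The hostname `logger.example.internal`, the loopback port and the self-signed certificates are constructed here for the demonstration and are not taken from the advisory. An attacker who controls the path to the Logger presents a certificate bearing the Logger's name but signed with the attacker's own key; the unverified client completes the handshake with it, the hardened client refuses it and still accepts the genuine Logger.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// Assumed hostname of the upstream Logger (not taken from the advisory).
const loggerName = "logger.example.internal"

// selfSignedCert issues a self-signed server certificate for loggerName with a
// fresh key: the genuine Logger's on one call, the attacker's on another.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: loggerName},
		DNSNames:              []string{loggerName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, err
}

// connectorHandshake starts a loopback TLS server presenting serverCert and
// dials it the way a log forwarder dials its Logger. skipVerify=true reproduces
// the CWE-295 behaviour (any certificate accepted); otherwise the client trusts
// only pinnedRoot and requires the certificate to carry loggerName. A nil
// result means the handshake completed and the client would start sending logs.
func connectorHandshake(serverCert tls.Certificate, pinnedRoot *x509.Certificate, skipVerify bool) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // server side: serve one client and drain until it disconnects
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		c.SetDeadline(time.Now().Add(5 * time.Second))
		io.Copy(io.Discard, c) // the first Read runs the server half of the handshake
	}()
	cfg := &tls.Config{ServerName: loggerName, MinVersion: tls.VersionTLS12}
	if skipVerify {
		cfg.InsecureSkipVerify = true // never ship this: disables chain and hostname checks
	} else {
		cfg.RootCAs = x509.NewCertPool()
		cfg.RootCAs.AddCert(pinnedRoot)
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// RunScenario stages a genuine Logger and an attacker presenting his own
// certificate for the same hostname, and reports whether the unverified client
// accepts the attacker, the pinned client accepts the attacker, and the pinned
// client still accepts the genuine Logger.
func RunScenario() (vulnAcceptsAttacker, pinnedAcceptsAttacker, pinnedAcceptsLogger bool, err error) {
	loggerCert, loggerLeaf, err := selfSignedCert()
	if err != nil {
		return
	}
	attackerCert, _, err := selfSignedCert() // same hostname, attacker's own key
	if err != nil {
		return
	}
	vulnAcceptsAttacker = connectorHandshake(attackerCert, nil, true) == nil
	pinnedAcceptsAttacker = connectorHandshake(attackerCert, loggerLeaf, false) == nil
	pinnedAcceptsLogger = connectorHandshake(loggerCert, loggerLeaf, false) == nil
	return
}

func main() {
	v, a, l, err := RunScenario()
	fmt.Printf("unverified client accepts attacker: %v\npinned client accepts attacker: %v\npinned client accepts Logger: %v (err: %v)\n", v, a, l, err)
}
```

Run with `go run`: the unverified client reports true against the attacker, the pinned client false against the attacker and true against the genuine Logger. Note that the attacker's certificate here carries the correct hostname, so a hostname check alone would not have caught it; what distinguishes the peers is the chain to a trusted root. Pinning the Logger's own certificate, as this example does, means the pinned material must be updated whenever the Logger's certificate is renewed; trusting a private CA that issues the Logger's certificate is the more usual deployment and works the same way through RootCAs.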

CWE-259: Use of Hard-coded Password – CVE-2015-2903

The CWSAPI SOAP service provided by ArcSight uses a default password, and offers no mechanism for changing it. An attacker who can reach the service can use this password to obtain administrator credentials.

Impact
An attacker on the network path between a connector and its Logger may use a man-in-the-middle attack to read SSL-encrypted log traffic. An attacker who can reach the CWSAPI SOAP service may use the hard-coded password to gain root access to the device.

Solution
Apply an update

HP has released ArcSight SmartConnector 7.1.6, which addresses these issues. Affected users should update to version 7.1.6 or later as soon as possible.

Vendor Information

Vendor: Hewlett-Packard Company
Status: Affected
Date Notified: 08 Jul 2015
Date Updated: 20 Oct 2015

CVSS Metrics (CVSS v2 vectors)

Group          Score  Vector
Base           7.1    AV:A/AC:L/Au:S/C:C/I:C/A:N
Temporal       6.1    E:POC/RL:U/RC:UR
Environmental  4.6    CDP:N/TD:M/CR:ND/IR:ND/AR:ND

References

https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04850932
http://cwe.mitre.org/data/definitions/259.html
http://cwe.mitre.org/data/definitions/295.html

Credit

Thanks to Jefferson Ogata for reporting this vulnerability to us.
This document was written by Garret Wassermann.

Other Information

CVE IDs:
CVE-2015-2902
CVE-2015-2903

Date Public:
19 Oct 2015

Date First Published:
27 Oct 2015

Date Last Updated:
03 Nov 2015

Document Revision:
56

