CVE-2015-6237 - Tripwire IP360 VnE Remote Administrative API Authentication Bypass/Privilege Acquisition Vulnerability

[Specto <specto () custodela com>]

Document Title
================
Tripwire IP360 VnE Remote Administrative API Authentication
Bypass/Privilege Acquisition Vulnerability


Affected Products
===================
Vendor: Tripwire
Software/Appliance: IP360 VnE Vulnerability Manager
Affected (verified) versions: v7.2.2 -> v7.2.5


CVE
=====
CVE-2015-6237


CVSS
=======
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/RL:O/RC:C
Base Score: 10.0
Temporal Score: 9.5


Rating
=========
Critical


Vulnerability Summary
======================

The IP350 VnE is susceptible to a remote XML-RPC authentication
bypass vulnerability, which allows for specially crafted privileged
commands to be remotely executed without authentication. The RPC
service is available on the public HTTPS interface of the VnE by
default, and cannot be disabled.


Impact
========

Successful exploitation will allow a remote unauthenticated
attacker to execute commands and queries against the API normally
only available to privileged users. Attack vectors include the
ability to enumerate all local/remote users, reset any password of
a user on the system, and manipulate IP filter restrictions for any
user. Users configured to use external authentication sources (e.g.
LDAP) can have a local password created and made usable by an
attacker while the authorized user continues to use external
authentication. The combined vectors could allow for remote
administrative privilege acquisition.


Remediation
=============
Update to v7.2.6


Credits
==========
This vulnerability was discovered and reported by Specto
(specto [at] custodela [dot] com).


Relevant Timeline
====================

18/08/2015: Initial vendor contact
19/08/2015: Vulnerability provided to vendor
19/08/2015: Vulnerability accepted by vendor
25/08/2015: Vulnerability confirmed by vendor
30/09/2015: Update with vulnerability fix released by vendor
01/10/2015: Advisory posted