CVE-2015-6237
📋 TL;DR
This vulnerability in Tripwire IP360 VnE Manager allows remote attackers to bypass authentication on the RPC service and perform privileged actions without credentials. Attackers can enumerate users, reset passwords, and manipulate IP filter restrictions. Organizations running vulnerable versions of Tripwire IP360 VnE Manager are affected.
💻 Affected Systems
- Tripwire IP360 VnE Manager (formerly nCircle IP360 VnE Manager)
📦 What is this software?
Ip360 by Tripwire
Ip360 by Tripwire
Ip360 by Tripwire
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Tripwire IP360 system allowing attackers to reset administrator passwords, disable IP filtering protections, and gain full control over the vulnerability management platform.
Likely Case
Attackers bypass authentication to enumerate users, reset passwords for privileged accounts, and modify IP restrictions to allow unauthorized access to the system.
If Mitigated
If proper network segmentation and access controls are in place, impact is limited to the Tripwire IP360 system itself without lateral movement to other critical assets.
🎯 Exploit Status
The vulnerability allows unauthenticated remote exploitation via crafted RPC commands. Public disclosure includes technical details sufficient for exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.2.6 and later
Vendor Advisory: https://www.tripwire.com/state-of-security/vulnerability-management/ip360-vne-manager-security-update
Restart Required: Yes
Instructions:
1. Download Tripwire IP360 VnE Manager version 7.2.6 or later from Tripwire support portal. 2. Backup current configuration and data. 3. Install the updated version following Tripwire's upgrade documentation. 4. Restart the VnE Manager service.
🔧 Temporary Workarounds
Network Access Restriction
linuxRestrict network access to the Tripwire IP360 VnE Manager RPC service (default port 443) to only trusted management networks.
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Windows Firewall Rule
windowsCreate Windows Firewall rules to restrict access to the Tripwire service.
New-NetFirewallRule -DisplayName "Block Tripwire RPC" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Block
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the Tripwire IP360 system from untrusted networks
- Monitor RPC service logs for authentication bypass attempts and unusual privileged command usage
🔍 How to Verify
Check if Vulnerable:
Check the Tripwire IP360 VnE Manager version via the web interface or by examining installed software version. Versions 7.2.2 through 7.2.5 are vulnerable.Check Version:
On Linux: rpm -qa | grep -i tripwire or dpkg -l | grep -i tripwire. On Windows: Check Programs and Features or registry entries.Verify Fix Applied:
Verify installation of version 7.2.6 or later and test that authentication is required for privileged RPC commands.📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful privileged commands
- RPC service logs showing user enumeration or password reset attempts without proper authentication
Network Indicators:
- Unusual RPC traffic to Tripwire IP360 port 443 from unauthorized sources
- Multiple authentication bypass attempts
SIEM Query:
source="tripwire_logs" AND (event="user_enumeration" OR event="password_reset") AND auth_result="success" AND auth_method="none"