CVE-2023-48641
📋 TL;DR
Archer Platform 6.x contains an insecure direct object reference vulnerability that allows authenticated malicious users in multi-instance installations to bypass authorization checks by manipulating application resource references. This enables unauthorized execute access to AWF application resources. Only multi-instance Archer Platform 6.x installations before version 6.14 P1 HF2 are affected.
💻 Affected Systems
- Archer Platform
📦 What is this software?
Archer by Archerirm
⚠️ Risk & Real-World Impact
Worst Case
Malicious authenticated user gains unauthorized execute access to AWF application resources, potentially leading to data manipulation, privilege escalation, or disruption of business workflows.
Likely Case
An authenticated attacker bypasses authorization controls to access or modify AWF resources outside their entitlement, potentially compromising data integrity.
If Mitigated
With proper access controls and monitoring, impact is limited to attempted unauthorized access that can be detected and blocked.
🎯 Exploit Status
Requires authenticated access and multi-instance environment; attacker needs to understand Archer resource reference structure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.14 P1 HF2 (6.14.0.1.2) or later
Vendor Advisory: https://www.archerirm.community/t5/platform-announcements/archer-update-for-multiple-vulnerabilities/ta-p/711859
Restart Required: Yes
Instructions:
1. Download Archer Platform 6.14 P1 HF2 or later from the RSA support portal.
2. Apply the patch following Archer upgrade procedures.
3. Restart Archer services.
4. Verify the patch is applied successfully.
🔧 Temporary Workarounds
Temporary Access Restriction
Implement additional access controls and monitoring for AWF application resources while awaiting the patch.
🧯 If You Can't Patch
- Implement strict access controls and least privilege principles for all Archer users.
- Enable detailed logging and monitoring for AWF resource access attempts.
🔍 How to Verify
Check if Vulnerable:
Check the Archer Platform version in Administration > System Configuration > About. If the version is 6.x and lower than 6.14.0.1.2, and the installation is multi-instance, the system is vulnerable.
Check Version:
Check via Archer web interface: Administration > System Configuration > About
Verify Fix Applied:
Verify version shows 6.14.0.1.2 or higher in Administration > System Configuration > About.
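The version check above can be automated across an inventory. The following is an added example, not code from Archer or the advisory; it normalises both version notations the advisory uses ("6.14 P1 HF2" and "6.14.0.1.2") to a comparable tuple and applies the multi-instance condition. The mapping of "P<n> HF<m>" onto the last two dotted components is an assumption drawn from the advisory's "6.14 P1 HF2 (6.14.0.1.2)" equivalence, and the inventory entries are constructed sample data.

```python
import re

# Fixed version from the advisory: 6.14 P1 HF2, written in dotted form as 6.14.0.1.2.
FIXED_VERSION = (6, 14, 0, 1, 2)

# Matches the labelled form "6.14 P1 HF2"; the build, P and HF parts are optional.
_LABEL_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s+P(\d+))?(?:\s+HF(\d+))?\s*$", re.IGNORECASE
)


def parse_version(version: str) -> tuple:
    """Normalise an Archer version string to (major, minor, build, patch, hotfix).

    Accepts the dotted form ("6.14.0.1.2") and the labelled form ("6.14 P1 HF2").
    Assumption: P<n> is the 4th dotted component and HF<m> the 5th, as in the
    advisory's "6.14 P1 HF2 (6.14.0.1.2)"; missing components are treated as 0.
    """
    v = version.strip()
    if re.fullmatch(r"\d+(\.\d+)*", v):
        parts = [int(p) for p in v.split(".")]
        parts += [0] * (5 - len(parts))  # pad short strings such as "6.13"
        return tuple(parts[:5])
    m = _LABEL_RE.match(v)
    if not m:
        raise ValueError(f"unrecognised Archer version string: {version!r}")
    major, minor, build, patch, hotfix = (int(g) if g else 0 for g in m.groups())
    return (major, minor, build, patch, hotfix)


def is_vulnerable(version: str, multi_instance: bool) -> bool:
    """True when CVE-2023-48641 applies: a multi-instance 6.x install below 6.14 P1 HF2."""
    if not multi_instance:
        return False  # the advisory scopes the issue to multi-instance installations
    parsed = parse_version(version)
    return parsed[0] == 6 and parsed < FIXED_VERSION


def vulnerable_hosts(inventory):
    """Return names of inventory entries (name, version, multi_instance) still needing the patch."""
    return [name for name, ver, multi in inventory if is_vulnerable(ver, multi)]


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    ("archer-prod", "6.14 P1 HF1", True),
    ("archer-dev", "6.14.0.1.2", True),
    ("archer-single", "6.12", False),
]

if __name__ == "__main__":
    print("Needs 6.14 P1 HF2:", vulnerable_hosts(SAMPLE_INVENTORY))
```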
📡 Detection & Monitoring
Log Indicators:
- Unusual AWF resource access patterns
- Failed authorization attempts for AWF resources
- Multiple resource reference manipulation attempts
Network Indicators:
- Unusual API calls to AWF endpoints
- Patterns of resource ID manipulation in requests
SIEM Query:
source="archer" AND (event_type="access_denied" OR resource="awf") AND user!="system"