CVE-2024-28058
📋 TL;DR
This broken access control vulnerability in RSA NetWitness Platform allows an internal threat actor to impersonate a user whose access has been revoked but who still has an active session, leading to unauthorized access to sensitive data. It matters to NetWitness administrators and to any user whose access is revoked while they are logged in. The root cause is improper session management when a user's privileges are revoked: the existing session is not invalidated, so it keeps working as if the revocation had not happened.
💻 Affected Systems
- RSA NetWitness Platform
⚠️ Manual Verification Required
The CVE database entry used here carries no version ranges, so automatic vulnerability detection cannot determine from it whether your system is affected.
Why? Neither the vendor nor NVD supplied affected-version ranges for this entry. The vendor advisory and the fix information below identify 12.5.1 as the patched release, so treat earlier releases as affected until you have confirmed otherwise.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An internal malicious actor could impersonate any recently revoked user with an active session, gaining unauthorized access to sensitive investigation data, logs, and platform configurations, potentially leading to data exfiltration or further privilege escalation.
Likely Case
An internal user with knowledge of the vulnerability could exploit it to access data they shouldn't have permission to view, particularly targeting users whose access was recently revoked during role changes or terminations.
If Mitigated
With proper monitoring and quick session termination procedures, the window of opportunity is reduced, limiting potential data exposure to brief periods after user revocation.
🎯 Exploit Status
Exploitation requires internal access to the NetWitness platform and knowledge of a revoked user's still-active session. The technique is reuse of a session the platform continues to honour after revocation (session hijacking or impersonation), not a memory-corruption or injection bug requiring complex technical manipulation.
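To make the failure mode concrete, here is an added example (illustrative Python, not NetWitness code and not a description of its internals): a minimal session layer in which a session caches its authorization claims at login, so revoking the account leaves the session usable. It also shows the two fixes the workarounds below rely on: purging the user's sessions at revocation time, and re-checking the live account record on every request. User names and the role set are constructed for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class User:
    name: str
    roles: set
    revoked: bool = False
    privilege_version: int = 0     # bumped on every role change or revocation


@dataclass
class Session:
    user: str
    cached_roles: frozenset        # authorization claims copied in at login
    issued_version: int            # privilege_version the session was issued under


class SessionStore:
    def __init__(self):
        self.users = {}
        self.sessions = {}         # token -> Session

    def add_user(self, name, roles):
        self.users[name] = User(name, set(roles))

    def login(self, name):
        u = self.users[name]
        if u.revoked:
            raise PermissionError("account revoked")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, frozenset(u.roles), u.privilege_version)
        return token

    def revoke(self, name):
        """Revocation as a vulnerable system does it: only the user record changes."""
        u = self.users[name]
        u.revoked = True
        u.roles.clear()
        u.privilege_version += 1

    def revoke_and_terminate(self, name):
        """Revocation plus session purge (the 'force session termination' workaround)."""
        self.revoke(name)
        for token in [t for t, s in self.sessions.items() if s.user == name]:
            del self.sessions[token]

    def authorize_vulnerable(self, token, required_role):
        """Vulnerable: trusts the claims cached in the session record, so a session
        issued before revocation is honoured until it expires or is deleted."""
        s = self.sessions.get(token)
        return s is not None and required_role in s.cached_roles

    def authorize_hardened(self, token, required_role):
        """Hardened: the session only proves identity; authorization is read from the
        live user record, and a session issued under an older privilege_version
        (revocation or any role change) is discarded."""
        s = self.sessions.get(token)
        if s is None:
            return False
        u = self.users.get(s.user)
        if u is None or u.revoked or s.issued_version != u.privilege_version:
            self.sessions.pop(token, None)
            return False
        return required_role in u.roles


def demo():
    """Constructed walk-through: one session, checked before and after revocation."""
    store = SessionStore()
    store.add_user("alice", {"analyst"})
    token = store.login("alice")
    before = store.authorize_vulnerable(token, "analyst")            # True
    store.revoke("alice")                                            # access revoked, session left alone
    vulnerable_after = store.authorize_vulnerable(token, "analyst")  # True: the bug
    hardened_after = store.authorize_hardened(token, "analyst")      # False, and the session is purged

    other = SessionStore()
    other.add_user("bob", {"analyst"})
    t2 = other.login("bob")
    other.revoke_and_terminate("bob")                                # workaround: purge sessions too
    terminated = other.authorize_vulnerable(t2, "analyst")           # False even with the weak check
    return {"before": before, "vulnerable_after_revoke": vulnerable_after,
            "hardened_after_revoke": hardened_after, "workaround_after_revoke": terminated,
            "stale_session_purged": token not in store.sessions}


if __name__ == "__main__":
    print(demo())
```

The design point is that a session token should prove who is calling, not what they are allowed to do; authorization belongs to the live account record, and any change to that record should invalidate sessions issued before it.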
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.5.1
Vendor Advisory: https://community.netwitness.com/t5/netwitness-platform-product/nw-2024-06-netwitness-platform-broken-access-control/ta-p/719454
Restart Required: Yes
Instructions:
1. Backup current configuration and data.
2. Download RSA NetWitness Platform version 12.5.1 from the RSA support portal.
3. Follow RSA's upgrade documentation for your deployment type.
4. Apply the update to all components.
5. Restart all NetWitness services.
6. Verify all components are running on version 12.5.1.
🔧 Temporary Workarounds
Force session termination on user revocation
Manually terminate all active sessions for a user at the moment their access is revoked through administrative controls.
Use RSA NetWitness administrative interface to view and terminate active user sessions when revoking access
Reduce session timeout
Decrease session timeout values to limit the window during which a revoked user's session remains active. Prefer an absolute (maximum lifetime) timeout where the platform offers one: an idle timeout alone does not end a session that someone is actively driving.
Configure shorter session timeout in NetWitness Platform settings (exact commands depend on deployment)
🧯 If You Can't Patch
- Implement strict monitoring of user session activity, especially around user access revocation events
- Establish procedures to immediately terminate all active sessions when revoking user access, and verify termination
🔍 How to Verify
Check if Vulnerable:
Check NetWitness Platform version via administrative interface. If version is below 12.5.1, the system is vulnerable.
Check Version:
Check version in NetWitness Platform web interface under Administration > System > About, or use platform-specific CLI commands depending on deployment
Verify Fix Applied:
Confirm version is 12.5.1 or higher in administrative interface, then test by revoking a test user's access while they have an active session and attempting to use that session.
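The "Verify Fix Applied" step above is a session-replay test. This added harness (illustrative Python, not NetWitness tooling) encodes it: log in as a throwaway test user, keep the session cookie, pause while an operator revokes that user in the admin interface, then replay the cookie against a protected resource. The login path, protected path, cookie handling and credentials are ASSUMED placeholders, since this page documents no NetWitness endpoints; the transport is injected so the same logic runs against a live host (urllib transport) or against the constructed fake servers used here to show both outcomes.

```python
import json
import urllib.error
import urllib.request


def urllib_transport(base_url):
    """Real transport for a live host. Returns (status, Set-Cookie header or '')."""
    def fetch(method, path, cookie=None, body=None):
        req = urllib.request.Request(base_url + path, data=body, method=method)
        if cookie:
            req.add_header("Cookie", cookie)
        if body is not None:
            req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status, resp.headers.get("Set-Cookie", "")
        except urllib.error.HTTPError as e:
            return e.code, ""
    return fetch


def session_replay_check(fetch, revoke_hook, login_path="/login", protected_path="/api/me",
                         credentials=None):
    """1. log in as the test user and keep the session cookie;
       2. call revoke_hook() while that session is live (an operator revoking the
          user in the admin UI, or an automated admin call);
       3. replay the old cookie. A 2xx means the revoked session is still honoured."""
    # ASSUMED placeholder credentials and paths; replace with your test account.
    creds = credentials or {"username": "probe-user", "password": "probe-password"}
    status, set_cookie = fetch("POST", login_path, body=json.dumps(creds).encode())
    if status >= 400 or not set_cookie:
        raise RuntimeError(f"login failed with status {status}")
    cookie = set_cookie.split(";", 1)[0]            # keep only the name=value pair
    revoke_hook()
    status, _ = fetch("GET", protected_path, cookie=cookie)
    return {"replay_status": status, "vulnerable": 200 <= status < 300}


class FakeServer:
    """Constructed stand-in so the check can be exercised offline.
    honours_stale_sessions=True mimics the unpatched behaviour."""
    def __init__(self, honours_stale_sessions):
        self.honours_stale_sessions = honours_stale_sessions
        self.sessions = set()
        self.revoked = False

    def revoke(self):
        self.revoked = True
        if not self.honours_stale_sessions:
            self.sessions.clear()                   # fixed behaviour: revocation ends live sessions

    def fetch(self, method, path, cookie=None, body=None):
        if method == "POST" and path == "/login":
            if self.revoked:
                return 403, ""
            self.sessions.add("JSESSIONID=abc123")  # constructed cookie value
            return 200, "JSESSIONID=abc123; Path=/; HttpOnly"
        if method == "GET" and path == "/api/me":
            return (200, "") if cookie in self.sessions else (401, "")
        return 404, ""


def demo():
    vuln = FakeServer(honours_stale_sessions=True)
    fixed = FakeServer(honours_stale_sessions=False)
    return {"unpatched": session_replay_check(vuln.fetch, vuln.revoke),
            "patched": session_replay_check(fixed.fetch, fixed.revoke)}


if __name__ == "__main__":
    print(demo())
    # Against a real host: session_replay_check(urllib_transport("https://host"),
    #     revoke_hook=lambda: input("Revoke the test user now, then press Enter"))
```

Run it only against a disposable test account, and confirm the revocation actually landed (the user no longer appears as active in the admin interface) before trusting a "not vulnerable" result; otherwise a successful replay just means the revocation never happened.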
📡 Detection & Monitoring
Log Indicators:
- Session activity attributed to an account after its access was revoked (the platform is still honouring the pre-revocation session; a fresh successful login for a revoked account is a separate and worse signal, since it means the revocation itself did not take effect)
- Post-revocation activity on a session from a source IP different from the one the session was opened from, consistent with another insider driving the revoked user's session
- An administrative revocation event followed, within the session lifetime, by data access or configuration reads under the revoked user's identity
Network Indicators:
- The same session identifier appearing from a new internal source IP shortly after a privilege change or revocation
- Session traffic continuing after the point at which the account's credentials stop working for new logins
SIEM Query:
Splunk SPL; the field and event_type names follow the log indicators above and must be mapped to whatever your NetWitness audit source emits. Revocation and the later session activity are separate events, so they are correlated per user rather than matched on a single event:
source="netwitness" event_type IN ("user_revoked","access_removed","user_login","session_start","session_activity")
| eval action=if(in(event_type,"user_revoked","access_removed"),"revoked","session")
| stats min(eval(if(action="revoked",_time,null()))) AS revoked_at, max(eval(if(action="session",_time,null()))) AS last_session, values(src_ip) AS src_ips BY user
| where isnotnull(revoked_at) AND last_session > revoked_at AND (last_session - revoked_at) <= 3600
| convert ctime(revoked_at) ctime(last_session)
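The same correlation outside the SIEM, as an added example that is not part of the original page and does not use NetWitness's real audit format: a small Python detector run over constructed key=value audit lines. Field names (event_type, user, src_ip, session) follow the SIEM query above; the line layout and the sample events are constructed stand-ins. It flags every activity event for a user after that user's most recent revocation and notes whether the source IP differs from the one the session was opened from, which is the impersonation indicator rather than just a stale session.

```python
import re
from datetime import datetime, timezone

# Constructed sample audit lines (not NetWitness output). alice is revoked at 09:05
# and her session s1 is then driven from a new IP at 09:12 and from her own at 11:00.
SAMPLE_LOG = """\
2024-05-02T09:00:00Z event_type=session_start user=alice src_ip=10.1.1.5 session=s1
2024-05-02T09:05:00Z event_type=user_revoked user=alice actor=admin
2024-05-02T09:12:00Z event_type=session_activity user=alice src_ip=10.1.1.99 session=s1 action=export_logs
2024-05-02T09:20:00Z event_type=session_start user=bob src_ip=10.1.1.7 session=s2
2024-05-02T09:30:00Z event_type=session_activity user=bob src_ip=10.1.1.7 session=s2 action=view_incident
2024-05-02T11:00:00Z event_type=session_activity user=alice src_ip=10.1.1.5 session=s1 action=view_incident
"""

REVOKE_EVENTS = {"user_revoked", "access_removed"}
ACTIVITY_EVENTS = {"user_login", "session_start", "session_activity"}
KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """'<iso timestamp> k=v k=v ...' -> dict with a timezone-aware 'time' field."""
    ts, _, rest = line.partition(" ")
    ev = dict(KV.findall(rest))
    ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def find_post_revocation_activity(log_text):
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["time"])
    revoked_at = {}    # user -> time of the most recent revocation
    session_ip = {}    # session id -> src_ip recorded when the session was opened
    findings = []
    for ev in events:
        et, user = ev.get("event_type"), ev.get("user")
        if et == "session_start":
            session_ip[ev.get("session")] = ev.get("src_ip")
        if et in REVOKE_EVENTS:
            revoked_at[user] = ev["time"]
            continue
        if et in ACTIVITY_EVENTS and user in revoked_at and ev["time"] > revoked_at[user]:
            first_ip = session_ip.get(ev.get("session"))
            findings.append({
                "user": user,
                "event_type": et,
                "action": ev.get("action"),
                "src_ip": ev.get("src_ip"),
                # a different IP than the session's origin suggests someone else is driving it
                "ip_changed": first_ip is not None and first_ip != ev.get("src_ip"),
                "minutes_after_revocation": (ev["time"] - revoked_at[user]).total_seconds() / 60,
            })
    return findings


if __name__ == "__main__":
    for f in find_post_revocation_activity(SAMPLE_LOG):
        print(f)
```

Unlike the one-hour window in the SIEM query, this flags activity at any interval after revocation: a session that outlives the revocation by two hours is still a finding, and the interval is reported so triage can prioritise.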