CVE-2024-6358
📋 TL;DR
CVE-2024-6358 is an incorrect authorization vulnerability in OpenText ArcSight Intelligence that allows authenticated users to access resources or perform actions beyond their intended permissions. This affects organizations using vulnerable versions of ArcSight Intelligence for security analytics and threat detection.
💻 Affected Systems
- OpenText ArcSight Intelligence
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could escalate privileges to administrative levels, access sensitive security data, manipulate threat intelligence, or disrupt security monitoring operations.
Likely Case
Authorized users could access data or functions they shouldn't have permission to view, potentially exposing sensitive security information or configuration details.
If Mitigated
With proper access controls and network segmentation, impact would be limited to authorized users accessing slightly broader data sets than intended.
🎯 Exploit Status
Exploitation requires valid user credentials; once authenticated, the authorization bypass appears to be straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in reference; consult vendor advisory for patched version
Vendor Advisory: https://portal.microfocus.com/s/article/KM000032595
Restart Required: Yes
Instructions:
1. Review the vendor advisory for specific patch details.
2. Download the appropriate patch from the OpenText support portal.
3. Apply the patch following OpenText's installation procedures.
4. Restart ArcSight Intelligence services.
5. Verify the patch was applied successfully.
🔧 Temporary Workarounds
Restrict Access Controls
Implement additional access controls and review user permissions to minimize potential impact
Network Segmentation
Isolate ArcSight Intelligence systems from general network access
🧯 If You Can't Patch
- Implement strict access controls and principle of least privilege for all ArcSight Intelligence users
- Monitor user activity logs for unusual access patterns or privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check your ArcSight Intelligence version against the vendor advisory for affected versions
Check Version:
Check version through ArcSight Intelligence web interface or administration console
Verify Fix Applied:
Verify patch installation through the ArcSight Intelligence administration interface and confirm version is updated
📡 Detection & Monitoring
Log Indicators:
- Unusual user access patterns
- Access to resources beyond user role permissions
- Failed authorization attempts followed by successful access
Network Indicators:
- Unusual API calls to ArcSight Intelligence endpoints
- Access to administrative functions from non-admin accounts
SIEM Query:
source="arcsight" AND (event_type="authorization_failure" OR event_type="privilege_escalation")
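As an added example, not from the advisory or from OpenText, the following Python correlates constructed ArcSight Intelligence-style audit events to flag the two log indicators listed above: a successful access shortly after an authorization failure, and a non-admin role reaching an administrative function. The field names, role values and the `admin/` resource prefix are assumptions, not the real ArcSight schema.

```python
# Added example (not from the advisory or OpenText): correlates constructed
# ArcSight Intelligence-style audit events to flag the two log indicators
# above. Field names (ts, user, role, event_type, resource) are assumptions.
from datetime import datetime, timedelta

# Constructed sample events; the "admin/" prefix marks administrative
# resources (an assumption about naming, not a real ArcSight path).
SAMPLE_EVENTS = [
    {"ts": "2024-07-01T10:00:00", "user": "analyst1", "role": "analyst",
     "event_type": "authorization_failure", "resource": "admin/users"},
    {"ts": "2024-07-01T10:00:20", "user": "analyst1", "role": "analyst",
     "event_type": "access", "resource": "admin/users"},
    {"ts": "2024-07-01T10:05:00", "user": "admin1", "role": "admin",
     "event_type": "access", "resource": "admin/users"},
    {"ts": "2024-07-01T11:00:00", "user": "analyst2", "role": "analyst",
     "event_type": "access", "resource": "dashboards/overview"},
]

ADMIN_PREFIX = "admin/"
WINDOW = timedelta(minutes=5)  # how soon after a failure a success is suspicious


def find_suspicious(events, window=WINDOW):
    """Return a list of (user, reason, resource) findings, in event order."""
    findings = []
    failures = {}  # (user, resource) -> time of the last authorization failure
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["resource"])
        if ev["event_type"] == "authorization_failure":
            failures[key] = ts
            continue
        if ev["event_type"] != "access":
            continue
        # Indicator 1: a non-admin role reaching an administrative function.
        if ev["resource"].startswith(ADMIN_PREFIX) and ev["role"] != "admin":
            findings.append((ev["user"], "non-admin accessed admin function", ev["resource"]))
        # Indicator 2: success on a resource shortly after a failure on the same one.
        last_fail = failures.get(key)
        if last_fail is not None and ts - last_fail <= window:
            findings.append((ev["user"], "success after authorization failure", ev["resource"]))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print(finding)
```

Tune the window and the admin resource pattern to match the actual audit fields your ArcSight Intelligence deployment emits before relying on this in a SIEM.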