During the upgrade process from a CentOS7-based version to an AlmaLinux8-based version of product NETWITNESS, certain RPM packages that are not required in AlmaLinux8 are persisting on the system. These packages need to be properly removed during the upgrade process to ensure system security and integrity. The presence of these unnecessary packages poses a significant security risk due to the vulnerabilities associated with them.

CVE Identifier

wpa_supplicant: CVE-2021-0326, CVE-2021-27803

jasper-libs: CVE-2021-3272, CVE-2021-26927, CVE-2021-26926, CVE-2020-27828

libtiff: CVE-2020-35524, CVE-2020-35523, CVE-2020-35522, CVE-2020-35521, CVE-2020-19131, CVE-2022-22844, CVE-2022-1355, CVE-2022-0924, CVE-2022-0909, CVE-2022-0908, CVE-2022-0891, CVE-2022-0865, CVE-2022-0562, CVE-2022-0561, CVE-2022-3970, CVE-2022-3627, CVE-2022-48281, CVE-2023-0804, CVE-2023-0803, CVE-2023-0802, CVE-2023-0801, CVE-2023-0800

libwayland: CVE-2021-3782

Severity

Summary and Impact Analysis for NetWitness

The presence of unnecessary RPM packages from CentOS7 on AlmaLinux8 systems poses a security risk due to the vulnerabilities associated with these packages. Although these packages are no longer used in product NETWITNESS, their presence still represents a potential security threat.

•  wpa_supplicant (CVE-2021-0326, CVE-2021-27803): These vulnerabilities can lead to remote code execution and denial of service, particularly through Wi-Fi Direct searches and provision discovery requests. We don’t utilize WiFi direct in Netwitness.
•  jasper-libs (CVE-2021-3272, CVE-2021-26927, CVE-2021-26926, CVE-2020-27828): Issues include heap-based buffer over-reads, null pointer dereferences, out-of-bounds reads, and arbitrary out-of-bounds writes, potentially leading to crashes and information disclosure.
• libtiff (Multiple CVEs): Vulnerabilities such as heap-based buffer overflows, integer overflows, and memory allocation failures can lead to arbitrary code execution and denial of service.
• libwayland (CVE-2021-3782): This vulnerability can lead to denial of service through improper handling of certain inputs.

Exploiting these vulnerabilities typically requires elevated privileges, which means an attacker would need significant access to the system to leverage these flaws. However, to maintain the security posture of the system, it is crucial to remove these packages.

Potential for Exploitation

The vulnerabilities associated with the persistent RPM packages can be exploited by malicious actors to gain unauthorized access to the system, execute arbitrary code, or cause denial-of-service conditions. While these packages are not actively used in product NETWITNESS, their presence increases the attack surface. Exploitation generally requires elevated privileges, making it more challenging for attackers but still a significant risk.

Level of Risk Incurred and Introduced

The level of risk incurred by the presence of these packages is moderate to high due to the critical nature of the vulnerabilities. Even though the packages are not actively used by product NETWITNESS, their mere presence on the system increases the attack surface and potential for exploitation, especially if an attacker gains elevated privileges.
By not removing these unnecessary packages, the risk introduced to the system includes potential exploitation of known vulnerabilities, leading to unauthorized access, data breaches, and other security incidents. It is essential to mitigate this risk by ensuring these packages are removed during the upgrade process.

Affected Versions

Only the following NetWitness versions are impacted: 12.4.0.0, 12.4.1.0, 12.4.2.0, 12.5.0.0

Mitigation Steps

Remove Unnecessary Packages: Execute the following command to remove the identified packages:

• salt '*' cmd.run "dnf remove -y jasper-libs libwayland* libtiff wpa_supplicant"

Warning: Do not execute this command on NETWITNESS versions below 12.4, as these packages are required in those versions and removing them might impact the functionality of NETWITNESS. Additionally, do not execute the salt command in NETWITNESS setup in mixed mode. Execute the dnf command only on appliances where the issue is reported.

Verify Removal: Ensure that the packages have been successfully removed by checking the package list:

• rpm -qa | grep <package-name>

The fix for this issue will be part of version 12.5.1. Customers are advised to upgrade to NETWITNESS version 12.5.1 when it is released.

EOPS Policy

NetWitness has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.

Legal Information

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact NetWitness Customer Support. RSA Security LLC and its affiliates distribute RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information.

RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement.

In no event shall RSA, its affiliates or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.