When NetWitness is upgraded from a CentOS 7-based release to an AlmaLinux 8-based release, certain RPM packages that the AlmaLinux 8 build no longer requires are left installed on the system. These packages should be removed as part of the upgrade: they are not used by the product, but each carries published vulnerabilities, so leaving them in place needlessly widens the attack surface of the appliance.
CVE Identifier
wpa_supplicant: CVE-2021-0326, CVE-2021-27803
jasper-libs: CVE-2021-3272, CVE-2021-26927, CVE-2021-26926, CVE-2020-27828
libtiff: CVE-2020-35524, CVE-2020-35523, CVE-2020-35522, CVE-2020-35521, CVE-2020-19131, CVE-2022-22844, CVE-2022-1355, CVE-2022-0924, CVE-2022-0909, CVE-2022-0908, CVE-2022-0891, CVE-2022-0865, CVE-2022-0562, CVE-2022-0561, CVE-2022-3970, CVE-2022-3627, CVE-2022-48281, CVE-2023-0804, CVE-2023-0803, CVE-2023-0802, CVE-2023-0801, CVE-2023-0800
libwayland: CVE-2021-3782
Severity

CVE ID            Package Impacted   NVD Severity   Comment
CVE-2021-0326     wpa_supplicant     Major
CVE-2021-27803    wpa_supplicant     Major
CVE-2021-3272     jasper-libs        Moderate
CVE-2021-26927    jasper-libs        Moderate
CVE-2021-26926    jasper-libs        Major
CVE-2020-27828    jasper-libs        Major
CVE-2020-35524    libtiff            Major
CVE-2020-35523    libtiff            Major
CVE-2020-35522    libtiff            Moderate
CVE-2020-35521    libtiff            Moderate
CVE-2020-19131    libtiff            Major
CVE-2022-22844    libtiff            Moderate
CVE-2022-1355     libtiff            Moderate
CVE-2022-0924     libtiff            Moderate
CVE-2022-0909     libtiff            Moderate
CVE-2022-0908     libtiff            Moderate
CVE-2022-0891     libtiff            Major
CVE-2022-0865     libtiff            Moderate
CVE-2022-0562     libtiff            Moderate
CVE-2022-0561     libtiff            Moderate
CVE-2022-3970     libtiff            Major
CVE-2022-3627     libtiff            Moderate
CVE-2022-48281    libtiff            Moderate
CVE-2023-0804     libtiff            Moderate
CVE-2023-0803     libtiff            Moderate
CVE-2023-0802     libtiff            Moderate
CVE-2023-0801     libtiff            Moderate
CVE-2023-0800     libtiff            Moderate
CVE-2021-3782     libwayland         Moderate
Summary and Impact Analysis for NetWitness
The CentOS 7 packages that survive the upgrade to AlmaLinux 8 are no longer used by NetWitness, but each carries published vulnerabilities, so their presence is a security exposure in its own right.
wpa_supplicant (CVE-2021-0326, CVE-2021-27803): memory-safety flaws in the P2P (Wi-Fi Direct) code paths, reachable through Wi-Fi Direct searches and provision discovery requests, can lead to remote code execution or denial of service. NetWitness does not use Wi-Fi Direct.
jasper-libs (CVE-2021-3272, CVE-2021-26927, CVE-2021-26926, CVE-2020-27828): heap-based buffer over-reads, NULL pointer dereferences, out-of-bounds reads, and arbitrary out-of-bounds writes when decoding crafted images, potentially leading to crashes and information disclosure.
libtiff (multiple CVEs): heap-based buffer overflows, integer overflows, and unchecked memory allocation failures when parsing crafted TIFF data can lead to denial of service and, in some cases, arbitrary code execution.
libwayland (CVE-2021-3782): improper handling of certain inputs can lead to denial of service.
Because NetWitness does not exercise any of these packages, there is no product-facing path to the vulnerable code; exploiting these flaws would generally require an attacker who already holds elevated privileges on the appliance. Removing the packages is nevertheless the right course, since it eliminates the exposure rather than relying on that assumption.
Potential for Exploitation
An attacker able to reach these vulnerabilities could use them to gain unauthorized access, execute arbitrary code, or cause a denial-of-service condition on the appliance. NetWitness does not use the packages, so they are not reachable through normal product functionality, but their presence still enlarges the attack surface. Exploitation generally requires elevated privileges, which raises the bar for an attacker without removing the risk.
Level of Risk Incurred and Introduced
The risk incurred by leaving these packages installed is assessed as moderate to high, given the severity of the associated vulnerabilities. Although NetWitness does not use them, their presence increases the attack surface and the options available to an attacker who has already gained elevated privileges. Leaving them in place exposes the system to exploitation of known vulnerabilities, with unauthorized access, data breaches, and other security incidents as possible outcomes. The appropriate mitigation is to ensure the packages are removed during the upgrade.
Affected Versions
Only the following NetWitness versions are impacted: 12.4.0.0, 12.4.1.0, 12.4.2.0, 12.5.0.0
Mitigation Steps
Remove Unnecessary Packages: From the Salt master, run the following command to remove the identified packages on the targeted minions:
salt '*' cmd.run "dnf remove -y jasper-libs libwayland* libtiff wpa_supplicant"
Warning: Do not run this on NetWitness versions below 12.4; those releases still require these packages, and removing them can break product functionality. Because salt '*' targets every minion, do not use the Salt form in a mixed-mode deployment where some hosts are still below 12.4. In that case log on to each appliance where the issue is reported and run the dnf command there directly. Note also that dnf remove takes out any installed package that depends on the ones named; on the first appliance, run it without -y (or with --assumeno) so the transaction summary can be reviewed before anything is removed.
Verify Removal: Confirm that none of the packages remains installed. The following query should print nothing on a clean appliance; any line it prints is a package that still needs attention:
rpm -qa | grep -E '^(jasper-libs|libtiff|wpa_supplicant|libwayland)'
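The removal and verification steps above, as an added example (this is not NetWitness's own tooling): a POSIX sh script that performs the pre-checks the warning asks for, refusing to act unless the host is AlmaLinux 8 and the NetWitness version is 12.4 or later, then either shows the dnf transaction without committing it or removes the packages and verifies nothing survived. The package names and the libwayland* pattern are taken from the advisory's command. NW_VERSION is an assumed environment variable the operator exports with the appliance's NetWitness version, because the advisory does not say where that version is recorded on disk.

```shell
#!/bin/sh
# Added example, not NetWitness tooling: audit one appliance for the CentOS 7
# packages this advisory lists, and only remove them when the host really is
# AlmaLinux 8 running NetWitness 12.4 or later. NW_VERSION is an assumed
# environment variable the operator sets; the advisory does not state where
# the product version is recorded on disk.

# stdin: one installed package NAME per line (from: rpm -qa --qf '%{NAME}\n')
# stdout: the names from the advisory's removal list that are present, sorted.
# The libwayland* pattern mirrors the glob in the advisory's dnf command.
leftover_packages() {
    while IFS= read -r name; do
        case "$name" in
            jasper-libs|libtiff|wpa_supplicant|libwayland*) printf '%s\n' "$name" ;;
        esac
    done | sort -u
}

# $1: NetWitness version such as 12.4.1.0; succeeds only for 12.4 or later,
# the releases the advisory says no longer need these packages.
nw_version_ok() {
    case "$1" in *.*) ;; *) return 1 ;; esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -gt 12 ] || { [ "$major" -eq 12 ] && [ "$minor" -ge 4 ]; }
}

# stdin: contents of /etc/os-release; succeeds only on AlmaLinux 8.x, so the
# removal is never run on a host that is still on CentOS 7.
os_is_alma8() {
    id=''; ver=''
    while IFS= read -r line; do
        case "$line" in
            ID=*)         id=${line#ID=};          id=${id#\"};   id=${id%\"} ;;
            VERSION_ID=*) ver=${line#VERSION_ID=}; ver=${ver#\"}; ver=${ver%\"} ;;
        esac
    done
    [ "$id" = almalinux ] || return 1
    case "$ver" in 8|8.*) return 0 ;; *) return 1 ;; esac
}

# $1: "check" reports the leftovers and shows the dnf transaction without
# committing it; "apply" removes them and verifies that none survived.
# Both need root for dnf; run this on each affected appliance.
audit_appliance() {
    mode=$1
    os_is_alma8 < /etc/os-release || { echo "refusing: host is not AlmaLinux 8" >&2; return 2; }
    nw_version_ok "${NW_VERSION:-}" || { echo "refusing: NW_VERSION='${NW_VERSION:-}' is not 12.4 or later" >&2; return 2; }
    found=$(rpm -qa --qf '%{NAME}\n' | leftover_packages)
    if [ -z "$found" ]; then
        echo "no leftover CentOS 7 packages installed"
        return 0
    fi
    echo "leftover packages:"; printf '  %s\n' $found
    case "$mode" in
        check)
            # --assumeno prints the full transaction, including any dependent
            # packages dnf would also remove, then aborts with a non-zero exit.
            dnf remove --assumeno $found || true ;;
        apply)
            dnf remove -y $found || return 1
            still=$(rpm -qa --qf '%{NAME}\n' | leftover_packages)
            [ -z "$still" ] || { echo "still installed after removal: $still" >&2; return 1; }
            echo "removed and verified" ;;
        *)  echo "usage: $0 check|apply" >&2; return 2 ;;
    esac
}

case "${1:-}" in check|apply) audit_appliance "$1" ;; esac
```

Run `sh nw-leftovers.sh check` first: the dnf transaction it prints is where you would see any package that depends on these libraries and would be removed alongside them. Then run `NW_VERSION=12.4.1.0 sh nw-leftovers.sh apply` as root with the version of that appliance. Because the script only ever acts on the host it runs on, it is also the form to use in a mixed-mode deployment, where the advisory says not to target all minions at once.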
The fix for this issue will be part of version 12.5.1. Customers are advised to upgrade to NETWITNESS version 12.5.1 when it is released.
EOPS Policy
NetWitness has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.
Legal Information
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact NetWitness Customer Support. RSA Security LLC and its affiliates distribute RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information.
RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement.
In no event shall RSA, its affiliates or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.