CVE-2017-14358 in ArcSight ESM
Summary
by MITRE
A URL redirection to untrusted site vulnerability in HP ArcSight ESM and HP ArcSight ESM Express, in any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1. This vulnerability could be exploited remotely to allow URL redirection to an untrusted site.
Analysis
by VulDB Data Team • 01/05/2023
CVE-2017-14358 is a critical security flaw in HP ArcSight Enterprise Security Manager (ESM) and HP ArcSight ESM Express. It affects every 6.x release before the patch levels named in the summary, a significant risk for organizations that rely on these platforms for security information and event management. The vulnerability manifests as an insecure direct object reference that lets an attacker manipulate the URL redirection mechanism in the application's user interface.
The flaw stems from insufficient validation of URL parameters in the application's redirection functionality. When a user interacts with certain web-based components of ArcSight ESM, the server does not sanitize or validate an externally supplied URL before redirecting to it. An attacker can therefore craft a URL that sends the victim to an untrusted third-party domain with no security check or user confirmation. The affected components are those of the web interface that handle navigation and external link processing, which makes the issue most dangerous where administrators or users can be tricked into clicking a malicious link.
Operationally, the main risk is phishing and credential theft. An attacker can craft a URL that looks legitimate because it points at the ArcSight interface but that redirects to a site built to capture credentials or deliver malware. Because exploitation is remote, the attacker needs neither physical access to the network nor administrative privileges. Organizations running affected versions are most exposed during routine administrative work, when users may encounter phishing links, or when an attacker compromises a legitimate administrative session. The impact can extend beyond credential theft to broader network compromise if the destination site exploits other vulnerabilities present in the victim's environment.
The immediate mitigation is to apply the vendor patches for both the 6.9.1c and 6.11.0 version lines named in the advisory. Network segmentation and monitoring of web traffic can surface suspicious redirection attempts, and user education should stress verifying a URL's destination before clicking it. The weakness is CWE-601 URL Redirection to Untrusted Site, which covers improper URL validation and redirection mechanisms. It intersects with ATT&CK techniques such as T1566 Phishing and T1071.004 Application Layer Protocol: Web Protocols, so it is especially concerning for organizations without current patch management. While patches are being deployed, a web application firewall and network access controls can limit exposure; remote exploitability makes the flaw attractive to automated attack tools and to threat actors seeking to compromise security monitoring infrastructure.
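The two practitioner-facing points above, validating a redirect target before honouring it and spotting off-site redirect parameters in web traffic, are shown together below. This is an added example written for this page; it is not ArcSight code and says nothing about how ESM implements its redirects. The parameter names (`redirect`, `url`, `next`, `returnUrl`), the trusted host `esm.example.internal`, and the access-log lines are all constructed assumptions. The weak check `unsafe_is_local` is the kind of test that lets CWE-601 through; `is_safe_redirect` is the allowlist-based replacement, and `find_offsite_redirects` runs the same check over log lines as a detection signal.

```python
"""Open-redirect (CWE-601) target validation plus a log-side detection check.

Added example; not ArcSight code. Host names, parameter names and log lines
are constructed assumptions, not values from the advisory.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed: the only host(s) this application is allowed to redirect to.
TRUSTED_HOSTS = {"esm.example.internal"}


def unsafe_is_local(target: str) -> bool:
    """The weak check many redirect handlers start with: 'no scheme, so it
    must be a relative path'. It accepts '//evil.example/', which browsers
    treat as an absolute URL on the current scheme."""
    return "://" not in target


def is_safe_redirect(target: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Accept only same-site relative paths or absolute http(s) URLs whose
    host is exactly on the allowlist. Each rejection below closes a known
    bypass of naive checks."""
    if not target:
        return False
    # Decode once so '%2F%2Fevil' is seen for what it is, and normalise
    # backslashes, which browsers treat as forward slashes.
    t = unquote(target).replace("\\", "/").strip()
    if any(c in t for c in "\r\n\t\x00"):
        return False                        # control chars: header injection
    try:
        parts = urlsplit(t)
    except ValueError:                      # e.g. malformed IPv6 literal
        return False
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return False                    # javascript:, data:, ...
        host = (parts.hostname or "").lower()
        return host in trusted_hosts        # exact match, never endswith()
    if parts.netloc:
        return False                        # scheme-relative '//evil.example'
    # Relative path: a single leading '/' only.
    return parts.path.startswith("/") and not parts.path.startswith("//")


# Constructed access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jan/2023:10:00:01 +0000] "GET /logon?redirect=%2Fdashboard HTTP/1.1" 302 0
10.0.0.9 - - [05/Jan/2023:10:00:02 +0000] "GET /logon?redirect=%2F%2Fevil.example%2Fphish HTTP/1.1" 302 0
10.0.0.9 - - [05/Jan/2023:10:00:03 +0000] "GET /logon?redirect=https%3A%2F%2Fesm.example.internal%2Fhome HTTP/1.1" 302 0
10.0.0.9 - - [05/Jan/2023:10:00:04 +0000] "GET /logon?redirect=https%3A%2F%2Fesm.example.internal%40evil.example%2F HTTP/1.1" 302 0
"""

REQ_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})'
)
# Assumed parameter names that commonly carry a post-login destination.
REDIRECT_PARAMS = ("redirect", "url", "next", "returnUrl")


def find_offsite_redirects(log_text: str):
    """Return (client, timestamp, param, target) for requests whose redirect
    parameter names a destination is_safe_redirect would reject. This is
    the log-side signal behind 'monitor web traffic for suspicious
    redirection attempts'."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        client, ts, path, _status = m.groups()
        query = urlsplit(path).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name not in REDIRECT_PARAMS:
                continue
            for value in values:            # parse_qs already percent-decodes
                if not is_safe_redirect(value):
                    hits.append((client, ts, name, value))
    return hits


if __name__ == "__main__":
    for hit in find_offsite_redirects(SAMPLE_LOG):
        print("off-site redirect:", hit)
```

The validator matches the host exactly rather than with a suffix test, because `esm.example.internal.evil.example` is a different host, and it reads the host from `hostname` so that userinfo tricks like `trusted@evil.example` resolve to the real destination. The log scan runs the same function over decoded query values, so whatever policy the application enforces is the policy the detection checks against.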