1. Introduction
EMC RSA Archer versions prior to 6.7.0.3 (6.7 P3) and 6.6.0.6 are affected by multiple vulnerabilities, including URL injection and redirection flaws. These issues could allow an attacker to execute malicious JavaScript or redirect users to phishing sites. This affects organisations using the RSA Archer application for governance, risk and compliance management. A successful exploit could compromise confidentiality, integrity, and availability of data within the application.
2. Technical Explanation
The vulnerabilities stem from insufficient input validation in EMC RSA Archer prior to specific patch levels. An unauthenticated attacker can inject malicious URLs into the application, leading to either code execution or redirection. CVE-2020-5336 details a URL injection vulnerability and CVE-2020-5337 describes a URL redirection flaw.
- Root cause: Missing input validation allows arbitrary JavaScript code to be executed within the web application context, or malicious URLs to be injected.
- Exploit mechanism: An attacker crafts a malicious link containing the injected payload and tricks a user into clicking it. This can happen via phishing emails or compromised websites.
- Scope: EMC RSA Archer versions < 6.5.0.7, < 6.6.0.6 and < 6.7.0.1 are affected.
3. Detection and Assessment
To confirm exposure, compare the installed RSA Archer version against the fixed builds listed above. A thorough assessment also involves scanning with a vulnerability scanner.
- Quick checks: Check the application ‘About’ page or server configuration files for the installed version number.
- Scanning: Nessus plugin ID 9524eeb5 can identify these vulnerabilities. This is an example only; other scanners may also provide detection.
- Logs and evidence: Review web server access logs for suspicious URL parameters or JavaScript code in requests.
# Example command placeholder:
# No specific command available, check application version via UI.
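An added Python example (not from this advisory or from RSA) that implements the two checks above: a branch-aware version comparison against the fixed builds this advisory names (using 6.7.0.3 for the 6.7 branch, as sections 1 and 4 do), and a triage pass over access-log lines that flags query parameters carrying script markup or absolute URLs that point off the application's own hosts. The host names, paths, parameter names and log lines are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit
# Fixed build per release branch, from the advisory text (6.7.0.3 per sections 1 and 4).
FIXED = {(6, 5): (6, 5, 0, 7), (6, 6): (6, 6, 0, 6), (6, 7): (6, 7, 0, 3)}

def parse_version(text):
    """'6.6.0.5' -> (6, 6, 0, 5); missing fields are padded with 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:4]
    return tuple(parts + [0] * (4 - len(parts)))

def is_vulnerable(version_text):
    """True when the build is below its branch's fix; >6.7 counts as fixed, <6.5 as vulnerable."""
    v = parse_version(version_text)
    return v < FIXED[v[:2]] if v[:2] in FIXED else v[:2] < (6, 5)

SCRIPTY = re.compile(r"<\s*script|javascript:|\bon(?:load|error|click|focus|mouse\w+)\s*=", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def suspicious_params(url, own_hosts):
    """(param, reason) pairs for script markup or absolute URLs off the application's own hosts."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = unquote(value)  # parse_qsl decoded once; this also catches double encoding
        if SCRIPTY.search(value):
            findings.append((name, "script-like content"))
        elif value.lower().startswith(("http://", "https://", "//")):
            target = urlsplit(value if "://" in value else "https:" + value)
            host = (target.hostname or "").lower()
            if host not in own_hosts:
                findings.append((name, "external redirect target " + host))
    return findings

def triage_log(log_text, own_hosts):
    """Return (line_no, request, findings) for each access-log line that hits."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST.search(line)
        findings = suspicious_params(m.group(1), own) if m else []
        if findings:
            hits.append((n, m.group(1), findings))
    return hits

# Constructed sample lines, not real Archer traffic; paths and parameter names are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2020:10:00:01 +0000] "GET /archer/login.aspx?returnUrl=https://archer.example.internal/home HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2020:10:00:07 +0000] "GET /archer/login.aspx?returnUrl=//evil.example.net/login HTTP/1.1" 302 0
10.0.0.9 - - [01/Mar/2020:10:00:09 +0000] "GET /archer/search.aspx?q=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 2048
"""
```

Running `triage_log(SAMPLE_LOG, {"archer.example.internal"})` flags lines 2 and 3; line 1 redirects to the application's own host and is left alone.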
4. Solution / Remediation Steps
Apply the latest patch from the vendor to address these vulnerabilities.
4.1 Preparation
- A change window may be required, depending on your organisation’s policies. Approval from security or IT management might be needed.
4.2 Implementation
- Step 1: Download the latest RSA Archer patch (version 6.7.0.3 or later) from the vendor’s support portal.
- Step 2: Stop the RSA Archer application service.
- Step 3: Install the downloaded patch following the vendor’s instructions.
- Step 4: Start the RSA Archer application service.
4.3 Config or Code Example
Before
# No config example available, this is a software patch.
After
# No config example available, this is a software patch.
4.4 Security Practices Relevant to This Vulnerability
Input validation and regular patching are key practices for preventing these types of issues.
- Practice 1: Input validation prevents malicious code from being injected into the application.
- Practice 2: A consistent patch cadence ensures timely updates and mitigates known vulnerabilities.
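Practice 1 in concrete form, as an added illustration and not Archer's own code: the flawed redirect pattern next to a hardened version that resolves the supplied target against the application's origin and only honours it when scheme and host still match, falling back to a fixed page otherwise. APP_BASE and FALLBACK are placeholder values.

```python
from urllib.parse import urljoin, urlsplit

APP_BASE = "https://archer.example.internal/"  # placeholder for the application's own origin
FALLBACK = "/home"                              # placeholder landing page

def unsafe_redirect_target(user_supplied):
    """The flawed pattern: whatever arrives in the request becomes the Location header."""
    return user_supplied or FALLBACK

def safe_redirect_target(user_supplied, base=APP_BASE, fallback=FALLBACK):
    """Hardened form: resolve the value against the app's origin and accept it only
    when scheme and host still match; anything else goes to the fixed fallback."""
    if not user_supplied or not user_supplied.strip():
        return fallback
    candidate = user_supplied.strip().replace("\\", "/")  # browsers treat '\' like '/'
    resolved = urlsplit(urljoin(base, candidate))
    origin = urlsplit(base)
    if resolved.scheme != origin.scheme or resolved.netloc.lower() != origin.netloc.lower():
        return fallback
    # Re-emit as a site-relative path so the response never echoes a host back.
    return (resolved.path or "/") + ("?" + resolved.query if resolved.query else "")
```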
4.5 Automation (Optional)
# No automation example available for this patch process.
5. Verification / Validation
Confirm the patch installation by checking the application version. Re-run vulnerability scans to verify the issue is resolved. Perform a smoke test of key functionality.
- Post-fix check: Check the application ‘About’ page and confirm the version is 6.7.0.3 or later.
- Re-test: Run Nessus plugin ID 9524eeb5 again; it should no longer report the vulnerability.
- Smoke test: Verify users can log in, access key reports, and perform standard tasks without issue.
- Monitoring: Monitor web server logs for any unexpected errors or suspicious activity.
# Post-fix command and expected output
# Application 'About' page shows version 6.7.0.3 (or later)
6. Preventive Measures and Monitoring
Update security baselines to include the latest patch levels. Implement regular vulnerability scanning in CI/CD pipelines.
- Baselines: Update your security baseline or policy to require RSA Archer version 6.7.0.3 or later.
- Pipelines: Add vulnerability scanning to your CI/CD pipeline to detect similar issues during development and deployment.
- Asset and patch process: Review and update the asset inventory and patch management processes to ensure timely updates for all applications.
7. Risks, Side Effects, and Roll Back
Patching may cause temporary service downtime or compatibility issues with other systems. Restore backups if needed.
- Risk or side effect 1: Patch installation could cause a brief service outage. Mitigate by scheduling during off-peak hours.
- Risk or side effect 2: Compatibility issues with custom integrations are possible. Test thoroughly in a non-production environment first.
- Roll back: Restore the RSA Archer database and configuration files from the pre-patch backup. Restart the application service.
8. References and Resources
- Vendor advisory or bulletin: https://support.rsa.com/support/knowledge/KBArticleDetails?articleNumber=000009364
- NVD or CVE entry: https://nvd.nist.gov/vuln/detail/CVE-2020-5336, https://nvd.nist.gov/vuln/detail/CVE-2020-5337
- Product or platform documentation relevant to the fix: https://documentation.rsa.com/en/products/archer/6-7/