Improper Authentication in Tripwire Enterprise 9.1 APIs

FI-2024-006 - Improper Authentication in Tripwire Enterprise 9.1 APIs

Severity
Critical
Published Date
03-Jun-2024
Updated Date
03-Jun-2024
Vulnerabilities
CVE-2024-4332
Notes
Description

An authentication bypass vulnerability has been identified in the REST and SOAP API components of Tripwire Enterprise (TE) 9.1.0 when TE is configured to use LDAP/Active Directory SAML authentication and its optional "Auto-synchronize LDAP Users, Roles, and Groups" feature is enabled. This vulnerability allows unauthenticated attackers to bypass authentication if a valid username is known. Exploitation of this vulnerability could allow remote attackers to gain privileged access to the APIs and lead to unauthorized information disclosure or modification.


Vulnerabilities

Improper Authentication in Tripwire Enterprise 9.1 APIs
Severity
Critical
CVE
CVE-2024-4332
CWE
CWE-303: Incorrect Implementation of Authentication Algorithm
Discovery Date
25-Apr-2024
CVSSv3.1
9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products
Tripwire Enterprise 9.1.0
Vulnerability Notes
Other

Tripwire ExpertOps was not affected by this vulnerability

Remediation: Vendor Fix

Upgrade to Tripwire Enterprise 9.1.1 to remediate this vulnerability.

If you are using the LDAP/Active Directory system login method with "Auto Synchronize LDAP Users, Roles, and Groups" checked and are unable to upgrade, the issue may be mitigated by disabling "Auto Synchronize LDAP Users, Roles, and Groups" in the Settings manager under the "Login Method". While this will mitigate the vulnerability, it will also disable API access. To continue using the TE APIs, you will need to upgrade or choose a different login method.

Users who have not enabled Auto Synchronize are unaffected, as are those who are on versions prior to 9.1.0. However, Fortra strongly recommends upgrading to the latest release.

References