CVE-2020-25834

Vulnerability

Micro Focus ArcSight Logger version 7.1 contains a stored cross-site scripting (XSS) vulnerability in its web interface on TCP port 9000. The software fails to sanitize log event data received from Syslog messages. An attacker can send a crafted Syslog message containing HTML or JavaScript payloads to the ArcSight Connector (TCP/UDP 514), which is then parsed, stored, and displayed in the Logger web interface, resulting in stored XSS [1].

Exploitation

An attacker must have network access to the ArcSight Connector's Syslog port (TCP/UDP 514) from a system on the same network. Using a standard logger command or any UDP/TCP Syslog client, the attacker sends a message containing a malicious payload, for example: logger -n -P 514 -T "". The Connector forwards the event to ArcSight Logger, where the payload is stored and executed when an administrator views the log entry in the web interface. No authentication is required to send Syslog messages [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the Logger web interface. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites, potentially compromising the SIEM management console [1].

Mitigation

Micro Focus released a patch for ArcSight Logger in version 7.1.1. Users should upgrade to v7.1.1 or later as soon as possible. No workaround is available beyond restricting Syslog source IP addresses via firewall rules to trusted hosts only [1].