[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Hyland OnBase 19.x and below - SQL Injection

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] Hyland OnBase 19.x and below - SQL Injection
From: Adaptive Security Consulting via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
Date: Wed, 02 Sep 2020 14:50:46 +0000

CVSSv3.1 Score
-------------------------------------------------
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vendor
-------------------------------------------------
Hyland Software - (https://www.hyland.com/en/ and https://www.onbase.com/en/)

Product
-------------------------------------------------
Hyland OnBase
All derivatives based on OnBase

Versions Affected
-------------------------------------------------
All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and 
OnBase 18 (tested: 18.0.0.32). OnBase Foundation EP2 and OnBase Foundation EP3 
were not available to test, but Hyland's response indicates that they are not 
likely to have fixed the vulnerabilities, especially given how numerous the 
instances of SQL injection are.

Credit
-------------------------------------------------
Adaptive Security Consulting

Vulnerability Summary
-------------------------------------------------
Because Hyland OnBase largely relies on client-side validation, the server-side 
contains a number of critical SQL injection vulnerabilities, including 
Connection String injection, that allow remote users to execute arbitrary SQL 
queries as the database administrator. Additionally, the Connection String 
injection vulnerabilities allow unauthenticated users to connect OnBase to 
arbitrary SQL servers and execute arbitrary commands as the database 
administrator. An attacker may leverage these vulnerabilities to modify, 
delete, insert, or read arbitrary data inside the database, to probe backend 
services, to connect OnBase to a malicious or attacker-controlled SQL server, 
and other tasks.

Technical Details
-------------------------------------------------
OnBase 18 contains a number of direct string concatenations to form SQL queries 
and contains considerably more SQL injection flaws than 19 and above, however, 
all versions contain string concatenations within a series of important and 
unprotected actions, such as: TestConnection_LocalOrLinkedServer, 
CreateFilterFriendlyView, and AddWorkViewLinkedServer. By sending a SOAP 
request to the OnBase server querying the vulnerable service method and using 
the injection point any user can execute arbitrary SQL queries as the SQL 
administrator. In total, over fifty vulnerable methods were found in OnBase 19, 
and several hundred in OnBase 18, with many methods containing multiple 
vulnerable parameters (e.g. "TableName", "ColumnName", "Name", "UserId", and 
"Password"). Several of the vulnerable methods do not require the user to be 
authenticated, most allowed any authenticated user to access them, and a few 
were only available to people with special (but not administrative) permissions.

Solution
-------------------------------------------------
Unfortunately, attempts to notify Hyland of the vulnerabilities have been 
rebuffed as not being something that they have to fix since fixing 
vulnerabilities, according to the Director of Application Security, is 
"creating custom code" and no known fix is in place. It is recommended that 
users try to mitigate the vulnerability by ensuring that the OnBase server is 
inaccessible to anyone other than trusted users and that a WAF be used (note 
that OnBase can use "optimized" communication that is pure binary -- if this is 
used, it will be much harder to configure the WAF to protect against these 
vulnerabilities).

Timeline
-------------------------------------------------
07 May 2019 - Adaptive Security Consulting discovered a series of 
vulnerabilities in medical records management and search applications being 
considered by our client
15 May 2019 - The client was provided with the results of the assessment, 
including POCs for a number of high and critical vulnerabilities
12 July 2019 - Client asked for more information and demonstrations
01 October 2019 - Client asked to test latest version of Hyland software
15 October 2019 - Client was informed that EP1 contained many of the same 
vulnerabilities
March 2020 - Client contacted Hyland and spoke with the Director of Application 
Security who said that fixing vulnerabilities was "writing custom code" and 
that Hyland "doesn't write custom code"
21 April 2020 - Adaptive Security Consulting attempted to contact Hyland's 
Application Security Team via email on behalf of client, but attempts were 
ignored

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] SEC Consult SA-20200902-0 :: Multiple Vulnerabilities in Red Lion N-Tron 702-W, Red Lion N-Tron 702M12-W
Next by Date: [FD] Hyland OnBase 19.x and below - Insufficient Logging (Client-Side Enforcement of Server-Side Security)
Previous by thread: [FD] SEC Consult SA-20200902-0 :: Multiple Vulnerabilities in Red Lion N-Tron 702-W, Red Lion N-Tron 702M12-W
Next by thread: [FD] Hyland OnBase 19.x and below - Insufficient Logging (Client-Side Enforcement of Server-Side Security)
Index(es):
- Date
- Thread