[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Hyland OnBase 19.x and below - Insufficient Authorization (Client-Side Enforcement of Server-Side Security)

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] Hyland OnBase 19.x and below - Insufficient Authorization (Client-Side Enforcement of Server-Side Security)
From: AdaptiveSecurity Consulting via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
Date: Sat, 05 Sep 2020 10:09:54 +0000

CVSSv3.1 Score
-------------------------------------------------
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vendor
-------------------------------------------------
Hyland Software - (https://www.hyland.com/en/ and https://www.onbase.com/en/)

Product
-------------------------------------------------
Hyland OnBase
All derivatives based on OnBase

Versions Affected
-------------------------------------------------
All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and 
OnBase 18 (tested: 18.0.0.32). OnBase Foundation EP2 and OnBase Foundation EP3 
were not available to test, but Hyland's response indicates that they are not 
likely to have fixed the vulnerabilities, especially given how numerous the 
instances of authorization bypass are.

Credit
-------------------------------------------------
Adaptive Security Consulting

Vulnerability Summary
-------------------------------------------------
Because Hyland OnBase largely relies on client-side validation, the server-side 
contains a number of critical authorization bypass vulnerabilities, allowing 
both unauthenticated and underprivileged users access to administrative and 
non-administrative actions. All users are able to read and write to arbitrary 
medical record without proper permission, unauthenticated users including those 
who are not authenticated can leverage administrative functions to read or 
modify the server's configuration, and any user can get the list of 
administrators and even modify their own permissions. All versions of OnBase 
were found to be equally vulnerable.

Technical Details
-------------------------------------------------
OnBase's reliance on client-side validation means that most server-side methods 
fail to properly check a user's authorization before allowing them access to 
the functionality. By directly accessing the server attackers can bypass 
client-side authorization, executing almost any action. In some cases, the 
OnBase server appears to check the user's authorization after performing the 
action or carries out the action even though it has verified that the user does 
not have the appropriate permissions. In other instances, the OnBase server 
fails to even verify that the user is authenticated. Administrative 
functionality, such as getting the list of all users, getting all user data, 
adding users, removing users, and modifying permissions are all accessable by 
unauthorized users through direct calls to the OnBase server. Server 
administrative functions also fail to properly validate a user's credentials, 
allowing both unauthorized and unauthenticated users to reconfigure the SQL 
server
  that On
 Base uses, grab the list of all configured DCNs, add custom filters, and other 
actions. Unauthorized users could even access medical record information or 
patient data by directly querying the OnBase server.

Solution
-------------------------------------------------
Unfortunately, attempts to notify Hyland of the vulnerabilities have been 
rebuffed as not being something that they have to fix since fixing 
vulnerabilities, according to the Director of Application Security, is 
"creating custom code" and no known fix is in place. It is recommended that 
users try to mitigate the vulnerability by ensuring that the OnBase server is 
inaccessible to anyone other than trusted users.

Timeline
-------------------------------------------------
07 May 2019 - Adaptive Security Consulting discovered a series of 
vulnerabilities in medical records management and
search applications being considered by our client
15 May 2019 - The client was provided with the results of the assessment, 
including POCs for a number of high and
critical vulnerabilities
12 July 2019 - Client asked for more information and demonstrations
01 October 2019 - Client asked to test latest version of Hyland software
15 October 2019 - Client was informed that EP1 contained many of the same 
vulnerabilities
March 2020 - Client contacted Hyland and spoke with the Director of Application 
Security who said that fixing vulnerabilities was "writing custom code" and 
that Hyland "doesn't write custom code"
21 April 2020 - Adaptive Security Consulting attempted to contact Hyland's 
Application Security Team via email on behalf of client, but attempts were 
ignored

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Open Source Tool | vPrioritization | Risk Prioritization Framework
Next by Date: [FD] Hyland OnBase 19.x and below - Log Injection And Denial Of Service
Previous by thread: [FD] Open Source Tool | vPrioritization | Risk Prioritization Framework
Next by thread: [FD] Hyland OnBase 19.x and below - Log Injection And Denial Of Service
Index(es):
- Date
- Thread