[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Hyland OnBase 19.x and below - Hardcoded PKI Certificates And AES Key Material
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] Hyland OnBase 19.x and below - Hardcoded PKI Certificates And AES Key Material
- From: AdaptiveSecurity Consulting via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
- Date: Sat, 05 Sep 2020 11:24:45 +0000
CVSSv3.1 Score
-------------------------------------------------
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Vendor
-------------------------------------------------
Hyland Software - (https://www.hyland.com/en/ and https://www.onbase.com/en/)
Product
-------------------------------------------------
Hyland OnBase
All derivatives based on OnBase
Versions Affected
-------------------------------------------------
All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and
OnBase 18 (tested: 18.0.0.32). OnBase Foundation EP2 and OnBase Foundation EP3
were not available to test, but Hyland's response indicates that they are not
likely to have fixed the vulnerabilities.
Credit
-------------------------------------------------
Adaptive Security Consulting
Vulnerability Summary
-------------------------------------------------
Hyland OnBase contains a number of hardcoded key materials, such as constant,
hardcoded AES CBC initialization vectors and hardcoded PKI certificates.
Technical Details
-------------------------------------------------
Decompilation of the OnBase binaries found several hardcoded PKI certificates
and AES CBC IVs. The AES CBC IVs were often set to an array of 0s and
completely constant across all messages. Attackers can use these hardcoded
certificates, which included the pubic and private keys, to encrypt and decrypt
data. The use of hardcoded, non-changing CBC IV makes it easier for an attacker
to decrypt the ciphertext.
The IVs examined did not appear to change with the version of OnBase. Some
certificates changed between the two versions examined. The binaries did not
indicate that the keys or certificates varied from installation-to-installation.
Solution
-------------------------------------------------
Unfortunately, attempts to notify Hyland of the vulnerabilities have been
rebuffed as not being something that they have to fix since fixing
vulnerabilities, according to the Director of Application Security, is
"creating custom code" and no known fix is in place.
Timeline
-------------------------------------------------
07 May 2019 - Adaptive Security Consulting discovered a series of
vulnerabilities in medical records management and
search applications being considered by our client
15 May 2019 - The client was provided with the results of the assessment,
including POCs for a number of high and
critical vulnerabilities
12 July 2019 - Client asked for more information and demonstrations
01 October 2019 - Client asked to test latest version of Hyland software
15 October 2019 - Client was informed that EP1 contained many of the same
vulnerabilities
March 2020 - Client contacted Hyland and spoke with the Director of Application
Security who said that fixing vulnerabilities was "writing custom code" and
that Hyland "doesn't write custom code"
21 April 2020 - Adaptive Security Consulting attempted to contact Hyland's
Application Security Team via email on behalf of client, but attempts were
ignored
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/