| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 05 Sep 2020 15:09:24 +0000 From: AdaptiveSecurity Consulting via Fulldisclosure <fulldisclosure@...lists.org> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] Hyland OnBase 19.x and below - DLL Hijacking CVSSv3.1 Score ------------------------------------------------- AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Vendor ------------------------------------------------- Hyland Software - (https://www.hyland.com/en/ and https://www.onbase.com/en/) Product ------------------------------------------------- Hyland OnBase All derivatives based on OnBase Versions Affected ------------------------------------------------- All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 (tested: 18.0.0.32). OnBase Foundation EP2 and OnBase Foundation EP3 were not available to test, but Hyland's response indicates that they are not likely to have fixed the vulnerabilities. Credit ------------------------------------------------- Adaptive Security Consulting Vulnerability Summary ------------------------------------------------- Hyland OnBase's clients and server are vulnerable to DLL hijacking. Technical Details ------------------------------------------------- The Hyland OnBase web client, Unity Client, and server are vulnerable to DLL hijacking. While some DLLs are signed, the signatures aren't validated during runtime allowing attackers to modify, replace, or even insert DLLs into the installation folder. OnBase will then dynamically load all DLLs including any newly created ones. This vulnerability can be coupled with any of the path traversal vulnerabilities to remotely upload malicious DLLs to the OnBase server. Attackers may exploit this to bypass OnBase security, plant backdoors, or escalate privileges. Solution ------------------------------------------------- Unfortunately, attempts to notify Hyland of the vulnerabilities have been rebuffed as not being something that they have to fix since fixing vulnerabilities, according to the Director of Application Security, is "creating custom code" and no known fix is in place. Timeline ------------------------------------------------- 07 May 2019 - Adaptive Security Consulting discovered a series of vulnerabilities in medical records management and search applications being considered by our client 15 May 2019 - The client was provided with the results of the assessment, including POCs for a number of high and critical vulnerabilities 12 July 2019 - Client asked for more information and demonstrations 01 October 2019 - Client asked to test latest version of Hyland software 15 October 2019 - Client was informed that EP1 contained many of the same vulnerabilities March 2020 - Client contacted Hyland and spoke with the Director of Application Security who said that fixing vulnerabilities was "writing custom code" and that Hyland "doesn't write custom code" 21 April 2020 - Adaptive Security Consulting attempted to contact Hyland's Application Security Team via email on behalf of client, but attempts were ignored _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists