exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Hyland OnBase Insufficient Logging

Hyland OnBase Insufficient Logging
Posted Sep 3, 2020
Authored by Adaptive Security Consulting

All versions up to and prior to Hyland OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 (tested: 18.0.0.32) suffer from an insufficient logging vulnerability due to client-side enforcement.

tags | advisory
SHA-256 | e2e4ea911a0df0f9d26138b96ced126c65fbab9a191f866f72aaa2ebe7f277f3

Hyland OnBase Insufficient Logging

Change Mirror Download
CVSSv3.1 Score
-------------------------------------------------
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Vendor
-------------------------------------------------
Hyland Software - (https://www.hyland.com/en/ and https://www.onbase.com/en/)

Product
-------------------------------------------------
Hyland OnBase
All derivatives based on OnBase

Versions Affected
-------------------------------------------------
All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 (tested: 18.0.0.32). OnBaseFoundation EP2 and OnBaseFoundation EP3 were not available to test, but Hyland's response indicates that they are not likely to have fixed the vulnerability.

Credit
-------------------------------------------------
Adaptive Security Consulting

Vulnerability Summary
-------------------------------------------------
Because Hyland OnBase largely relies on the client-side to log failures, most malicious attacks are not logged and attacks by malicious users who are using clients such as the Unity Client can simply drop the "log" request that is sent to the server. Additionally, client-side logging is virtually non-existent and server-side logging is almost exclusively of errors.

Technical Details
-------------------------------------------------
The OnBase system is improperly designed so that the client is responsible for specifically calling server-side logging mechanisms for a log entry to be written, allowing attackers to perform actions directly without the action being logged or to simply drop the client's log query, which is separate from the action query. Additionally, attackers are able to write arbitrary data to the server logs, including logging fake/spoofed attacks and denial of service attacks that bombard the logging mechanism with data.

For example, according to Hyland's website, OnBase is heavily used in the government, medical, and financial sectors, where detailed logging of events, such as a user accessing a medical record, are required by law. If an attacker or malicious user performs an action, the requested action is sent to the OnBase server, where it is performed. The server then responds, after which the client issues a request to log the now completed action.

In this example, a malicious user wants to see the medical record of a neighbor, but doesn't want the supervisor to know that this data is being looked at. The user tells the Unity client to open the record. The Unity client tells the server to retrieve the data. The server retrieves the data and then sends it to the Unity client. The Unity client displays the data and, as it is doing so, sends a request to the OnBase server to log that the data is now being viewed by the user. If the user simply drops this packet (it is a SOAP request and is easily dropped), the Unity client never knows, but more importantly, that the user is viewing the data is never logged anywhere. This architecture is pervasive across OnBase and the complete lack of logging on the client-side, as well as proper server-side logging (the server, upon receiving the request to retrieve the record should be logging the action), enables attackers, both authorized and unauthorized, to hide their malicious activities bo
th by simply "deleting" log entries (by dropping the log request) and by creating fake entries to either make it seem like someone else is performing the attack or to cause "log blindness" that hides the real malicious activity.

Solution
-------------------------------------------------
Unfortunately, attempts to notify Hyland of the vulnerabilities have been rebuffed as not being something that they have to fix since fixing vulnerabilities, according to the Director of Application Security, is "creating custom code" and no known fix is in place. It is recommended that users try to mitigate the vulnerability by ensuring that the OnBase server is inaccessible to anyone other than trusted users. No other mitigations are currently available.

Timeline
-------------------------------------------------
07 May 2019 - Adaptive Security Consulting discovered a series of vulnerabilities in medical records management and search applications being considered by our client
15 May 2019 - The client was provided with the results of the assessment, including POCs for a number of high and critical vulnerabilities
12 July 2019 - Client asked for more information and demonstrations
01 October 2019 - Client asked to test latest version of Hyland software
15 October 2019 - Client was informed that EP1 contained many of the same vulnerabilities
March 2020 - Client contacted Hyland and spoke with the Director of Application Security who said that fixing vulnerabilities was "writing custom code" and that Hyland "doesn't write custom code"
21 April 2020 - Adaptive Security Consulting attempted to contact Hyland's Application Security Team via email on behalf of client, but attempts were ignored


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close