what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Hyland OnBase Hardcoded Secrets

Hyland OnBase Hardcoded Secrets
Posted Sep 8, 2020
Authored by Adaptive Security Consulting

All versions up to and prior to Hyland OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 (tested: 18.0.0.32) suffer from having hardcoded PKI certificates and AES key material.

tags | advisory
SHA-256 | bc727c3205ab555062293ad759e22da0cf8f20c066816e52a61482e53fa247cf

Hyland OnBase Hardcoded Secrets

Change Mirror Download
CVSSv3.1 Score
-------------------------------------------------
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Vendor
-------------------------------------------------
Hyland Software - (https://www.hyland.com/en/ and https://www.onbase.com/en/)

Product
-------------------------------------------------
Hyland OnBase
All derivatives based on OnBase

Versions Affected
-------------------------------------------------
All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 (tested: 18.0.0.32). OnBase Foundation EP2 and OnBase Foundation EP3 were not available to test, but Hyland's response indicates that they are not likely to have fixed the vulnerabilities.

Credit
-------------------------------------------------
Adaptive Security Consulting

Vulnerability Summary
-------------------------------------------------
Hyland OnBase contains a number of hardcoded key materials, such as constant, hardcoded AES CBC initialization vectors and hardcoded PKI certificates.

Technical Details
-------------------------------------------------
Decompilation of the OnBase binaries found several hardcoded PKI certificates and AES CBC IVs. The AES CBC IVs were often set to an array of 0s and completely constant across all messages. Attackers can use these hardcoded certificates, which included the pubic and private keys, to encrypt and decrypt data. The use of hardcoded, non-changing CBC IV makes it easier for an attacker to decrypt the ciphertext.

The IVs examined did not appear to change with the version of OnBase. Some certificates changed between the two versions examined. The binaries did not indicate that the keys or certificates varied from installation-to-installation.

Solution
-------------------------------------------------
Unfortunately, attempts to notify Hyland of the vulnerabilities have been rebuffed as not being something that they have to fix since fixing vulnerabilities, according to the Director of Application Security, is "creating custom code" and no known fix is in place.

Timeline
-------------------------------------------------
07 May 2019 - Adaptive Security Consulting discovered a series of vulnerabilities in medical records management and
search applications being considered by our client
15 May 2019 - The client was provided with the results of the assessment, including POCs for a number of high and
critical vulnerabilities
12 July 2019 - Client asked for more information and demonstrations
01 October 2019 - Client asked to test latest version of Hyland software
15 October 2019 - Client was informed that EP1 contained many of the same vulnerabilities
March 2020 - Client contacted Hyland and spoke with the Director of Application Security who said that fixing vulnerabilities was "writing custom code" and that Hyland "doesn't write custom code"
21 April 2020 - Adaptive Security Consulting attempted to contact Hyland's Application Security Team via email on behalf of client, but attempts were ignored


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close