CVE-2020-25251: Full Disclosure: Hyland OnBase 19.x and below

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

Full Disclosure mailing list archives****Hyland OnBase 19.x and below - Insufficient Authorization (Client-Side Enforcement of Server-Side Security)

From: AdaptiveSecurity Consulting via Fulldisclosure <fulldisclosure () seclists org>
Date: Sat, 05 Sep 2020 10:09:54 +0000

CVSSv3.1 Score

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vendor

Hyland Software - (https://www.hyland.com/en/ and https://www.onbase.com/en/)

Product

Hyland OnBase All derivatives based on OnBase

Versions Affected

All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 (tested: 18.0.0.32). OnBase Foundation EP2 and OnBase Foundation EP3 were not available to test, but Hyland’s response indicates that they are not likely to have fixed the vulnerabilities, especially given how numerous the instances of authorization bypass are.

Credit

Adaptive Security Consulting

Vulnerability Summary

Because Hyland OnBase largely relies on client-side validation, the server-side contains a number of critical authorization bypass vulnerabilities, allowing both unauthenticated and underprivileged users access to administrative and non-administrative actions. All users are able to read and write to arbitrary medical record without proper permission, unauthenticated users including those who are not authenticated can leverage administrative functions to read or modify the server’s configuration, and any user can get the list of administrators and even modify their own permissions. All versions of OnBase were found to be equally vulnerable.

Technical Details

OnBase’s reliance on client-side validation means that most server-side methods fail to properly check a user’s authorization before allowing them access to the functionality. By directly accessing the server attackers can bypass client-side authorization, executing almost any action. In some cases, the OnBase server appears to check the user’s authorization after performing the action or carries out the action even though it has verified that the user does not have the appropriate permissions. In other instances, the OnBase server fails to even verify that the user is authenticated. Administrative functionality, such as getting the list of all users, getting all user data, adding users, removing users, and modifying permissions are all accessable by unauthorized users through direct calls to the OnBase server. Server administrative functions also fail to properly validate a user’s credentials, allowing both unauthorized and unauthenticated users to reconfigure the SQL server that OnBase uses, grab the list of all configured DCNs, add custom filters, and other actions. Unauthorized users could even access medical record information or patient data by directly querying the OnBase server.

Solution

Unfortunately, attempts to notify Hyland of the vulnerabilities have been rebuffed as not being something that they have to fix since fixing vulnerabilities, according to the Director of Application Security, is “creating custom code” and no known fix is in place. It is recommended that users try to mitigate the vulnerability by ensuring that the OnBase server is inaccessible to anyone other than trusted users.

Timeline

07 May 2019 - Adaptive Security Consulting discovered a series of vulnerabilities in medical records management and search applications being considered by our client 15 May 2019 - The client was provided with the results of the assessment, including POCs for a number of high and critical vulnerabilities 12 July 2019 - Client asked for more information and demonstrations 01 October 2019 - Client asked to test latest version of Hyland software 15 October 2019 - Client was informed that EP1 contained many of the same vulnerabilities March 2020 - Client contacted Hyland and spoke with the Director of Application Security who said that fixing vulnerabilities was “writing custom code” and that Hyland “doesn’t write custom code” 21 April 2020 - Adaptive Security Consulting attempted to contact Hyland’s Application Security Team via email on behalf of client, but attempts were ignored

_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

• Hyland OnBase 19.x and below - Insufficient Authorization (Client-Side Enforcement of Server-Side Security) AdaptiveSecurity Consulting via Fulldisclosure (Sep 07)