Headline
CVE-2020-25248: Full Disclosure: Hyland OnBase 19.x and below
An issue was discovered in Hyland OnBase through 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Directory traversal exists for reading files, as demonstrated by the FileName parameter.
Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev
Full Disclosure mailing list archives****Hyland OnBase 19.x and below - Path Traversal
From: AdaptiveSecurity Consulting via Fulldisclosure <fulldisclosure () seclists org>
Date: Sat, 05 Sep 2020 16:01:38 +0000
CVSSv3.1 Score
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vendor
Hyland Software - (https://www.hyland.com/en/ and https://www.onbase.com/en/)
Product
Hyland OnBase All derivatives based on OnBase
Versions Affected
All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 (tested: 18.0.0.32). OnBase Foundation EP2 and OnBase Foundation EP3 were not available to test, but Hyland’s response indicates that they are not likely to have fixed the vulnerabilities.
Credit
Adaptive Security Consulting
Vulnerability Summary
The Hyland OnBase server is vulnerable to path traversal allowing attackers to read and write to arbitrary files on the server.
Technical Details
The Hyland OnBase server fails to properly sanitize and escape user input allowing path traversal on the OnBase server. Multiple methods were found that directly concatinate user input into local file system calls without validation. Two separate types exist, read-only and write or append-only, allowing remote attackers who send SOAP calls directly to vulnerable methods using vulnerable parameters (typically “FileName”).
Seven read-only instances and twelve write or append-only instances were found allowing the attacker to read configuration data and arbitrary files across the server and append, create, and write to arbitrary files on the server, including uploading malicious DLLs and backdoors.
Solution
Unfortunately, attempts to notify Hyland of the vulnerabilities have been rebuffed as not being something that they have to fix since fixing vulnerabilities, according to the Director of Application Security, is “creating custom code” and no known fix is in place. Run the Hyland OnBase server in a restricted environment under a service account that can only access those files required to operate. Restrict the ability of the service account to write to files to the greatest extent possible.
Timeline
07 May 2019 - Adaptive Security Consulting discovered a series of vulnerabilities in medical records management and search applications being considered by our client 15 May 2019 - The client was provided with the results of the assessment, including POCs for a number of high and critical vulnerabilities 12 July 2019 - Client asked for more information and demonstrations 01 October 2019 - Client asked to test latest version of Hyland software 15 October 2019 - Client was informed that EP1 contained many of the same vulnerabilities March 2020 - Client contacted Hyland and spoke with the Director of Application Security who said that fixing vulnerabilities was “writing custom code” and that Hyland “doesn’t write custom code” 21 April 2020 - Adaptive Security Consulting attempted to contact Hyland’s Application Security Team via email on behalf of client, but attempts were ignored
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Hyland OnBase 19.x and below - Path Traversal AdaptiveSecurity Consulting via Fulldisclosure (Sep 07)