CVSSv3.1 Score
-------------------------------------------------
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Vendor
-------------------------------------------------
Hyland Software - (https://www.hyland.com/en/ and https://www.onbase.com/en/)
Product
-------------------------------------------------
Hyland OnBase
All derivatives based on OnBase
Versions Affected
-------------------------------------------------
All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 (tested: 18.0.0.32). OnBaseFoundation EP2 and OnBaseFoundation EP3 were not available to test, but Hyland's response indicates that they are not likely to have fixed the vulnerability.
Credit
-------------------------------------------------
Adaptive Security Consulting
Vulnerability Summary
-------------------------------------------------
Because Hyland OnBase largely relies on the client-side to log failures, most malicious attacks are not logged and attacks by malicious users who are using clients such as the Unity Client can simply drop the "log" request that is sent to the server. Additionally, client-side logging is virtually non-existent and server-side logging is almost exclusively of errors.
Technical Details
-------------------------------------------------
The OnBase system is improperly designed so that the client is responsible for specifically calling server-side logging mechanisms for a log entry to be written, allowing attackers to perform actions directly without the action being logged or to simply drop the client's log query, which is separate from the action query. Additionally, attackers are able to write arbitrary data to the server logs, including logging fake/spoofed attacks and denial of service attacks that bombard the logging mechanism with data.
For example, according to Hyland's website, OnBase is heavily used in the government, medical, and financial sectors, where detailed logging of events, such as a user accessing a medical record, are required by law. If an attacker or malicious user performs an action, the requested action is sent to the OnBase server, where it is performed. The server then responds, after which the client issues a request to log the now completed action.
In this example, a malicious user wants to see the medical record of a neighbor, but doesn't want the supervisor to know that this data is being looked at. The user tells the Unity client to open the record. The Unity client tells the server to retrieve the data. The server retrieves the data and then sends it to the Unity client. The Unity client displays the data and, as it is doing so, sends a request to the OnBase server to log that the data is now being viewed by the user. If the user simply drops this packet (it is a SOAP request and is easily dropped), the Unity client never knows, but more importantly, that the user is viewing the data is never logged anywhere. This architecture is pervasive across OnBase and the complete lack of logging on the client-side, as well as proper server-side logging (the server, upon receiving the request to retrieve the record should be logging the action), enables attackers, both authorized and unauthorized, to hide their malicious activities bo
th by simply "deleting" log entries (by dropping the log request) and by creating fake entries to either make it seem like someone else is performing the attack or to cause "log blindness" that hides the real malicious activity.
Solution
-------------------------------------------------
Unfortunately, attempts to notify Hyland of the vulnerabilities have been rebuffed as not being something that they have to fix since fixing vulnerabilities, according to the Director of Application Security, is "creating custom code" and no known fix is in place. It is recommended that users try to mitigate the vulnerability by ensuring that the OnBase server is inaccessible to anyone other than trusted users. No other mitigations are currently available.
Timeline
-------------------------------------------------
07 May 2019 - Adaptive Security Consulting discovered a series of vulnerabilities in medical records management and search applications being considered by our client
15 May 2019 - The client was provided with the results of the assessment, including POCs for a number of high and critical vulnerabilities
12 July 2019 - Client asked for more information and demonstrations
01 October 2019 - Client asked to test latest version of Hyland software
15 October 2019 - Client was informed that EP1 contained many of the same vulnerabilities
March 2020 - Client contacted Hyland and spoke with the Director of Application Security who said that fixing vulnerabilities was "writing custom code" and that Hyland "doesn't write custom code"
21 April 2020 - Adaptive Security Consulting attempted to contact Hyland's Application Security Team via email on behalf of client, but attempts were ignored