Vulnerability Note VU#829574

HR Systems Strategies info:HR HRIS allows read access to weakly obfuscated shared database password

Original Release date: 15 Oct 2013 | Last revised: 16 Oct 2013

Overview

HR Systems Strategies info:HR HRIS 7.9 and possibly earlier versions allow read access to a weakly obfuscated database password. This password is shared by all clients within an info:HR site. A local attacker can decipher the password and gain complete control of the database and application, including access to sensitive personally identifiable information (PII).

Description

info:HR is "...a robust, general-purpose Human Resources Information System (HRIS)" that runs on the Microsoft Windows platform and uses Microsoft SQL Server. info:HR stores database credentials in a registry key that allows read access to any local user. The database password is weakly obfuscated with a static key and can be easily deciphered.

Aspects of this vulnerability include CWE-314: Cleartext Storage in the Registry, CWE-327: Use of a Broken or Risky Cryptographic Algorithm.

Impact

A local attacker can read and decipher the SQL database password, granting the attacker complete control over the database. The attacker can also read and decipher info:HR application passwords to gain administrative privileges in the application. info:HR systems are likely to contain sensitive personally identifiable information (PII).

Solution

Apply an Update
HR Systems Strategies has stated that they will be releasing a patch later this year to address this vulnerability. Customers with a current support contract will be notified upon release and will be provided instructions directly from HR Systems on where download the patch.

Please also consider the following workaround until the patch is released.

Restrict access to the USERPW registry key

Change the ACL on the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\HR Systems\ODBC Setup\USERPW registry key to prevent unauthorized read access. Only allowing legitimate info:HR users to read the USERPW registry key will limit exposure. Legitimate users, however, will still be able to decipher the password and gain elevated privileges for the database.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
HR Systems Strategies Inc.Affected06 Sep 201316 Oct 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 4.1 AV:L/AC:M/Au:S/C:P/I:P/A:P
Temporal 3.7 E:F/RL:W/RC:C
Environmental 1.1 CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Chris Mayhew from Run Straight Consulting Ltd for reporting this vulnerability.

This document was written by Adam Rauf.

Other Information

  • CVE IDs: CVE-2013-5208
  • Date Public: 14 Oct 2013
  • Date First Published: 15 Oct 2013
  • Date Last Updated: 16 Oct 2013
  • Document Revision: 42

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.