search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Artiva Agency Single Sign-On (SSO) feature vulnerability

Vulnerability Note VU#215284

Original Release Date: 2014-04-14 | Last Revised: 2014-04-14

Overview

Artiva Agency Single Sign-On (SSO) feature checks only the local Windows login name which could allow an attacker to impersonate another Artiva Agency user.

Description

Artiva Agency Single Sign-On (SSO) feature when configured with the domain name option allows the currently logged on Windows user to automatically be logged into the Artiva Agency application using the same username without any additional authentication. Artiva Agency Single Sign-On (SSO) checks only the local Window login name and as a result does not take into consideration the associated user's domain name. By creating a local Windows user account with the same username as a Windows domain account, Artiva Agency will allow the attacker to login as the domain account to the Artiva Agency application.

Impact

An unauthenticated Artiva Agency user can create a local Windows user account with the same username as a Windows domain account and Artiva Agency will allow the attacker to login as the domain account to the Artiva Agency application.

Solution

Update

The vendor has released an update to address this vulnerability. Affected users are advised to update to Artiva Workstation 1.3.9 or later. The vendor has stated that additional setup work in the Artiva application is required.

Vendor Information

It has been reported to us that this vulnerability affects the following Artiva line products and versions:

    Artiva Rm 3.1 MR7 or newer
    Artiva Healthcare 5.2 MR5 or newer
    Artiva Architect 3.2 MR5 or newer
    Workstation 1.3.0 or newer

215284
 
Affected   Unknown   Unaffected

Ontario Systems

Notified:  January 23, 2014 Updated:  January 23, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References


    CVSS Metrics

    Group Score Vector
    Base 1.5 AV:L/AC:M/Au:S/C:P/I:N/A:N
    Temporal 1.2 E:F/RL:OF/RC:C
    Environmental 0.5 CDP:L/TD:L/CR:ND/IR:ND/AR:ND

    References

    Acknowledgements

    Thanks to the reporter that wishes to remain anonymous.

    This document was written by Michael Orlando.

    Other Information

    CVE IDs: CVE-2014-0348
    Date Public: 2014-04-01
    Date First Published: 2014-04-14
    Date Last Updated: 2014-04-14 14:17 UTC
    Document Revision: 12

    Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.