search menu icon-carat-right cmu-wordmark

CERT Coordination Center

HR Systems Strategies info:HR HRIS allows read access to weakly obfuscated shared database password

Vulnerability Note VU#829574

Original Release Date: 2013-10-15 | Last Revised: 2013-10-16


HR Systems Strategies info:HR HRIS 7.9 and possibly earlier versions allow read access to a weakly obfuscated database password. This password is shared by all clients within an info:HR site. A local attacker can decipher the password and gain complete control of the database and application, including access to sensitive personally identifiable information (PII).


info:HR is "...a robust, general-purpose Human Resources Information System (HRIS)" that runs on the Microsoft Windows platform and uses Microsoft SQL Server. info:HR stores database credentials in a registry key that allows read access to any local user. The database password is weakly obfuscated with a static key and can be easily deciphered.

Aspects of this vulnerability include CWE-314: Cleartext Storage in the Registry, CWE-327: Use of a Broken or Risky Cryptographic Algorithm.


A local attacker can read and decipher the SQL database password, granting the attacker complete control over the database. The attacker can also read and decipher info:HR application passwords to gain administrative privileges in the application. info:HR systems are likely to contain sensitive personally identifiable information (PII).


Apply an Update
HR Systems Strategies has stated that they will be releasing a patch later this year to address this vulnerability. Customers with a current support contract will be notified upon release and will be provided instructions directly from HR Systems on where download the patch.

Please also consider the following workaround until the patch is released.

Restrict access to the USERPW registry key

Change the ACL on the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\HR Systems\ODBC Setup\USERPW registry key to prevent unauthorized read access. Only allowing legitimate info:HR users to read the USERPW registry key will limit exposure. Legitimate users, however, will still be able to decipher the password and gain elevated privileges for the database.

Vendor Information


HR Systems Strategies Inc. Affected

Notified:  September 06, 2013 Updated: October 16, 2013



Vendor Statement

Personal data security is extremely important to our company and we work continually to improve our product line. 

In our release 8.0 product, available November 2013, we have made it significantly more complex to decrypt the password. The ODBC connection string in the registry file will be deleted and replaced with a new key with an encrypted string containing a number of different items. This new key would not be as easily identifiable and would contain items not associated with the application. The encryption key is created using an info:HR-created internal key that would be translated using the algorithm discussed in my previous email to create this registry key. The internal key is imbedded into the source code and is not stored anywhere in the application. Without knowledge of our internally-created key, the algorithm method used and the exact info:HR items contained in the string, decrypting the string would be very difficult. 

All current support customers will be notified via email when this release is ready to be downloaded. Additional queries can be directed to Jerry Rowland, Chief Technology Officer or Andy Staniewski, President.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group Score Vector
Base 4.1 AV:L/AC:M/Au:S/C:P/I:P/A:P
Temporal 3.7 E:F/RL:W/RC:C
Environmental 1.1 CDP:L/TD:L/CR:ND/IR:ND/AR:ND



Thanks to Chris Mayhew from Run Straight Consulting Ltd for reporting this vulnerability.

This document was written by Adam Rauf.

Other Information

CVE IDs: CVE-2013-5208
Date Public: 2013-10-14
Date First Published: 2013-10-15
Date Last Updated: 2013-10-16 13:56 UTC
Document Revision: 44

Sponsored by CISA.