Hyland OnBase 19.x and below - Data Import Denial Of Service

[AdaptiveSecurity Consulting via Fulldisclosure <fulldisclosure () seclists org>]

CVSSv3.1 Score
-------------------------------------------------
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Vendor
-------------------------------------------------
Hyland Software - (https://www.hyland.com/en/ and https://www.onbase.com/en/)

Product
-------------------------------------------------
Hyland OnBase
All derivatives based on OnBase

Versions Affected
-------------------------------------------------
All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 (tested: 18.0.0.32). 
OnBaseFoundation EP2 and OnBaseFoundation EP3 were not available to test, but Hyland's response indicates that they are 
not likely to have fixed the vulnerability.

Credit
-------------------------------------------------
Adaptive Security Consulting

Vulnerability Summary
-------------------------------------------------
Several of Hyland OnBase's data import utilities are vulnerable to denial of service attacks if the data being imported 
is unexpected or malformed.

Technical Details
-------------------------------------------------
Hyland OnBase allows several different ways to import data, such as COLD and DIP. These import processes can be run 
manually or on a schedule and read files from a specific folder. Because they do not perform any validation on the 
files before attempting to process them they are prone to crashing when files do not meet expectations. When the import 
crashes, no other files are processed allowing attackers to create a denial of service on an unmonitored, scheduled 
import routine preventing the importing of any new data or limiting what data is imported. Attackers can also use the 
import process to import bad data that bypasses security checks and then either attacks the clients or has the client 
attack the server on its behalf.

Solution
-------------------------------------------------
Unfortunately, attempts to notify Hyland of the vulnerabilities have been rebuffed as not being something that they 
have to fix since fixing vulnerabilities, according to the Director of Application Security, is "creating custom code" 
and no known fix is in place. It is recommended that users try to mitigate the vulnerability by validating files being 
imported before they are imported to make certain that they will not crash the importer. Access to the import folders 
and import scripts should also be limited to trusted personnel and trusted data only. No other mitigations are 
currently available.

Timeline
-------------------------------------------------
07 May 2019 - Adaptive Security Consulting discovered a series of vulnerabilities in medical records management and 
search applications being considered by our client
15 May 2019 - The client was provided with the results of the assessment, including POCs for a number of high and 
critical vulnerabilities
12 July 2019 - Client asked for more information and demonstrations
01 October 2019 - Client asked to test latest version of Hyland software
15 October 2019 - Client was informed that EP1 contained many of the same vulnerabilities
March 2020 - Client contacted Hyland and spoke with the Director of Application Security who said that fixing 
vulnerabilities was "writing custom code" and that Hyland "doesn't write custom code"
21 April 2020 - Adaptive Security Consulting attempted to contact Hyland's Application Security Team via email on 
behalf of client, but attempts were ignored

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/