Executive Summary

Summary
Title: HR Systems Strategies info
Information
Name: VU#829574                    First vendor Publication: 2013-10-15
Vendor: VU-CERT                    Last vendor Modification: 2013-10-16
Severity (Vendor): N/A             Revision: M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score: NA
Base Score: NA                     Environmental Score: NA
Impact SubScore: NA                Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:M/Au:S/C:P/I:P/A:P)
Cvss Base Score: 4.1               Attack Range: Local
Cvss Impact Score: 6.4             Attack Complexity: Medium
Cvss Exploit Score: 2.7            Authentication: Requires single instance

Detail

Vulnerability Note VU#829574

HR Systems Strategies info:HR HRIS allows read access to weakly obfuscated shared database password

Original Release date: 15 Oct 2013 | Last revised: 16 Oct 2013

Overview

HR Systems Strategies info:HR HRIS 7.9 and possibly earlier versions allow read access to a weakly obfuscated database password. This password is shared by all clients within an info:HR site. A local attacker can decipher the password and gain complete control of the database and application, including access to sensitive personally identifiable information (PII).

Description

info:HR is "...a robust, general-purpose Human Resources Information System (HRIS)" that runs on the Microsoft Windows platform and uses Microsoft SQL Server. info:HR stores database credentials in a registry key that allows read access to any local user. The database password is weakly obfuscated with a static key and can be easily deciphered.

Aspects of this vulnerability include CWE-314: Cleartext Storage in the Registry and CWE-327: Use of a Broken or Risky Cryptographic Algorithm.

Impact

A local attacker can read and decipher the SQL database password, granting the attacker complete control over the database. The attacker can also read and decipher info:HR application passwords to gain administrative privileges in the application. info:HR systems are likely to contain sensitive personally identifiable information (PII).

Solution

Apply an Update
HR Systems Strategies has stated that they will be releasing a patch later this year to address this vulnerability. Customers with a current support contract will be notified upon release and will be provided instructions directly from HR Systems on where to download the patch.

Please also consider the following workaround until the patch is released.

Restrict access to the USERPW registry key

Change the ACL on the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\HR Systems\ODBC Setup\USERPW registry key to prevent unauthorized read access. Only allowing legitimate info:HR users to read the USERPW registry key will limit exposure. Legitimate users, however, will still be able to decipher the password and gain elevated privileges for the database.
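The workaround above as an added example (not part of the CERT note or the vendor's guidance): a PowerShell script that first lists which principals can currently read the USERPW key, then rewrites its DACL so that only Administrators, SYSTEM and a group of legitimate info:HR users keep access. The group name CONTOSO\infoHR-Users is a placeholder, and the key path is the one quoted in the advisory; if on a given install USERPW turns out to be a value rather than a subkey, point $KeyPath at its parent "ODBC Setup" key instead.

```powershell
# Added example (not from the CERT note or from HR Systems Strategies): audit, then tighten,
# the ACL on the registry key named in the workaround. Run in an elevated PowerShell session
# on each info:HR client. $AllowedGroup is a placeholder: substitute the local or domain group
# that actually contains the legitimate info:HR users (and any service account the app runs as).
$KeyPath      = 'HKLM:\SOFTWARE\Wow6432Node\HR Systems\ODBC Setup\USERPW'
$AllowedGroup = 'CONTOSO\infoHR-Users'

function Get-UserPwKeyReaders {
    # Every principal whose Allow ACE includes QueryValues can read the obfuscated password.
    # On an unpatched client this list typically includes BUILTIN\Users via inheritance.
    $acl = Get-Acl -Path $KeyPath
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::QueryValues) -ne 0)
    } | Select-Object IdentityReference, RegistryRights, IsInherited
}

function Restrict-UserPwKey {
    $acl = Get-Acl -Path $KeyPath
    # Break inheritance and discard the inherited ACEs (the source of the "any local user"
    # read access), then drop any explicit leftovers so the DACL can be rebuilt from scratch.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $grants = @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @($AllowedGroup,            'ReadKey')      # legitimate info:HR users: read only
    )
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
            $g[0], $g[1], 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $KeyPath -AclObject $acl
}

Write-Host 'Readers before:'; Get-UserPwKeyReaders | Format-Table -AutoSize
Restrict-UserPwKey
Write-Host 'Readers after:';  Get-UserPwKeyReaders | Format-Table -AutoSize
```

Re-running Get-UserPwKeyReaders afterwards should show only the three granted principals; as the note says, members of $AllowedGroup can still read and decipher the value, so this only narrows exposure until the vendor patch ships.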

Vendor Information

Vendor: HR Systems Strategies Inc.
Status: Affected
Date Notified: 06 Sep 2013
Date Updated: 16 Oct 2013

CVSS Metrics

Group          Score   Vector
Base           4.1     AV:L/AC:M/Au:S/C:P/I:P/A:P
Temporal       3.7     E:F/RL:W/RC:C
Environmental  1.1     CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

  • http://cwe.mitre.org/data/definitions/314.html
  • http://cwe.mitre.org/data/definitions/327.html
  • http://infohr.net/

Credit

Thanks to Chris Mayhew from Run Straight Consulting Ltd for reporting this vulnerability.

This document was written by Adam Rauf.

Other Information

  • CVE IDs: CVE-2013-5208
  • Date Public: 14 Oct 2013
  • Date First Published: 15 Oct 2013
  • Date Last Updated: 16 Oct 2013
  • Document Revision: 42

Original Source

Url : http://www.kb.cert.org/vuls/id/829574

CWE : Common Weakness Enumeration

%      Id       Name
100 %  CWE-310  Cryptographic Issues

CPE : Common Platform Enumeration

Type         Description   Count
Application                1

Alert History

Date Informations
2013-10-16 21:26:31
  • Multiple Updates
2013-10-16 17:25:40
  • Multiple Updates
2013-10-16 17:20:18
  • Multiple Updates
2013-10-15 17:18:37
  • First insertion