MATESO GmbH Password Safe And Repository Enterprise 7.4.4 Build 2247 Credential Management

2017-04-11T00:00:00
ID PACKETSTORM:142092
Type packetstorm
Reporter Matthias Deeg
Modified 2017-04-11T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2015-036  
Product(s): Password Safe and Repository Enterprise  
Manufacturer: MATESO GmbH  
Affected Version(s): 7.4.4 Build 2247  
Tested Version(s): 7.4.4 Build 2247  
Vulnerability Type: Credentials Management (CWE-255)  
Violation of Secure Design Principles (CWE-657)  
Risk Level: High  
Solution Status: Fixed  
Manufacturer Notification: 2015-07-09  
Solution Date: 2016-10-18  
Public Disclosure: 2017-04-10  
CVE Reference: Not yet assigned  
Author of Advisory: Matthias Deeg (SySS GmbH)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
Password Safe and Repository Enterprise is a password management  
software for companies with many features.  
  
The vendor MATESO GmbH describes the product as follows (see [1]):  
  
"Manage your passwords in the company according to your security needs!  
Features such as password policies, multi-eyes principle, workflow and  
task system makes management productive and safe.  
  
The integrated rights management system with data transfer option and  
automatic synchronization with Active Directory ensures that your  
employees can only access data which they are entitled to."  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
SySS GmbH found out that synchronized databases (offline databases)  
created by a specific user also contain sensitive data of other users,  
for example login credentials.  
  
The password information of other users are stored as raw, unsalted MD5  
hash values in the database table tdUsers (see SYSS-2015-037).  
  
Thus, by having access to an offline database, it is possible to access  
password information of other users, for example the MD5 password hash  
of the built-in administrator account. This password information may be  
recovered during password guessing attacks and used for accessing  
foreign user data in an unauthorized way or for performing privilege  
escalation attacks in the online mode.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
In the offline mode of the password management software Password Safe  
and Repository, it is possible to manipulate SQL statements due to  
the violation of secure design principles and SQL injection  
vulnerabilities (see SYSS-2015-035).  
  
By using the following SQL statement, user information of all users  
unnecessarily stored in the database table tdUsers can be retrieved from  
an offline database and extracted from memory of the password management  
software, for example by using a modified client software:  
  
SELECT * FROM tdUsers  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
The MATESO GmbH released the new software version Password Safe and  
Repository Enterprise 8 that is not affected by the described security  
issues.  
  
Please contact the manufacturer for further information or support.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2015-07-09: Vulnerability reported to manufacturer  
2015-07-09: Manufacturer acknowledges e-mail with SySS security advisory  
  
2015-07-30: Scheduling of the publication date in agreement with the  
manufacturer  
2015-10-02: Rescheduling of the publication date in agreement with the  
manufacturer  
2016-10-18: Manufacturer presents new software version with fixed  
security issues  
2017-04-10: Public release of security advisory  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product website for Password Safe and Repository Enterprise  
http://www.passwordsafe.de/en/products/business/enterprise-edition.html  
[2] SySS Security Advisory SYSS-2015-036  
  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-036.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Matthias Deeg of SySS GmbH.  
  
E-Mail: matthias.deeg (at) syss.de  
Public Key:  
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc  
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCgAdFiEE0fCgNfBs5nXNuQUU2aS/ajStTasFAljrOqMACgkQ2aS/ajSt  
TatHHhAAocjsf2GB/VxbrW7rZrlgh3EmMNIhiPJCwZRKjJaZNyYBS2GeGyh8jLiw  
ZZ2u/u8UKX29Ejl8HXeQXJevF0g3planpLCzRHD4YLmIyckhSVPDe7YwjuAegdNm  
0IFaQbsW8ai9ItZ44IOi2S2Zra4pXZKGWIkan6Y11cmDJry7BT2JYXEeHDE2ff+B  
niOIHg3m0fhiHV5kial5jz1Ve7497RpQ6r2PtT/8e9MlWIJHIiQujGsXRils+pai  
F99InZdaAjxwyyp36G3u4d0FBdxhBRsDA/53bFXh22kSHWVBtlFLGB3qe0BnViz9  
flXr/TCnb6BZ9CQ1+p0nk6n9YXANU9UVUZiRhLcRdwgIo8GxIJL5wzo9IIjWmIcW  
xIO1SLxiWR6TM+778C59XjplWjgmqkWiBhr6g45YAEbzeRj6yI2Bgu575jilzypI  
eJ8Sl9NcVz8qH5hhmHEvBFohJGSXO2rQS2rTebzPChg/CXZk3I39RF5btSqSveny  
UDZmDYWFJqV3/jpE7I1xOqymJovVCPOX4QoQAFQRlfK7sx0Ho6njWhKVdfuJf6pK  
LgrDaQSxkRd8rf9DtdU39zfPH1Gge2OO578q5ht7jvoa5eeTXLmbIXdSWDc1oeBb  
DjHm9tCikNldv5kgt9JDf//2AF+LIwZRi1BpjawQjfkdJg1F8YU=  
=3S2g  
-----END PGP SIGNATURE-----  
  
  
`