Technical Advisory – DelTek Vision – Arbitrary SQL Execution (SQLi)
Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Deltek Vision - Arbitrary SQL Execution Release Date: 2019-04-09 Application: Deltek Vision Versions: 7.x before 7.6 March 2019 CU (Cumulative Update) Severity: High Author: Robert Wessen
Vendor Status: Updates available, see vendor for information. CVE Candidate: CVE-2018-18251 Reference: https://www.vsecurity.com/download/advisories/2018-18251.txt =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Product Description ~-----------------~ From Deltek's website : "Project-Based ERP for Professional Services Firms. Manage the complete project lifecycle and increase profitability." Vision 7.6 is run on IIS with MSSQL as a backend. It supplies a Microsoft "ClickOnce"  .NET 4.0 application to clients. This .NET client binary interacts with the IIS server and backend DB to allow customers to manage, bill and track service based projects. Vulnerability Overview ~--------------------~ In mid-September 2018 VSR identified an arbitrary SQL execution vulnerability in the Vision 7.6 system. This vulnerability permits the execution of any attacker supplied SQL statement though a custom RPC over HTTP protocol. The query is executed as a user with the role of db_owner allowing access to all data within the Deltek system. Other similar impacts may also be possible, as security is enforced on the client for multiple operations. Vulnerability Details ~-------------------~ The Vision system relies on the client binary to enforce security rules and integrity of SQL statements and other content being sent to the server. Client HTTP calls can be manipulated by one of several means to execute arbitrary SQL statements (similar to SQLi) and potentially have other impacts. To perform these attacks an authenticated session is first required. In some cases client calls are obfuscated by encryption, which can be bypassed due to hard-coded keys and an insecure key rotation protocol. Impacts may include remote code execution in some deployments; however, the vendor states that this cannot occur when the installation documentation is heeded. Versions Affected ~---------------~ The issue was originally discovered in version 7.6, although it likely exists in prior versions which use the same client server architecture. Vendor Response ~-------------~ The following timeline details Deltek's response to the reported issue: 2018-09-26 VSR contacted Deltek's application development team directly. 2018-09-26 Deltek replied and set up time for additional information to be provided. 2018-09-27 Intial vulnerability description communicated. 2018-10-01 Proposed build correcting issues provided to VSR, condition still exploitable. 2018-10-04 Additional conversations around potential mitigations/corrections. 2018-10-05 Additional conversations around potential mitigations/corrections. VSR agreed to 180 day disclosure due to a combination of impact level and required product architectual challenges. 2018-10-11 CVE reserved, Deltek provided with all technical details, PoC code and draft advisory. 2019-01-29 New build with aditional protections provided to VSR. 2019-02-12 New build tested, remains exploitable, although exploitation is harder due to additional obfuscation and new RPC integrity checks in place. 2019-04-09 Public advisory release. Recommendation ~------------~ Upgrade Vision installs to the latest version of Deltek Vision software as soon as possible. [7.6 March 2019 CU (Cumulative Update) or later] In addition to updates, Deltek recommends: 1) Ensuring the installation is deployed to only use HTTPS. 2) Confirming that "encrypted requests" are enabled in web.config as demonstrated below. ...Common Vulnerabilities and Exposures (CVE) Information ~----------------------------------------------------~ The Common Vulnerabilities and Exposures (CVE) project has assigned the number CVE-2018-18251 to this issue. This is a candidate for inclusion in the CVE list (https://cve.mitre.org), which standardizes names for security problems. Acknowledgments ~--------------~ Deltek's development and security teams were quick to reply and eager to communicate regarding the issue. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= References: 1. https://www.deltek.com/en/products/project-erp/vision 2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18251 3. https://msdn.microsoft.com/en-us/library/ms996413.aspx =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= This advisory is distributed for educational purposes only with the sincere hope that it will help promote public safety. This advisory comes with absolutely NO WARRANTY; not even the implied warranty of merchantability or fitness for a particular purpose. Neither Virtual Security Research, LLC nor the author accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. See the VSR disclosure policy for more information on our responsible disclosure practices: https://www.vsecurity.com/company/disclosure =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Copyright 2018 Virtual Security Research, LLC. All rights reserved. ...
Editor's note: This work was originally published by VSR on their website at https://www.vsecurity.com/resources/advisories.html. VSR is now a part of NCC Group, so we have migrated this content to research.nccgroup.com. The advisory text as above has been copy-pasted to this blog for historical reference.