
Fortra FileCatalyst Workflow Static HSQLDB Password

Critical

Synopsis

Fortra FileCatalyst Workflow contains a static HSQLDB password that can be used by a remote attacker to access the service with administrative access.

A vendor KB article at <https://support.fortra.com/filecatalyst/kb-articles/how-to-access-the-internal-filecatalyst-workflow-database-NjkzODJhMDctMjQwZC1lZDExLTgyZTUtMDAwZDNhNWE3ZDJj> walks through steps to access the internal FileCatalyst Workflow HSQLDB using a static password "GOSENSGO613" (without quotes).
 

The internal Workflow HSQLDB is remotely accessible on TCP port 4406 by default. An unauthenticated remote attacker can follow the same steps but using a remote JDBC URL (i.e., jdbc:hsqldb:hsql://<target-host>:4406/hsqldb) to access the internal HSQLDB. Once logged in to the HSQLDB, the attacker can perform malicious operations in the database. For example, the attacker can add an admin-level user in the DOCTERA_USERS table, allowing access to the Workflow web application as an admin user.


Note that on newer Workflow versions, the HSQLDB jar file may be named differently. For example, on Workflow 5.1.6 Build 139, hsqldb-2.7.1-jdk8.jar (instead of hsqldb.jar) is present.


The attacker can also use other tools to access the internal HSQLDB.


While we would generally consider this behavior to be documented and intended functionality, there are a couple of factors leading us to consider this a vulnerability as per current CVE guidelines (https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_4-1_Vulnerability_Determination):

  • The level of access provided by these default credentials poses significant risk
  • End users are unable to change this password by conventional means
  • The service binds to 0.0.0.0:4406 by default
  • Per https://filecatalyst.software/workflow.html, it would appear that HSQLDB support has been deprecated, but may still be in production use for older versions
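The third point above (the listener on 0.0.0.0:4406) is something an administrator can verify on the host. The following is an added example, not Tenable's or Fortra's code: it parses `ss -ltn` style output (a constructed sample is embedded; the column layout and the "exposed"/"local-only" labels are this example's own assumptions) and reports whether TCP 4406 is bound to a wildcard or non-loopback address rather than to loopback only.

```python
"""Check whether the FileCatalyst Workflow HSQLDB port is exposed beyond loopback."""
from dataclasses import dataclass
from typing import List

HSQLDB_PORT = 4406                      # default internal HSQLDB port per the advisory
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample of `ss -ltn` output (not a real capture).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:25         0.0.0.0:*
LISTEN  0       50      0.0.0.0:4406         0.0.0.0:*
LISTEN  0       100     *:8080               *:*
LISTEN  0       50      [::1]:4406           [::]:*
"""


@dataclass
class Listener:
    address: str
    port: int


def parse_listeners(ss_output: str) -> List[Listener]:
    """Extract (address, port) pairs from the Local Address:Port column."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skip the header and anything that is not a listening socket
        # Split on the last ':' so IPv6 literals such as [::1]:4406 parse correctly.
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append(Listener(addr, int(port)))
    return listeners


def hsqldb_exposure(ss_output: str, port: int = HSQLDB_PORT) -> str:
    """Return 'exposed', 'local-only' or 'not-listening' for the given port.

    Any wildcard or non-loopback bind counts as exposed, since the static
    password then makes the database reachable by unauthenticated remote users.
    """
    bound = [l.address for l in parse_listeners(ss_output) if l.port == port]
    if not bound:
        return "not-listening"
    if any(a in WILDCARDS or a not in LOOPBACK for a in bound):
        return "exposed"
    return "local-only"
```

A result of "exposed" on an unpatched host means the mitigation is to upgrade and, until then, restrict port 4406 at the host or network firewall.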

Solution

Upgrade to FileCatalyst Workflow 5.1.7 or later.

Disclosure Timeline

July 2, 2024 - Tenable discloses issue to Fortra.
July 2, 2024 - Fortra acknowledges report and requests clarification of disclosure policy. Tenable provides clarification.
July 15, 2024 - Tenable requests status update from Fortra. Fortra provides status update and CVE identifier.
August 13, 2024 - Tenable requests status update from Fortra. Fortra provides status update. Tenable acknowledges.
August 22, 2024 - Fortra states that patch and advisory should be ready to go on August 27.
August 22, 2024 - Fortra requests attribution information.
August 23, 2024 - Tenable provides requested information.
August 26, 2024 - Tenable provides advisory draft to Fortra. Fortra provides references to their advisory.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

CVE ID: CVE-2024-6633
Tenable Advisory ID: TRA-2024-35
CVSSv3 Base / Temporal Score: 9.8 / 8.8
CVSSv3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products: FileCatalyst Workflow prior to 5.1.7
Risk Factor: Critical

Advisory Timeline

August 27, 2024 - Initial release.