{"vuid":"VU#829574","idnumber":"829574","name":"HR Systems Strategies info:HR HRIS allows read access to weakly obfuscated shared database password","keywords":["HR Systems Strategies","Info:HR","password disclosure","information leakage","registry","SQL","cryptography","CWE-314","CWE-327"],"overview":"HR Systems Strategies info:HR HRIS 7.9 and possibly earlier versions allow read access to a weakly obfuscated database password. This password is shared by all clients within an info:HR site. A local attacker can decipher the password and gain complete control of the database and application, including access to sensitive personally identifiable information (PII).","clean_desc":"info:HR is \"...a robust, general-purpose Human Resources Information System (HRIS)\" that runs on the Microsoft Windows platform and uses Microsoft SQL Server. info:HR stores database credentials in a registry key that allows read access to any local user. The database password is weakly obfuscated with a static key and can be easily deciphered. Aspects of this vulnerability include CWE-314: Cleartext Storage in the Registry, CWE-327: Use of a Broken or Risky Cryptographic Algorithm.","impact":"A local attacker can read and decipher the SQL database password, granting the attacker complete control over the database. The attacker can also read and decipher info:HR application passwords to gain administrative privileges in the application. info:HR systems are likely to contain sensitive personally identifiable information (PII).","resolution":"Apply an Update\nHR Systems Strategies has stated that they will be releasing a patch later this year to address this vulnerability. Customers with a current support contract will be notified upon release and will be provided instructions directly from HR Systems on where download the patch. Please also consider the following workaround until the patch is released.","workarounds":"Restrict access to the USERPW registry key Change the ACL on the HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\HR Systems\\ODBC Setup\\USERPW registry key to prevent unauthorized read access. Only allowing legitimate info:HR users to read the USERPW registry key will limit exposure. Legitimate users, however, will still be able to decipher the password and gain elevated privileges for the database.","sysaffected":"","thanks":"Thanks to \nChris Mayhew from Run Straight Consulting Ltd for reporting this vulnerability.","author":"This document was written by Adam Rauf.","public":["http://cwe.mitre.org/data/definitions/314.html","http://cwe.mitre.org/data/definitions/327.html","http://infohr.net/"],"cveids":["CVE-2013-5208"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2013-08-21T18:56:31Z","publicdate":"2013-10-14T00:00:00Z","datefirstpublished":"2013-10-15T14:23:21Z","dateupdated":"2013-10-16T13:56:41Z","revision":44,"vrda_d1_directreport":"1","vrda_d1_population":"1","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"L","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"P","cvss_availabilityimpact":"P","cvss_exploitablity":null,"cvss_remediationlevel":"W","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"L","cvss_targetdistribution":"L","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"4.1","cvss_basevector":"AV:L/AC:M/Au:S/C:P/I:P/A:P","cvss_temporalscore":"3.7","cvss_environmentalscore":"1.1","cvss_environmentalvector":"CDP:L/TD:L/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}