Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Deltek Vision - Arbitrary SQL Execution
 Release Date: 2019-04-09
  Application: Deltek Vision
     Versions: 7.x before 7.6 March 2019 CU (Cumulative Update)
     Severity: High
       Author: Robert Wessen
Vendor Status: Updates available, see vendor for information.
CVE Candidate: CVE-2018-18251
    Reference: https://www.vsecurity.com/download/advisories/2018-18251.txt

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Product Description
~-----------------~

From Deltek's website [1]:

  "Project-Based ERP for Professional Services Firms. Manage the complete
  project lifecycle and increase profitability."

Vision 7.6 runs on IIS with MSSQL as a backend. It supplies a Microsoft
"ClickOnce" [3] .NET 4.0 application to clients. This .NET client binary
interacts with the IIS server and backend DB to allow customers to manage,
bill and track service-based projects.

Vulnerability Overview
~--------------------~

In mid-September 2018 VSR identified an arbitrary SQL execution vulnerability
in the Vision 7.6 system. This vulnerability permits the execution of any
attacker-supplied SQL statement through a custom RPC-over-HTTP protocol. The
query is executed as a user with the role of db_owner, allowing access to all
data within the Deltek system. Other similar impacts may also be possible, as
security is enforced on the client for multiple operations.

Vulnerability Details
~-------------------~

The Vision system relies on the client binary to enforce security rules and
the integrity of SQL statements and other content being sent to the server.
Client HTTP calls can be manipulated by one of several means to execute
arbitrary SQL statements (similar to SQLi) and potentially have other impacts.
To perform these attacks an authenticated session is first required.
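The design flaw described above is the server accepting SQL whose safety and
authorization were checked only on the client. The following Python model is
an added illustration for this advisory; it is not Deltek's code and is not
derived from the Vision RPC protocol. SQLite stands in for MSSQL, and the
request shape ("sql" / "op" / "args"), the operation names and the sample rows
are constructed assumptions. It contrasts a handler that runs client-supplied
SQL text as the server's own database identity with one where the client may
only name an operation while the server owns the SQL, binds parameters and
scopes every query to the authenticated session user.

```python
import sqlite3

# Constructed sample data (not from the advisory): projects for two users.
SAMPLE_PROJECTS = [
    ("alice", "Bridge survey", 12000.0),
    ("bob", "Tower audit", 45000.0),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database standing in for the MSSQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE projects ("
        "id INTEGER PRIMARY KEY, owner TEXT, name TEXT, billing REAL)"
    )
    conn.executemany(
        "INSERT INTO projects (owner, name, billing) VALUES (?, ?, ?)",
        SAMPLE_PROJECTS,
    )
    conn.commit()
    return conn


class RpcError(Exception):
    """Raised by the hardened handler for any request it will not serve."""


def rpc_vulnerable(conn, session_user, request):
    """The pattern the advisory describes: the server assumes the client
    already enforced authorization and built a sane statement, and runs
    whatever SQL text arrives under its own (db_owner-class) identity.
    session_user is accepted but never consulted."""
    return conn.execute(request["sql"]).fetchall()


# Hardened pattern: the client may only name an operation. The server owns
# the SQL text, binds every client value as a parameter, coerces it to the
# declared type, and scopes every query to the authenticated session user.
# Operation names and argument specs are hypothetical, not Vision's RPC names.
OPERATIONS = {
    "list_my_projects": (
        "SELECT id, name, billing FROM projects WHERE owner = ? ORDER BY id",
        (),
    ),
    "get_project": (
        "SELECT id, name, billing FROM projects WHERE owner = ? AND id = ?",
        (("id", int),),
    ),
}


def rpc_hardened(conn, session_user, request):
    """Serve only a known operation, with server-side parameters and scoping."""
    op = request.get("op")
    if op not in OPERATIONS:
        # Raw SQL, unknown names and a missing "op" are all rejected here.
        raise RpcError(f"unknown operation {op!r}")
    sql, arg_spec = OPERATIONS[op]
    args = request.get("args", {})
    if set(args) != {name for name, _ in arg_spec}:
        raise RpcError("argument set does not match the operation")
    try:
        params = [session_user] + [typ(args[name]) for name, typ in arg_spec]
    except (TypeError, ValueError) as exc:
        raise RpcError(f"bad argument type: {exc}")
    return conn.execute(sql, params).fetchall()


def demo():
    """Run both handlers as user 'alice' and report what each lets through."""
    conn = make_db()
    # An authenticated but otherwise unprivileged user reads every owner's
    # billing data through the trusting handler.
    leaked = rpc_vulnerable(conn, "alice", {"sql": "SELECT owner, billing FROM projects"})
    # The same request is meaningless to the hardened handler.
    try:
        rpc_hardened(conn, "alice", {"sql": "SELECT owner, billing FROM projects"})
        raw_sql_rejected = False
    except RpcError:
        raw_sql_rejected = True
    mine = rpc_hardened(conn, "alice", {"op": "list_my_projects"})
    # Asking for bob's project id while authenticated as alice yields nothing,
    # because the owner predicate is applied server-side.
    others = rpc_hardened(conn, "alice", {"op": "get_project", "args": {"id": 2}})
    return leaked, raw_sql_rejected, mine, others


if __name__ == "__main__":
    for label, value in zip(("leaked", "raw_sql_rejected", "mine", "others"), demo()):
        print(f"{label}: {value}")
```

The point of the hardened handler is that nothing the client sends ever
becomes SQL text: the database identity the server uses can still be
privileged, but the set of statements that identity will run is fixed in
server code, and the session user is a mandatory predicate rather than a
value the client is trusted to include.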
In some cases client calls are obfuscated by encryption, which can be bypassed
due to hard-coded keys and an insecure key rotation protocol. Impacts may
include remote code execution in some deployments; however, the vendor states
that this cannot occur when the installation documentation is heeded.

Versions Affected
~---------------~

The issue was originally discovered in version 7.6, although it likely exists
in prior versions which use the same client-server architecture.

Vendor Response
~-------------~

The following timeline details Deltek's response to the reported issue:

2018-09-26  VSR contacted Deltek's application development team directly.
2018-09-26  Deltek replied and set up time for additional information to be
            provided.
2018-09-27  Initial vulnerability description communicated.
2018-10-01  Proposed build correcting issues provided to VSR; condition still
            exploitable.
2018-10-04  Additional conversations around potential mitigations/corrections.
2018-10-05  Additional conversations around potential mitigations/corrections.
            VSR agreed to 180-day disclosure due to a combination of impact
            level and required product architectural challenges.
2018-10-11  CVE reserved; Deltek provided with all technical details, PoC code
            and draft advisory.
2019-01-29  New build with additional protections provided to VSR.
2019-02-12  New build tested, remains exploitable, although exploitation is
            harder due to additional obfuscation and new RPC integrity checks
            in place.
2019-04-09  Public advisory release.

Recommendation
~------------~

Upgrade Vision installs to the latest version of Deltek Vision software as
soon as possible [7.6 March 2019 CU (Cumulative Update) or later].

In addition to updates, Deltek recommends:

1) Ensuring the installation is deployed to only use HTTPS.
2) Confirming that "encrypted requests" are enabled in web.config as
   demonstrated below.

...

Common Vulnerabilities and Exposures (CVE) Information
~----------------------------------------------------~

The Common Vulnerabilities and Exposures (CVE) project has assigned the number
CVE-2018-18251 to this issue. This is a candidate for inclusion in the CVE
list (https://cve.mitre.org), which standardizes names for security problems.

Acknowledgments
~--------------~

Deltek's development and security teams were quick to reply and eager to
communicate regarding the issue.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

References:

1. https://www.deltek.com/en/products/project-erp/vision
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18251
3. https://msdn.microsoft.com/en-us/library/ms996413.aspx

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

This advisory is distributed for educational purposes only with the sincere
hope that it will help promote public safety. This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose. Neither Virtual Security Research, LLC nor
the author accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information. See the
VSR disclosure policy for more information on our responsible disclosure
practices: https://www.vsecurity.com/company/disclosure

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Copyright 2018 Virtual Security Research, LLC. All rights reserved.
Editor’s note: This work was originally published by VSR on their website at https://www.vsecurity.com/resources/advisories.html. VSR is now a part of NCC Group, so we have migrated this content to research.nccgroup.com. The advisory text as above has been copy-pasted to this blog for historical reference.