“ThingWorx is more than an IoT platform; it provides the functionality, flexibility and scalability that businesses need to drive industrial innovation─including the ability to source, contextualize and synthesize data while orchestrating processes and delivering powerful web, mobile and AR experiences.”
ThingWorx allows to configure Things to communicate with other services over several protocols (e.g. LDAP integration via a DirectoryServices Thing). In order to communicate with services that require authentification, ThingWorx provides functionality to associate credentials to a Thing.
During a brief audit it was noticed that ThingWorx Composer leaks the following sensitive data:
- The PBKDF2WithHmac512 password hash of a user Thing
- The AES encrypted password of several Things containing password attributes
Furthermore, the password used for encryption is hard-coded and thus identical along all installations.
Besides the above mentioned vulnerabilities a reflected cross-site scripting vulnerability was identified in the ThingWorx SQUEAL search function.
The vendor provides a patch which should be installed immediately. It is recommended to perform further thorough security audits as the product may be affected by other potential security vulnerabilities.
Vulnerability Overview / Description
1) Disclosure of User Password Hashes to Privileged Users (CVE-2018-17216)
ThingWorx discloses the PBKDF2WithHmac512 hashed passwords of its application users when doing exports with an administrative account. This enables an attacker to conduct offline brute-force or dictionary attacks against the obtained password hashes.
2) Disclosure of Encrypted Credentials and Use of Hard-Coded Passwords (CVE-2018-17217)
A critical information disclosure vulnerability leaks the AES encrypted passwords of services configured within ThingWorx. Due to a hard-coded master password in the SecureData class, an attacker is able to decrypt the obtained passwords which grants him access to other services. The AES encrypted password gets disclosed in the server response when a user/attacker visits a Thing that contains credentials.
3) Reflected Cross-Site Scripting (CVE-2018-17218)
Proof Of Concept
The proof of concept has been removed from this advisory.
Vulnerable / Tested Versions
The vulnerabilities have been verified to exist in version 8.0.1-b39 which was the latest version available at the time of the test. The vendor provided further affected version information. See the Solution section for reference.