X41 D-SEC GmbH Security Advisory: X41-2019-007
Severity Rating: High
Confirmed Affected Versions: GeDoWin Geburt since version 2012.2
Confirmed Patched Versions: GeDoWin Geburt 2020.2 SP1, GeDoWin Geburt 2020.2
Vendor: Saatmann GmbH & Co. KG
Vendor URL: https://www.saatmann.de
Vendor Reference: https://www.saatmann.de/Kunden/Kunden_pwd_Geburt.htm
Credit: X41 D-SEC GmbH, Niklas Abel
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
The GeDoWin Geburt software backend stores clear-text credentials in its MSSQL database if it was upgraded from a legacy system. The clear-text credentials are the ones that were used before the upgrade from the legacy system and may since have been replaced by the users. When a user tries to log in, GeDoWin Geburt queries the remote database and receives the old credentials in XML format. Due to internal caching of valid database credentials, this also worked with wrong login credentials in our test. The credentials in the XML file are stored in plain text and are not secured in any way. An attacker could obtain all old, unprotected credentials of GeDoWin Geburt users this way. This could give an attacker credentials that may still be valid and that the users may also use for other services.
GeDoWin Geburt is software for birth documentation in labor and delivery units. Multiple clients share one remote database.
GeDoWin Geburt stores the old passwords without protection in the T_GNG_Personal table. This could violate the General Data Protection Regulation and exposes the users' old credentials to risk. Due to internal caching, a GeDoWin Geburt client can log in to the GeDoWin Geburt database with invalid credentials if a valid user has logged in with valid credentials on that client before. Therefore even users with invalid credentials could receive the XML file with the clear-text credentials of the old users, log in with those credentials to old accounts whose passwords have not been changed, and also use all services that share the same username and password combination.
The clear-text passwords will be removed when updating to GeDoWin Geburt 2020.2 or later.
The vendor states that the users should have been requested to change their passwords after the upgrade from the legacy system.
All users should be notified to use unique credentials for GeDoWin Geburt and to change their credentials if they still use the passwords which they used for the legacy system.
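The following is an added illustration written for this advisory; it is not code from Saatmann GmbH & Co. KG or from the GeDoWin Geburt product. It models the two weaknesses described above and the corresponding fixes: a user table that still carries clear-text legacy passwords, and a client that reuses a cached database login without re-checking credentials. An in-memory SQLite database stands in for the MSSQL backend, the table is named after T_GNG_Personal as in the advisory, while the column names (legacy_password, password_hash, salt, must_change), the ClientSession class and the sample rows are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample rows standing in for accounts migrated from the legacy system.
LEGACY_ROWS = [
    ("admin", "Passwort1"),
    ("arzt2", "geburt123"),
    ("hebamme1", "Sommer2011!"),
]


def open_vulnerable_db():
    """Stand-in for the MSSQL backend before 2020.2 (column names are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE T_GNG_Personal ("
        "username TEXT PRIMARY KEY, legacy_password TEXT, "
        "password_hash BLOB, salt BLOB, must_change INTEGER NOT NULL DEFAULT 0)"
    )
    db.executemany(
        "INSERT INTO T_GNG_Personal (username, legacy_password) VALUES (?, ?)",
        LEGACY_ROWS,
    )
    db.commit()
    return db


def find_cleartext_rows(db):
    """Detection: accounts that still carry a clear-text legacy password."""
    cur = db.execute(
        "SELECT username FROM T_GNG_Personal "
        "WHERE legacy_password IS NOT NULL AND legacy_password <> '' "
        "ORDER BY username"
    )
    return [row[0] for row in cur]


def hash_password(password, salt, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256, a deliberately slow hash for stored passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def migrate_legacy_passwords(db):
    """Remediation: hash each clear-text value, NULL the clear-text column and
    flag the account so the user must choose a new password at next login."""
    rows = db.execute(
        "SELECT username, legacy_password FROM T_GNG_Personal "
        "WHERE legacy_password IS NOT NULL"
    ).fetchall()
    for username, legacy in rows:
        salt = os.urandom(16)
        db.execute(
            "UPDATE T_GNG_Personal SET password_hash = ?, salt = ?, "
            "legacy_password = NULL, must_change = 1 WHERE username = ?",
            (hash_password(legacy, salt), salt, username),
        )
    db.commit()
    return len(rows)


def verify_login(db, username, password):
    """Check one login attempt against the stored row; hand no secrets back."""
    row = db.execute(
        "SELECT legacy_password, password_hash, salt, must_change "
        "FROM T_GNG_Personal WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return {"ok": False, "must_change": False}
    legacy, digest, salt, must_change = row
    if digest is not None:
        ok = hmac.compare_digest(hash_password(password, salt), digest)
    else:
        # Unmigrated row: the only value to compare against is the clear text.
        ok = legacy is not None and hmac.compare_digest(
            legacy.encode("utf-8"), password.encode("utf-8"))
    return {"ok": ok, "must_change": bool(must_change) if ok else False}


class ClientSession:
    """Models the client behaviour from the advisory: once any valid user has
    authenticated, the cached database access is reused for later attempts."""

    def __init__(self, db):
        self.db = db
        self.cached = False

    def login_vulnerable(self, username, password):
        if not self.cached:
            if not verify_login(self.db, username, password)["ok"]:
                return None
            self.cached = True
        # Two flaws: the credential check is skipped on the cached path, and the
        # user list handed to the client includes the clear-text column.
        return self.db.execute(
            "SELECT username, legacy_password FROM T_GNG_Personal ORDER BY username"
        ).fetchall()

    def login_fixed(self, username, password):
        # Every attempt is verified, and the response carries no secret column.
        if not verify_login(self.db, username, password)["ok"]:
            return None
        return [r[0] for r in self.db.execute(
            "SELECT username FROM T_GNG_Personal ORDER BY username")]
```

Running find_cleartext_rows against the migrated database is the check an operator wants after the update: it must return an empty list. The must_change flag is the programmatic form of the workaround above, forcing a new password for every account whose secret was ever stored in clear text.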
2019-11-07 Issue found
2019-11-11 Vendor contacted through customer of X41
2019-12-02 No updates from the vendor, advisory drafted
2020-01-20 Customer of X41 grants permission to pass the advisory
2020-01-20 BSI contacted through X41
2020-01-22 BSI approved to take care of contacting the vendor and to notify affected hospitals
2020-03-12 Vendor requested CVE ID
2020-03-16 Vendor requested a conference call with X41 to clarify internal program flows
2020-03-19 Vendor had a conference call with X41 to clarify internal program flows
2020-03-19 Vendor published GeDoWin Geburt version 2020.2 to mitigate the cleartext password issue
2020-03-20 X41 added new information from the meeting to the advisory
2020-04-02 Vendor notified X41 that the cached authentication issue was patched in version 2020.2 SP1
2020-04-06 Vendor published version 2020.2 SP1
2020-04-08 X41 published advisory
2020-04-15 X41 adjusted CVSS score based on BSI recommendation
X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and IT security consulting and support services are core competencies of X41.