X41 D-SEC GmbH Advisory: X41-2019-008

Vulnerable Components in Cerner medico

Severity Rating: Medium

Confirmed Affected Versions: unknown

Confirmed Patched Versions: Defect 226386, Hotfix H26001200000

Vendor: Cerner Health Services Deutschland GmbH

Vendor URL: https://www.cerner.com

Vendor Reference: https://www.cerner.com/de/de/loesungen/medico

Vector: Adjacent Network

Credit: X41 D-SEC GmbH

Status: Public

CVE: CVE-2020-11674, CVE-2020-11675, CVE-2020-11676, CVE-2020-11677

CVSS Score: 6.3

CVSS Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Advisory-URL: None

Summary and Impact

During a penetration test, a Cerner medico hospital information management system was found to have numerous security issues. A process called slim_proxy was observed running and listening on the network. When this custom component was investigated, its source code was discovered on the system; copyright banners showed that the code was written by Cerner. A cursory review revealed numerous security issues which, if reachable by an attacker, would allow the attacker to take complete control of the software. The folder copied during the investigation does not contain all components of the software, so with this very limited view it cannot be determined whether the vulnerabilities are reachable from the network. However, the number of potentially critical vulnerabilities in a very sensitive information system prompted X41 to issue this advisory.

Product Description

The Cerner medico hospital information management system helps manage and control electronic health records in hospitals.

Analysis

As part of the pentest, X41 copied a folder called BINC containing the source files crypt.cpp, dpscrypt.c, mkdict.c, ntmkcr.c, and slim_proxy.c, as well as compiled binaries or object files. Most of the files have copyright headers attributing them to Cerner. Because this is not the complete software and no documentation was available, no thorough audit was performed, and the relationship between the tools is only partially known. Bugs in the argument parsing may be exploitable only by a local user, or may be triggerable over the network if the tool is invoked by another component on the system. In either case, such bugs are considered indicative of the kinds of mistakes the developers made.

slim_proxy.c contains a function showInode() which copies the result of iso2utf() into a buffer of 500 bytes. The result of iso2utf() can be up to 1000 bytes long (presumably because every non-ASCII byte of ISO-8859-1 input expands to two bytes in UTF-8), so the copy can overflow the buffer. The function refreshList() uses the variable output without initialising it, potentially leading to data corruption.

dpscrypt.c also contains multiple buffer overflow vulnerabilities: command line arguments as well as environment variables are copied into fixed-length buffers using strcpy(). Since no length limit is applied, an oversized value overflows the buffer. Furthermore, the purpose of this utility appears to be to encrypt passwords with the DES algorithm, which with its 56-bit key has long been considered broken. The file crypt.cpp contains an implementation of DES to facilitate this.
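The two overflow patterns above, as an added example that is not part of the advisory or of Cerner's code: a conversion routine in the style of iso2utf(), assumed here to turn ISO-8859-1 into UTF-8 (so every byte of 0x80 and above becomes two bytes, which is how 500 input bytes can produce the 1000-byte result mentioned above), with a bounded variant; and a bounded replacement for the strcpy() of command line or environment input into a fixed buffer as found in dpscrypt.c and mkdict.c. Function names, buffer sizes and the sample input are illustrative.

```c
/* Added example, not Cerner's code: the two overflow patterns above, each
 * beside a bounded variant. iso2utf() is assumed to convert ISO-8859-1 to
 * UTF-8, where every byte >= 0x80 becomes two bytes, so 500 input bytes can
 * yield 1000 output bytes. Function names and buffer sizes are illustrative. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHOWINODE_BUF 500   /* destination buffer size in showInode(), per the advisory */
#define ENV_BUF       30    /* environment-variable buffer size in mkdict.c, per the advisory */

/* UTF-8 bytes needed for the ISO-8859-1 string in (excluding the NUL). */
size_t iso2utf_needed(const char *in)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++)
        n += (*p < 0x80) ? 1 : 2;
    return n;
}

/* Bounded conversion: writes at most cap-1 bytes plus the NUL, never splits
 * a two-byte sequence, and returns the bytes written or -1 if the complete
 * result would not fit (out then holds a NUL-terminated prefix). */
int iso2utf_bounded(const char *in, char *out, size_t cap)
{
    size_t o = 0;
    if (cap == 0) return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        size_t need = (*p < 0x80) ? 1 : 2;
        if (o + need >= cap) { out[o] = '\0'; return -1; }
        if (need == 1) {
            out[o++] = (char)*p;
        } else {
            out[o++] = (char)(0xC0 | (*p >> 6));
            out[o++] = (char)(0x80 | (*p & 0x3F));
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* The dpscrypt.c / mkdict.c pattern: strcpy() of argv or getenv() input
 * into a fixed buffer. copy_arg_unsafe() is the bug as described;
 * copy_arg_bounded() rejects oversized input instead of truncating it,
 * because a silently shortened password or key name is itself a defect. */
void copy_arg_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);                  /* overflows dst when strlen(src) >= its size */
}

int copy_arg_bounded(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(src);
    if (len >= cap) return -1;         /* would not fit including the NUL */
    memcpy(dst, src, len + 1);
    return (int)len;
}

int main(void)
{
    /* Constructed input: 500 bytes of 0xE9 ('e acute' in ISO-8859-1), the
     * worst case for a 500-byte destination. */
    char iso[SHOWINODE_BUF + 1];
    char utf[SHOWINODE_BUF];
    memset(iso, 0xE9, SHOWINODE_BUF);
    iso[SHOWINODE_BUF] = '\0';
    printf("needs %zu bytes, bounded conversion returned %d\n",
           iso2utf_needed(iso), iso2utf_bounded(iso, utf, sizeof utf));   /* 1000, -1 */

    char env[ENV_BUF];
    printf("bounded copy of a 40-byte value: %d\n",
           copy_arg_bounded(env, sizeof env, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));   /* -1 */
    return 0;
}
```

The point of returning -1 rather than truncating is that the caller has to decide what to do with oversized input; in a password or key-handling tool, silently using a shortened value would be a second bug hiding the first.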

ntmkcr.c uses the variable opt_string as both source and destination of sprintf() in the function mod_key_opts(), resulting in undefined behaviour and potential data corruption.

mkdict.c has a similar bug where the variable sbuf is used as both source and destination of sprintf() in the function mask_tick(). It also contains a buffer overflow: an environment variable is copied into a 30-byte buffer with strcpy() without any bounds check.
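The sprintf() self-append pattern from mod_key_opts() and mask_tick(), as an added example that is not code from the advisory or from Cerner, beside a bounded append that fails instead of truncating. Function and variable names are illustrative; opt_string stands for the buffers named above.

```c
/* Added example, not Cerner's code: the sprintf() self-append from
 * mod_key_opts() and mask_tick(), beside a bounded append. Names are
 * illustrative; opt_string stands for the buffers named in the advisory. */
#include <stdio.h>
#include <string.h>

/* The bug: the destination buffer is also a %s argument. The C standard
 * makes this undefined behaviour (copying between overlapping objects), so
 * the result depends on the implementation and the format string: it may
 * appear to work, or the buffer may be overwritten before it is read and
 * come out empty or garbled. There is also no length limit, so a long opt
 * overflows opt_string. */
void append_opt_unsafe(char *opt_string, const char *opt)
{
    sprintf(opt_string, "%s,%s", opt_string, opt);
}

/* Bounded append: write at the current end, hand snprintf() only the
 * remaining space, and treat its "would have needed" return value as a
 * failure instead of accepting a silently truncated option list.
 * Returns the new length, or -1 (leaving buf unchanged). */
int append_opt(char *buf, size_t cap, const char *opt)
{
    const char *end = memchr(buf, '\0', cap);
    if (end == NULL) return -1;                 /* buf is not a string within cap */
    size_t used = (size_t)(end - buf);
    int n = snprintf(buf + used, cap - used, "%s%s", used ? "," : "", opt);
    if (n < 0 || (size_t)n >= cap - used) {
        buf[used] = '\0';                       /* undo the partial write */
        return -1;
    }
    return (int)(used + (size_t)n);
}

/* Builds a comma-separated option string the way the tools above do, safely.
 * Returns the final length, or -1 if any option did not fit. */
int build_opts(char *buf, size_t cap, const char *const *opts, size_t count)
{
    int len = 0;
    if (cap == 0) return -1;
    buf[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        len = append_opt(buf, cap, opts[i]);
        if (len < 0) return -1;
    }
    return len;
}

int main(void)
{
    /* Constructed sample: three options that need 17 bytes in a 16-byte buffer. */
    char buf[16];
    const char *const opts[] = { "ro", "nosuid", "noexec" };
    int len = build_opts(buf, sizeof buf, opts, 3);
    printf("result %d, buffer \"%s\"\n", len, buf);   /* -1, "ro,nosuid" */
    return 0;
}
```

Appending at strlen() offset with the remaining capacity is the idiomatic replacement for self-referential sprintf(); the memchr() check additionally guards against a buffer that was never NUL-terminated, which is exactly the state an earlier overflow can leave behind.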

Data is not escaped when writing a delimited output file, for example in the function write_csvfile(), where values are written without escaping the field delimiter (semicolon). If any field contains a semicolon, it breaks out of the field and shifts the remaining columns of the record.

The code quality overall is considered poor, and the code should not be used to handle data whose confidentiality or integrity is important. Finally, mitigations such as stack canaries, FORTIFY_SOURCE, RELRO, and PIE are not enabled in the compiled binaries, so the memory corruption bugs above are easier to exploit than they would be in a build with current compiler defaults.
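Delimiter escaping for a semicolon-separated file such as write_csvfile() produces, as an added example that is not part of the advisory or Cerner's code. It quotes fields in the RFC 4180 style (double quotes around any field containing the delimiter, a quote, CR or LF, with embedded quotes doubled), which is the usual fix; the original tool's exact output format is not known, so the function names, the quoting convention and the sample record are assumptions.

```c
/* Added example, not Cerner's code: escaping values for a semicolon-
 * delimited output file such as write_csvfile() produces. The quoting
 * convention (RFC 4180 style: quote fields containing the delimiter, a
 * double quote, CR or LF; double embedded quotes) is an assumption, as the
 * original file format is not known. Function names are illustrative. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DELIM ';'

/* True if the field must be quoted to stay a single field. */
static int needs_quoting(const char *s)
{
    const char special[] = { DELIM, '"', '\r', '\n', '\0' };
    return strpbrk(s, special) != NULL;
}

/* Length of the escaped field, without the terminating NUL. */
size_t csv_escaped_len(const char *in)
{
    if (!needs_quoting(in)) return strlen(in);
    size_t n = 2;                               /* surrounding quotes */
    for (const char *p = in; *p; p++) n += (*p == '"') ? 2 : 1;
    return n;
}

/* Writes the escaped field to out (cap bytes). Returns the length written,
 * or -1 if it would not fit. A caller must then fail the record rather
 * than write the raw value, because writing it raw is the injection. */
int csv_escape_field(const char *in, char *out, size_t cap)
{
    size_t need = csv_escaped_len(in);
    if (need >= cap) return -1;                 /* no room for result plus NUL */
    if (!needs_quoting(in)) {
        memcpy(out, in, need + 1);
        return (int)need;
    }
    size_t o = 0;
    out[o++] = '"';
    for (const char *p = in; *p; p++) {
        if (*p == '"') out[o++] = '"';          /* "" represents a literal quote */
        out[o++] = *p;
    }
    out[o++] = '"';
    out[o] = '\0';
    return (int)o;
}

/* Formats one record: fields separated by DELIM, terminated by '\n'.
 * Returns the record length, or -1 if anything did not fit. */
int csv_format_record(char *out, size_t cap, const char *const *fields, size_t count)
{
    size_t o = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        int n = csv_escape_field(fields[i], out + o, cap - o);
        if (n < 0) return -1;
        o += (size_t)n;
        if (o + 1 >= cap) return -1;            /* room for separator and NUL */
        out[o++] = (i + 1 < count) ? DELIM : '\n';
        out[o] = '\0';
    }
    return (int)o;
}

int main(void)
{
    /* Constructed sample record: the first value would otherwise split into
     * two fields, the second contains a quote that must be doubled. */
    const char *const fields[] = { "Doe;John", "say \"hi\"", "plain" };
    char line[64];
    if (csv_format_record(line, sizeof line, fields, 3) > 0) fputs(line, stdout);
    return 0;
}
```

Whatever consumer reads these files must apply the same convention when parsing; escaping on the writer side only helps if the reader does not simply split on semicolons.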

Workarounds

Apply the vendor hotfixes listed above (Defect 226385, Hotfix H26001102000 and Defect 226386, Hotfix H26001200000) so that the installation is at the patch state of 2020-04-01.

Timeline

2019-11-12 Issue found

2020-01-20 Customer of X41 grants permission to pass on the advisory

2020-01-20 BSI contacted by X41

2020-01-22 BSI agrees to take care of contacting the vendor and notifying affected hospitals

2020-02-04 Vendor released Defect 226385, Hotfix H26001102000 to mitigate issues in slim_proxy.c

2020-02-25 Conference between Cerner, BSI and X41

2020-02-26 Vendor released Defect 226386, Hotfix H26001200000

2020-04-01 Vendor states, in connection with the CVE registration, that all risks have been remediated

2020-04-06 X41 sent preliminary advisory to BSI with request to forward it to the vendor

2020-04-07 Vendor received preliminary advisory from BSI

2020-04-21 Vendor sent version numbers of the mitigations to BSI

2020-04-23 X41 released advisory

About X41 D-SEC GmbH

X41 is an expert provider of application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services.

Fields of expertise in the area of application security are security centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and IT security consulting and support services are core competencies of X41.

Author: Luc Gommans
Date: April 23, 2020