Aptos Wisal Payroll Accounting Uses Hardcoded Database Credentials

Aptos WISAL payroll accounting uses hardcoded credentials in the Windows client to fetch the complete list of usernames and passwords from the database server, using an unencrypted connection. This allows attackers in a machine-in-the-middle position read and write access to personally identifiable information (PII) and especially payroll data and the ability to impersonate legitimate users with respect to the audit log.

Details

• Product: Aptos Wisal
• Affected Versions: <= 7.14
• Fixed Versions: 7.16
• Vulnerability Type: Hardcoded Database Credentials (per Customer)
• Security Risk: High
• Vendor URL: https://www.aptos.lu/fr/logiciel-wisal/description-du-logiciel
• Vendor Status: fixed version released
• Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-007
• Advisory Status: published
• CVE: CVE-2024-36049
• CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36049

Introduction

“Thousands of salaries are calculated each month by WISAL, quickly, with very little manipulation and many possibilities for automation.” (translated from vendor homepage: https://www.aptos.lu/fr/logiciel-wisal/description-du-logiciel)

More Details

The WISAL payroll accounting software stores accounting data and user accounts in a Sybase ASE database. Users need to login to the WISAL client application to be able to access this data. On startup of the Windows client application, that application connects to the database even before a user logs in. According to Aptos, the credentials used are different per installation. In that step, the following SQL query is sent to the Sybase ASE database using an unencrypted network connection, which can be easily read by attackers in a machine-in-the-middle position:

SELECT wi_users.id, wi_users.appl, wi_users.name, wi_users.passcode,
wi_users.comments, wi_users.invalid_logins, wi_users.last_logon_date,
wi_users.passcode_update_date, wi_users.super_user,
[...]
FROM wi_..users

If the Wisal client and database are not running on the same system, machine-in-the-middle attacks have to be considered depending on the network infrastructure. The database server returns the list of users with encrypted passwords. Then the WISAL client sends the following SQL query for each user account to the database server:

GRANT CONNECT TO <username> IDENTIFIED BY <cleartextpassword>

As these queries contain the cleartext password of each user account, the client application is obviously able to decrypt the passwords that were retrieved from the database. An attacker in a machine-in-the-middle position is able to gain access to all usernames and accounts used by the system. This does not only allow access to payroll information, but also allows attackers to impersonate other legitimate users of the accounting platform, rendering any audit trail not trustworthy. The fact that the WISAL client software uses hardcoded database credentials which are able to access the users table of the database which contains the users’ passwords is considered a vulnerability, which is to be referred to as CVE-2024-36049. Even if an encrypted network connection is used, attackers with access to WISAL client application and its configuration can still abuse this to extract all user’s passwords and possibly impersonate other users.

Proof of Concept

Use a network sniffer like tcpdump or Wireshark on the connection between the WISAL Windows client and the Sybase database server on TCP Port 2638.

Workaround

The network containing the WISAL client and the Sybase database should be separated from the remaining network to hinder machine-in-the-middle attacks, and access should be provided only using secure network tunnels such as VPNs or using Remote Desktop solutions. Note that even with this workaround, multiple legitimate user accounts on the system cannot reliably be told apart in the audit log.

Fix

An encrypted database connection should be used. Version 7.16 should be installed which, according to the vendor, resolves the hard-coded credentials issue in the client.

Security Risk

If the system is used in a way where machine-in-the-middle attacks are possible, the use of an unencrypted database connection is considered to pose a high risk. If multiple users have access to the system, possibly with different privileges, the ability of a malevolent legitimate user (or an attacker) to spoof the audit log is considered a high risk, too.

Timeline

• 2023-10-20 Vulnerability identified
• 2023-11-13 Customer approved disclosure to vendor
• 2023-11-20 Established contact with vendor
• 2023-11-20 Provided vulnerability details to vendor
• 2023-12-20 Discussed possible solutions with vendor
• 2024-02-19 Vendor announces to have a solution within three months
• 2024-05-07 Vendor announces that 7.16 (released on 2024-04-16) provides encrypted connections and resolves the hard-coded credentials issue in the client
• 2024-05-13 Customer agreed to publish this advisory
• 2024-05-23 Advisory released

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/

Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/