The bug, CVE-2018-17150, was patched by InterSystems following researchers' disclosure.
PHOENIX, July 24, 2019 /PRNewswire/ -- Bishop Fox, the largest private cybersecurity professional services firm focused on offensive security testing, has uncovered a vulnerability in a popular database product from InterSystems. Bishop Fox researchers found multiple security issues, including a high-risk vulnerability in the InterSystems Caché application that therefore also affects the InterSystems Ensemble and InterSystems IRIS products. Caché is a high-performance object database used to develop software applications for the government, business, scientific research, and healthcare industries around the world, including six of the 10 largest investment banks in the U.S.
The high-risk vulnerability is a cross-site scripting (XSS) flaw: client-side code injection that lets an attacker run script in a victim's browser and so perform arbitrary attacker-controlled actions in that user's session. An attacker could exploit it by crafting a malicious link and enticing an InterSystems Caché user to click on it, or simply by having the user visit the affected application endpoint. In either case, the vulnerability would allow an attacker to surreptitiously exfiltrate the contents of the application database, steal legitimate users' login credentials, and create new attacker-controlled administrative users.
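To make the mechanism concrete, the following is an added illustration, not code from the Bishop Fox advisory or from InterSystems: a hypothetical server-side render function that echoes a request parameter straight into HTML (the generic reflected-XSS sink), the hardened form that HTML-encodes the value first, and a constructed payload of the kind a crafted link would carry. Once such a payload executes in the victim's origin, the browser attaches the victim's session credentials to any request it makes, which is why an XSS in an administrative application can read data and create users as that user. The endpoint path, parameter name and payload here are assumptions for the demonstration.

```javascript
// Added example: a reflected-XSS sink and its hardened form.
// Not code from the InterSystems advisory; names and paths are hypothetical.

// Hypothetical server-side template: reflects a query parameter into the page body.
// This is the vulnerable pattern: untrusted input is concatenated into HTML unencoded.
function renderVulnerable(name) {
  return `<h1>Welcome, ${name}</h1>`;
}

// Entity-encode the characters that let input break out of text or attribute context.
function escapeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;',
  };
  return String(value).replace(/[&<>"'`]/g, (c) => map[c]);
}

// Hardened form: the same template, but every untrusted value is encoded on output.
function renderHardened(name) {
  return `<h1>Welcome, ${escapeHtml(name)}</h1>`;
}

// Constructed attacker payload (hypothetical admin endpoint). Delivered via a crafted
// link such as /welcome?name=<payload>, it runs in the victim's browser with the
// victim's session, so the POST below is authenticated as the victim.
const payload =
  "<script>fetch('/admin/users',{method:'POST',credentials:'include'," +
  "body:'user=attacker&role=admin'})</script>";

// Crude check used by the demo: did a script element the server never wrote end up
// in the response? Real detection would use a browser DOM, but this is enough to
// show the difference between the two renderers.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Render the payload through both templates and report whether script survived.
function demo() {
  return {
    vulnerable: containsScriptTag(renderVulnerable(payload)),
    hardened: containsScriptTag(renderHardened(payload)),
    hardenedOutput: renderHardened(payload),
  };
}

// demo().vulnerable is true, demo().hardened is false.
```

Output encoding at the sink is the direct fix; a Content-Security-Policy that disallows inline script and a short session lifetime reduce the blast radius if an encoding is missed, but neither substitutes for encoding every reflected value.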
"Secure database management systems are central to healthcare, government operations, and commercial interests," said Chris Davis, a security analyst at Bishop Fox, who is one of two researchers responsible for the finding. "Cross-site scripting can be a dangerous attack; it can force users to perform malicious actions on behalf of the attacker without their knowledge. Unfortunately, in this case, simply getting an authenticated user to click a link can lead to a full compromise of the application's databases and access to a great deal of data on the underlying application server."
Antonio Sousa, a managing security associate at Bishop Fox, was also responsible for identifying the vulnerability.
The researchers disclosed their findings to InterSystems and the parties worked together to remediate the issue. Additional technical information on how Bishop Fox found and exploited this vulnerability can be found at https://know.bishopfox.com/advisories/intersystems-cache-2017-2-2-865-0-vulnerabilities.
This successful detection and repair follows a similar success with OpenMRS, an Open Source database management system used in low-resource healthcare environments. Working in close cooperation with volunteer developers on the OpenMRS team, Bishop Fox was able to identify and help repair a critical vulnerability in the webservices.rest module. The patch was released on February 4, 2019. Nicolas Serra, a security associate with Bishop Fox, is credited with identifying the vulnerability.
About Bishop Fox
Bishop Fox is the largest private cybersecurity professional services firm focused on offensive security testing. Since 2005, the firm has provided security consulting services to the world's leading organizations – working with over 25% of the top Fortune 100 companies – to help secure their products, applications, networks, and cloud with penetration testing and security assessments. The company is headquartered in Phoenix, AZ and has offices in Atlanta, GA; San Francisco, CA; New York, NY; and Barcelona, Spain.
View original content to download multimedia: http://www.prnewswire.com/news-releases/bishop-fox-researchers-discover-high-risk-vulnerability-in-intersystems-application-300890036.html