All versions up to and prior to Hyland OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 (tested: 18.0.0.32) suffer from a Unity client malformed image denial of service vulnerability.
413233f3535ffbe6e51b37b73701da05CVSSv3.1 Score
-------------------------------------------------
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Vendor
-------------------------------------------------
Hyland Software - (https://www.hyland.com/en/ and https://www.onbase.com/en/)
Product
-------------------------------------------------
Hyland OnBase
All derivatives based on OnBase
Versions Affected
-------------------------------------------------
All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 (tested: 18.0.0.32). OnBase Foundation EP2 and OnBase Foundation EP3 were not available to test, but Hyland's response indicates that they are not likely to have fixed the vulnerabilities.
Credit
-------------------------------------------------
Adaptive Security Consulting
Vulnerability Summary
-------------------------------------------------
Hyland OnBase's Unity Client is vulnerable to denial of service using malformed images.
Technical Details
-------------------------------------------------
The Hyland OnBase Unity Client is vulnerable to denial of service using malformed JPEGs and PNGs. The Unity Client fails to properly handle highly compressed images that contain extremely large dimensions, allowing attackers to store malicious images in OnBase that cause the Unity Client to consume large amounts of CPU and memory and crash when the user tries to view the image.
Solution
-------------------------------------------------
Unfortunately, attempts to notify Hyland of the vulnerabilities have been rebuffed as not being something that they have to fix since fixing vulnerabilities, according to the Director of Application Security, is "creating custom code" and no known fix is in place.
Timeline
-------------------------------------------------
07 May 2019 - Adaptive Security Consulting discovered a series of vulnerabilities in medical records management and
search applications being considered by our client
15 May 2019 - The client was provided with the results of the assessment, including POCs for a number of high and critical vulnerabilities
12 July 2019 - Client asked for more information and demonstrations
01 October 2019 - Client asked to test latest version of Hyland software
15 October 2019 - Client was informed that EP1 contained many of the same vulnerabilities
March 2020 - Client contacted Hyland and spoke with the Director of Application Security who said that fixing vulnerabilities was "writing custom code" and that Hyland "doesn't write custom code"
21 April 2020 - Adaptive Security Consulting attempted to contact Hyland's Application Security Team via email on behalf of client, but attempts were ignored