critical advisory

ELBA5 5.8.0 Remote Code Execution Vulnerability

ELBA5 version 5.8.0 contains a remote code execution vulnerability (CVE-2018-25272) that allows attackers to obtain database credentials and execute arbitrary commands with SYSTEM level permissions, potentially leading to complete system compromise.

ELBA5 version 5.8.0 is vulnerable to a remote code execution (RCE) vulnerability, identified as CVE-2018-25272. This flaw allows unauthenticated attackers to gain unauthorized access to the underlying database and execute arbitrary commands with SYSTEM level privileges on the host. The vulnerability stems from the application’s use of default credentials for the database connection, weak password storage, and the availability of powerful stored procedures such as xp_cmdshell. Successful exploitation could lead to complete system compromise, sensitive data exposure, and the potential for lateral movement within the network. This vulnerability was published in 2018 but can still be relevant to organizations running older, unpatched versions of ELBA5.

Attack Chain

  1. Attacker identifies a vulnerable ELBA5 5.8.0 instance.
  2. Attacker connects to the database using default connector credentials.
  3. Attacker decrypts the DBA password stored within the database configuration.
  4. Attacker enables the xp_cmdshell stored procedure, if disabled.
  5. Attacker executes arbitrary commands on the host system via xp_cmdshell with SYSTEM privileges. For example, they might use xp_cmdshell 'whoami' to verify their access level.
  6. Alternatively, the attacker adds a backdoor user to the BEDIENER table to maintain persistent access.
  7. Attacker uses the newly created backdoor account to log into the application with elevated privileges.
  8. Attacker exfiltrates sensitive data or performs other malicious actions.

Impact

Successful exploitation of CVE-2018-25272 grants the attacker SYSTEM level access to the server hosting ELBA5. This allows for the complete compromise of the system, including data exfiltration, installation of malware, and potential lateral movement within the network. The attacker can access and potentially modify sensitive data stored within the ELBA5 database, impacting the confidentiality and integrity of the application’s data. The vulnerability allows for the addition of backdoor accounts, ensuring persistence even after the initial vulnerability is patched.

Recommendation

  • Apply any available patches or upgrades to ELBA5 to address CVE-2018-25272.
  • Disable or restrict access to the xp_cmdshell stored procedure in the database to prevent command execution as described in the attack chain.
  • Monitor process creation events for suspicious usage of xp_cmdshell using the provided Sigma rule.
  • Implement strong password policies and avoid the use of default credentials, mitigating the initial access vector described in the attack chain.
  • Audit the BEDIENER table for unauthorized user accounts using the provided Sigma rule.
  • Enable database auditing to detect and respond to suspicious database activity, including attempts to decrypt passwords or modify user accounts.

Detection coverage (2 rules)

Detect xp_cmdshell Usage

Severity: high

Detects the use of the xp_cmdshell extended stored procedure, which can indicate command execution attempts.

Rule type: Sigma | Tactics: execution | Techniques: T1059.001 | Sources: process_creation, windows

Detect Possible Backdoor User Creation in BEDIENER Table

Severity: high

Detects SQL queries that add users to the BEDIENER table, which can indicate backdoor attempts.

Rule type: Sigma | Tactics: persistence | Techniques: T1136.001 | Sources: process_creation, windows
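As an added illustration (not the advisory's own Sigma rules, which are not reproduced here), the following Python applies the logic of the two detections above to constructed Windows process_creation events. The sqlservr.exe-to-cmd.exe parent/child heuristic, the field names and every event shown are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]  # one process_creation record: Image, ParentImage, CommandLine

# Rule 1: xp_cmdshell usage, either named on a command line (e.g. via sqlcmd) or,
# as an assumed heuristic, cmd.exe spawned by sqlservr.exe (how xp_cmdshell runs).
XP_CMDSHELL_RE = re.compile(r"xp_cmdshell", re.IGNORECASE)

# Rule 2: an INSERT targeting the BEDIENER table, tolerating a schema prefix and
# bracket quoting such as dbo.[BEDIENER].
BEDIENER_INSERT_RE = re.compile(
    r"INSERT\s+INTO\s+(?:[\w\[\]]+\.)?\[?BEDIENER\]?", re.IGNORECASE)

def rule_xp_cmdshell(ev: Event) -> bool:
    if XP_CMDSHELL_RE.search(ev.get("CommandLine", "")):
        return True
    parent, image = ev.get("ParentImage", "").lower(), ev.get("Image", "").lower()
    return parent.endswith("\\sqlservr.exe") and image.endswith("\\cmd.exe")

def rule_bediener_insert(ev: Event) -> bool:
    return bool(BEDIENER_INSERT_RE.search(ev.get("CommandLine", "")))

RULES = [
    ("Detect xp_cmdshell Usage", rule_xp_cmdshell),
    ("Detect Possible Backdoor User Creation in BEDIENER Table", rule_bediener_insert),
]

def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule title) for every event a rule fires on."""
    return [(i, title) for i, ev in enumerate(events)
            for title, rule in RULES if rule(ev)]

# Constructed sample events (not real telemetry). Event 0 is what the
# xp_cmdshell 'whoami' check from the attack chain looks like on the host.
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": SQLSERVR,
     "CommandLine": r'"cmd.exe" /c whoami'},
    {"Image": r"C:\Tools\sqlcmd.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "sqlcmd -S . -Q \"EXEC xp_cmdshell 'whoami'\""},
    {"Image": r"C:\Tools\sqlcmd.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "sqlcmd -S . -Q \"INSERT INTO dbo.BEDIENER (NAME) VALUES ('svc')\""},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]
```

Running evaluate(SAMPLE_EVENTS) flags events 0 and 1 under the xp_cmdshell rule and event 2 under the BEDIENER rule; the notepad event produces no hit.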
