Fortra has disclosed a significant security vulnerability in FileCatalyst Workflow that could allow remote attackers to obtain administrative access. The flaw, tracked as CVE-2024-6633, carries a critical CVSS score of 9.8 and stems primarily from the software's reliance on a static password for its HSQL database connection.
In their advisory, Fortra noted that the default credentials for the HSQL database, which is not intended for production environments, are readily accessible in a vendor knowledge base article. “The misuse of these credentials could compromise the confidentiality, integrity, or availability of the software,” the company stated.
Exploiting the flaw could let attackers manipulate administrative settings by, for instance, creating new admin-level users in the DOCTERA_USERS table. As a result, they could gain access to the Workflow web application with administrative privileges. The bundled HSQLDB, which is included solely to aid initial installation, has been deprecated and is not meant to be deployed in live settings. Users who have not transitioned to a secure alternative database are vulnerable to attack from any host capable of communicating with the HSQLDB, which listens by default on TCP port 4406.
Tenable, a cybersecurity research organization that identified and reported this vulnerability, has emphasized the risks posed by this flaw. Their findings indicate that attackers could connect to the database remotely due to this configuration, allowing for potentially harmful actions under the guise of legitimate access.
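As an added example (not code from Fortra, Tenable, or the original article), the following sketch shows how a defender could check whether the HSQLDB listener on TCP port 4406 is bound to a non-loopback address on a Workflow host. It assumes a Linux host and the output of `ss -ltnH`; the function names and the sample lines are constructed for illustration.

```python
import ipaddress

HSQLDB_PORT = 4406  # default HSQLDB port named in the article

# Constructed sample `ss -ltnH` output from two hypothetical hosts.
SAMPLE_EXPOSED = """\
LISTEN 0 128 0.0.0.0:4406 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""
SAMPLE_LOCAL = """\
LISTEN 0 50 [::ffff:127.0.0.1]:4406 *:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
"""

def parse_listener(line):
    """Return (address, port) for one `ss -ltnH` row, or None if it is not one."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    addr, _, port = fields[3].rpartition(":")
    if not port.isdigit():
        return None
    # Drop IPv6 brackets and any %interface scope suffix.
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, int(port)

def is_loopback_only(addr):
    """True only when the bind address is reachable from the local host alone."""
    if addr in ("*", ""):
        return False  # wildcard bind: every interface
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable: report it so a human reviews it
    mapped = getattr(ip, "ipv4_mapped", None)  # handles ::ffff:127.0.0.1
    return (mapped or ip).is_loopback

def exposed_hsqldb_listeners(ss_output, port=HSQLDB_PORT):
    """List bind addresses on `port` that other hosts may be able to reach."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed and parsed[1] == port and not is_loopback_only(parsed[0]):
            findings.append(parsed[0])
    return findings

if __name__ == "__main__":
    for name, sample in (("host-a", SAMPLE_EXPOSED), ("host-b", SAMPLE_LOCAL)):
        print(name, exposed_hsqldb_listeners(sample) or "no remote-reachable listener")
```

A loopback-only binding narrows who can reach the database but leaves the static credentials in place; the article's remedy remains moving off the bundled HSQLDB and running the fixed release.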
In addition to the HSQL database vulnerability, the recent release of FileCatalyst Workflow version 5.1.7 addresses another high-severity issue: an SQL injection vulnerability with a CVSS score of 7.2. This vulnerability arises from inadequate input validation during the setup process, enabling attackers to manipulate SQL queries. According to Dynatrace researcher Robin Wyss, user input submitted during company information collection is utilized directly in database statements, making it susceptible to unauthorized modification.
The release of the patch on July 2, 2024, reflects a responsible disclosure approach by Fortra to safeguard their users. Business owners should be particularly aware of this vulnerability, especially if they are utilizing FileCatalyst Workflow without proper licensing or configuration.
From a cybersecurity perspective, these vulnerabilities map to MITRE ATT&CK tactics that may have been at play: initial access, where an attacker gets into a system through a known vulnerability, and privilege escalation, where the attacker gains elevated access rights after the initial breach. They underscore the necessity of stringent cybersecurity measures, particularly in environments where sensitive data is at risk.
As cyber threats continue to evolve, vigilance is crucial. Organizations leveraging FileCatalyst Workflow must ensure they are operating on the latest version and maintaining best practices in database configuration to mitigate risks associated with such vulnerabilities.