-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2021-064
Product: ZA|ARC
Manufacturer: Softwarebüro Zauner GmbH & Co. KG
Affected Version(s): 4.2.0.4
Tested Version(s): 4.2.0.4
Vulnerability Type: Storing Passwords in a Recoverable Format (CWE-257)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2021-11-09
Solution Date: No solution yet available
Public Disclosure: 2022-04-01
CVE Reference: CVE-2021-45892
Author of Advisory: Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

ZA|ARC is a software product for archiving digital tachograph data.

The manufacturer describes the product as follows (see [1]):

"With ARC you can archive your digital tachograph data simply and
securely in accordance with the Fahrpersonalgesetz (German Driving
Personnel Act) and the new Fahrpersonalverordnung (Driving Personnel
Ordinance). ARC supports both centralised and decentralised fleets and
can easily consolidate data from multiple branches and affiliated
workshops. This makes the software suitable for all fleet sizes and
organisational structures."

Due to the use of a custom "password encryption" algorithm, ZA|ARC is
vulnerable to the disclosure of the plaintext passwords of its users and
of the database credentials.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The application uses a custom, reversible encryption algorithm for
storing passwords both in the database and in the configuration file
zaarc.ini.

The passwords of the application users are stored in the table BENUTZER
in the columns PASSWORT and TMPASSWORT.

The decryption algorithm can be reverse engineered from the ZA|ARC
executable. Thus, if an attacker finds a way to retrieve the stored
password information from the database or the configuration file, the
plaintext passwords can be recovered easily.
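Added example (not part of the SySS advisory and not ZA|ARC code): the
defensive counterpart to CWE-257 in Python. Passwords are stored with a
salted, iterated one-way function (PBKDF2-HMAC-SHA256 from the standard
library) and verified with a constant-time comparison, so a reader of the
executable learns nothing that lets them recover the plaintext. An audit
helper then scans constructed rows shaped like the BENUTZER table's
PASSWORT and TMPASSWORT columns for values that are not stored one-way.
The base64-based `reversible_store` is a constructed stand-in for any
decodable custom scheme, not the ZA|ARC algorithm; the row key BENUTZERNAME,
the iteration count and the record format `pbkdf2_sha256$...` are
assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumption: work factor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """One-way storage: random per-user salt plus an iterated PBKDF2 digest.

    The record format "pbkdf2_sha256$<iterations>$<salt_b64>$<digest_b64>"
    is an assumption of this example, chosen so the parameters travel with
    the record and can be raised later without breaking old entries.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False          # malformed record: never accept it
    if algorithm != ALGORITHM or rounds <= 0:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def is_one_way(stored: str) -> bool:
    """True if the record carries the one-way scheme's identifier."""
    return stored.split("$")[0] == ALGORITHM


# Constructed stand-in for a "custom encryption" that has a decode routine.
# Whatever the transformation is, shipping its inverse in the executable
# means every stored value is recoverable; base64 just makes that obvious.
def reversible_store(password: str) -> str:
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def reversible_recover(stored: str) -> str:
    return base64.b64decode(stored).decode("utf-8")


def audit_password_columns(rows: List[Dict[str, str]],
                           columns: Tuple[str, ...] = ("PASSWORT", "TMPASSWORT")
                           ) -> List[Tuple[str, str]]:
    """Return (user, column) pairs whose stored value is not one-way.

    Rows mimic the BENUTZER table; the key BENUTZERNAME is an assumption.
    """
    findings = []
    for row in rows:
        for col in columns:
            value = row.get(col)
            if value and not is_one_way(value):
                findings.append((row["BENUTZERNAME"], col))
    return findings


# Constructed sample rows: one migrated user, one legacy user with a
# reversibly stored password and temporary password.
SAMPLE_ROWS = [
    {"BENUTZERNAME": "admin",
     "PASSWORT": hash_password("correct horse", iterations=1000),
     "TMPASSWORT": ""},
    {"BENUTZERNAME": "fahrer01",
     "PASSWORT": reversible_store("Sommer2021"),
     "TMPASSWORT": reversible_store("tmp-1234")},
]

if __name__ == "__main__":
    for user, col in audit_password_columns(SAMPLE_ROWS):
        print(f"{user}.{col} is stored in a recoverable format")
```

The audit only inspects the record prefix, so it is a cheap check to run
against a database dump or a configuration file before and after a
migration; the verification path rejects any record that is malformed or
uses an unknown scheme instead of falling back to a weaker one.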
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH wrote a simple Python script to decode passwords from the
database or the configuration file. It is not included here, since at
the time of the disclosure of this security advisory, no solution was
publicly available.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The issue will not be fixed in ZA|ARC. Upgrade to zaarc.next, when
available.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-10-19: Vulnerability discovered
2021-11-09: Vulnerability reported to manufacturer
2021-11-10: Vulnerability report acknowledged by manufacturer
2021-11-16: Discussion of technical information with manufacturer
2022-02-15: Manufacturer confirms that the vulnerability will not be
            fixed for ZA|ARC
2022-04-01: Public disclosure of the vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for ZA|ARC
    https://www.zamik.de/system/fuhrparkmanagement
[2] SySS Security Advisory SYSS-2021-064
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-064.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.

E-Mail: sebastian.hamann@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc
Key ID: 0x9CE0E440429D8B96
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible.
The latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmJEBw0ACgkQnODkQEKd
i5Yrqw/9GLzW7aMIxRViMUn+i9zX73gqHF8aaoFhb0a0A7AYRWfnSCImLjhyfZ4N
y/mGcI0y8yRSK3ik8PPzU+KafB2uxzUaluO+tzaOVVDMttP4hSQAnIUFhW08dkwx
ggD7mFWvqvOyCZ79HdynpB+1mnCqDd+nw9YPRavXRmK1wiWfFqQQISn1M0leHqFZ
GxL0M1t7Qsde42gV9m3MIHNnUUe3ktcSTKiirAFP+fgXwn6F57I15mdz8f5c9hP9
qHVie1smJubl+2u0crUc55MhTdAIPXKvPq9yhtRPxtFiUBJPMxvbNpq1sD+RAGFi
lVloZGlSG7jwDoph1szMZgT4IaQkrZRGB8pIou2VyTtbGYb3mIDDokRNNZ3+u5yI
D8BA7Cd+OxTqIFpx1QUe0magEpoEPx8hfcXYpAwQgSH2eOGdaenp6ZE/vj8f/s1e
I9/kttPaVmmyxE2WJ8KkVNEMYm2Mhesu5Z6Bycp5GRiP7hDkphLrie5LT+j98Hwz
k4P+ECJ4lTfaiHzAZAtCgfzsjhza08VyV2Dj+9eKp7b0aqH0pkMv5QfJ5JUzSewT
S3AjOvRDg6zLXQFu1V5u1cPeAkJ9c1ZFlO88zsB2E6bYU0EFdSGjtropCCnBW2I1
aMu73I3pwg5sI5BU3n4XPdJiQzlnMUeIIO6jPBRJK419+VetqpU=
=PnpN
-----END PGP SIGNATURE-----