Advisory ID: SYSS-2021-066
Product: ZA|ARC
Manufacturer: Softwarebüro Zauner GmbH & Co. KG
Affected Version(s): 4.2.0.4
Tested Version(s): 4.2.0.4
Vulnerability Type: Cleartext Transmission of Sensitive Information (CWE-319)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2021-11-09
Solution Date: No solution yet available
Public Disclosure: 2022-04-01
CVE Reference: CVE-2021-45894
Author of Advisory: Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

ZA|ARC is a software product for archiving the data of digital tachographs. The manufacturer describes the product as follows (see [1]):

"With ARC you can easily and securely archive your digital tachograph data in accordance with the Fahrpersonalgesetz (German Driving Personnel Act) and the (new) Fahrpersonalverordnung (Driving Personnel Ordinance). ARC supports both central and decentralized fleets and can easily consolidate data from several branches and affiliated workshops. This makes the software suitable for fleets of all sizes and all organizational forms."

Due to the use of an unencrypted database connection, ZA|ARC is vulnerable to machine-in-the-middle attacks, whereby the attacker gains access to database credentials, application credentials and all data stored or viewed in the application.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

On initialization, ZA|ARC connects to a database server, such as Firebird, MS SQL or Oracle. This database stores the application's data, such as application user accounts, driver information and tachograph data.

At least when using a Firebird database, the network communication between the ZA|ARC client application and the Firebird database server is unencrypted.

Note that this vulnerability only affects networked installations, where the ZA|ARC client application runs on a different system from the database server.
For a single-user installation, only localhost is involved in the network traffic, which makes networked attacks pointless.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

For a proof of concept, it is sufficient to run a packet capturing tool such as Wireshark [4] on either the client system or the database server system.

An attacker would need to achieve a machine-in-the-middle position using one of the usual techniques for this purpose, such as ARP spoofing, mDNS spoofing, DNS spoofing, IPv6 router advertisement, etc.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The issue will not be fixed in ZA|ARC. Upgrade to zaarc.next, when available.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-10-19: Vulnerability discovered
2021-11-09: Vulnerability reported to manufacturer
2021-11-10: Vulnerability report acknowledged by manufacturer
2021-11-16: Discussion of technical information with manufacturer
2022-02-15: Manufacturer confirms that the vulnerability will not be fixed for ZA|ARC
2022-04-01: Public disclosure of the vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for ZA|ARC
    https://www.zamik.de/system/fuhrparkmanagement
[2] SySS Security Advisory SYSS-2021-066
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-066.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] Wireshark
    https://www.wireshark.org/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.
E-Mail: sebastian.hamann@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc
Key ID: 0x9CE0E440429D8B96
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
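Supplementary mitigation note for the Solution section above (added here; it is not part of the SySS advisory and not a ZA|ARC fix): where the back end is a Firebird 3.0 or later server, the server's own firebird.conf can refuse cleartext sessions. The fragment below contrasts the relaxed configuration often used to admit older clients with a setting that enforces wire encryption. Which client library ZA|ARC ships, and whether it can negotiate encryption at all, is not stated in the advisory and is treated as unknown here.

```ini
# firebird.conf on the database server (Firebird 3.0 or later assumed).
# Added illustration; not shipped with ZA|ARC or with Firebird.

# Relaxed: encryption is optional.
# A client that does not ask for encryption (an older fbclient, or one
# configured with WireCrypt = Disabled) gets a cleartext session and the
# server accepts it. Allowing Legacy_Auth has the same effect, because
# legacy authentication does not produce the session key that wire
# encryption is built from.
#WireCrypt = Enabled
#AuthServer = Srp, Legacy_Auth

# Hardened: cleartext sessions are refused.
# Required rejects every connection that cannot be encrypted, so a
# client like the one described in the advisory fails to connect
# instead of silently exposing credentials and tachograph data.
WireCrypt = Required

# Only the Srp plugin supplies the session key; keeping Legacy_Auth out
# of the server list removes the downgrade path.
AuthServer = Srp
```

With Required in place, a client that cannot encrypt produces a connection error rather than a working cleartext session, which turns the exposure into something an administrator sees; WireCrypt can also be set per database in databases.conf if only some databases are reached over the network.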