-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2021-067
Product:                   ZA|ARC
Manufacturer:              Softwarebüro Zauner GmbH & Co. KG
Affected Version(s):       4.2.0.29
Tested Version(s):         4.2.0.29
Vulnerability Type:        Use of Unmaintained Third Party Components (CWE-1104)
Risk Level:                High
Solution Status:           Open
Manufacturer Notification: 2021-11-09
Solution Date:             No solution yet available
Public Disclosure:         2022-04-01
CVE Reference:             CVE-2017-11509
Author of Advisory:        Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

ZA|ARC is software for archiving digital tachograph data.

The manufacturer describes the product as follows (see [1]):

"With ARC you can easily and securely archive your digital tachograph
data in accordance with the Fahrpersonalgesetz (German Driving Personnel
Act) and the Fahrpersonalverordnung (new) (German Driving Personnel
Ordinance). ARC supports both centralized and decentralized fleets and
can easily consolidate data from multiple branches and affiliated
workshops. This makes the software suitable for fleets of all sizes and
organizational structures."

Because the ZA|ARC installer bundles an outdated Firebird version, ZA|ARC
database servers are vulnerable to known issues, such as CVE-2017-11509.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The ZA|ARC installer bundles an installer for the Firebird database
server. Version 4.2.0.29 of ZA|ARC ships with Firebird version 2.5.8.

Version branch 2.5 of Firebird is discontinued and no longer maintained,
as noted in the Firebird roadmap [4]. It is affected by known security
issues, such as CVE-2017-11509, which allows an authenticated attacker to
run arbitrary code on the database server system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Check the version of the Firebird database installer that is bundled
with the ZA|ARC installer.
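The version check described in the PoC can be scripted so that an inventory of
installer files or `isql -z` banners is screened for the discontinued 2.5
branch automatically. The following Python script is an added example and is
not part of the SySS advisory or of the vendor's tooling. It assumes the
Firebird installer file-name scheme (`Firebird-<version>_<pkg>_<arch>.exe`)
and the `isql -z` banner format shown in the constructed sample inputs; the
build numbers in those samples are assumptions, and only the 2.5 branch and
CVE-2017-11509 come from the advisory itself.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Firebird version branches reported as discontinued in the Firebird roadmap
# cited by the advisory ([4]). The advisory establishes 2.5; keep this set in
# line with the current roadmap when reusing the script.
UNMAINTAINED_BRANCHES = {"2.5"}

# Known issues the advisory attributes to the bundled branch. Entries for other
# branches would have to come from a vulnerability feed (assumption).
BRANCH_ISSUES = {"2.5": ["CVE-2017-11509"]}

# Matches a dotted version such as 2.5.8 or 2.5.8.27089 that is not preceded by
# a digit or a dot, so a suffix like "_0_Win32" or a trailing "Firebird 2.5" in
# the same string is ignored.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


@dataclass(frozen=True)
class FirebirdVersion:
    major: int
    minor: int
    patch: int
    build: Optional[int] = None

    @property
    def branch(self) -> str:
        return f"{self.major}.{self.minor}"

    def __str__(self) -> str:
        base = f"{self.major}.{self.minor}.{self.patch}"
        return base if self.build is None else f"{base}.{self.build}"


def parse_firebird_version(text: str) -> Optional[FirebirdVersion]:
    """Extract the first Firebird version from an installer file name or from
    the banner printed by `isql -z` (format assumed). Returns None if none."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, build = m.groups()
    return FirebirdVersion(int(major), int(minor), int(patch),
                           int(build) if build is not None else None)


def assess(text: str) -> dict:
    """Return a finding for one version string: the parsed version, its
    branch, whether the branch is unmaintained, and the issues tied to it."""
    version = parse_firebird_version(text)
    if version is None:
        return {"source": text, "version": None, "branch": None,
                "unmaintained": False, "known_issues": []}
    return {
        "source": text,
        "version": str(version),
        "branch": version.branch,
        "unmaintained": version.branch in UNMAINTAINED_BRANCHES,
        "known_issues": BRANCH_ISSUES.get(version.branch, []),
    }


def unmaintained_findings(texts):
    """Filter a batch of version strings (e.g. file names from an unpacked
    installer directory) down to those on an unmaintained branch."""
    return [f for f in (assess(t) for t in texts) if f["unmaintained"]]


# Constructed sample inputs: an installer file name in the Firebird naming
# scheme, an `isql -z` banner line, a newer installer and an unrelated file.
# Build numbers are assumptions, not values taken from the advisory.
SAMPLE_INPUTS = [
    "Firebird-2.5.8.27089_0_Win32.exe",
    "ISQL Version: WI-V2.5.8.27089 Firebird 2.5",
    "Firebird-4.0.1.2692_0_x64.exe",
    "readme.txt",
]

if __name__ == "__main__":
    for finding in unmaintained_findings(SAMPLE_INPUTS):
        print(f"{finding['source']}: Firebird {finding['version']} "
              f"(branch {finding['branch']}) is unmaintained; "
              f"known issues: {', '.join(finding['known_issues'])}")
```

Run against the contents of an unpacked ZA|ARC installer directory, the two
2.5 inputs are flagged while the 4.0 installer and the unrelated file are not.
The branch is derived from major and minor only, because maintenance status in
the Firebird roadmap is tracked per branch rather than per patch release.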
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The issue will not be fixed in ZA|ARC. Upgrade to zaarc.next, when
available.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-10-19: Vulnerability discovered
2021-11-09: Vulnerability reported to manufacturer
2021-11-10: Vulnerability report acknowledged by manufacturer
2021-11-16: Discussion of technical information with manufacturer
2022-02-15: Manufacturer confirms that the vulnerability will not be
            fixed for ZA|ARC
2022-04-01: Public disclosure of the vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for ZA|ARC
    https://www.zamik.de/system/fuhrparkmanagement
[2] SySS Security Advisory SYSS-2021-067
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-067.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] Firebird Roadmap
    https://firebirdsql.org/en/roadmap/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.

E-Mail: sebastian.hamann@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc
Key ID: 0x9CE0E440429D8B96
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmJEBw0ACgkQnODkQEKd
i5baxw/9FYREhhXavv4jfmqpFZMwtVbmnIyqcWRYdueX/oh/7EMOnzz8yS2alG0K
o+rz+I1mjSVeTgqn7tID5c90V1C9/5+45t1fZnDAQIcYyMbbOXSTVRabWYj7SlHK
fLC8TPjv9aGQj/AHQCT7QR9rnj7vBWYOerxmzK8k8/SY1L2DIElsUeUQWETlcqgd
wRYRzP5rooUOK/mSJfXxKqYFetLJCXwPEN5mwt3+0osQvwAJAZrjeeU08zzt+5Cp
BBZJihhiQ/9lewOr8uy0sOtX083cuNSR6a9uJXzMpL6GBpo4SGpZE6o3V9W+T/zk
9RYf+CG8RuqJb5iRyKULXE2BKwjqWodIeFlBc+ZFMO8cjlpTqPvRsBg8PROlRlOi
uyf1IFE/sbUTPXH6A5gj70J3MMpLkP1+8hDsI41ZqH/QbJi9CXwFuHPG8R3T4cmn
a2ql9STuWRTBjsjY6Xbz3bwMr+mmXnFDcDwj3TxQ7QrGVfWwyz5HiPQGB1hQjTsA
LMaZWwS4cNPkLWYm19ryI2BMX5G+T95y+rVLZEY3Zk4eL2dsBHI8d2ELw9JCblqk
EUEsqlfURVhdlVTwiH6h1frzgaESb579EFChj2VhZQocdIp/AiklYNvS5B+Wpo8M
Rii6XmouGSobg/2aYqGiyyyVuhGUt1ncK78sVUi3h4bIo6rdjPA=
=QyLv
-----END PGP SIGNATURE-----