Software Engineering Institute

info:HR is "...a robust, general-purpose Human Resources Information System (HRIS)" that runs on the Microsoft Windows platform and uses Microsoft SQL Server. info:HR stores database credentials in a registry key that allows read access to any local user. The database password is weakly obfuscated with a static key and can be easily deciphered.

Aspects of this vulnerability include CWE-314: Cleartext Storage in the Registry, CWE-327: Use of a Broken or Risky Cryptographic Algorithm.

A local attacker can read and decipher the SQL database password, granting the attacker complete control over the database. The attacker can also read and decipher info:HR application passwords to gain administrative privileges in the application. info:HR systems are likely to contain sensitive personally identifiable information (PII).

Apply an Update
HR Systems Strategies has stated that they will be releasing a patch later this year to address this vulnerability. Customers with a current support contract will be notified upon release and will be provided instructions directly from HR Systems on where download the patch.

Please also consider the following workaround until the patch is released.

Restrict access to the USERPW registry key

Change the ACL on the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\HR Systems\ODBC Setup\USERPW registry key to prevent unauthorized read access. Only allowing legitimate info:HR users to read the USERPW registry key will limit exposure. Legitimate users, however, will still be able to decipher the password and gain elevated privileges for the database.