CVE-2021-38147 in Holmes Orchestrator

Summary

by MITRE • 11/29/2021

Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to download arbitrary files, such as reports containing sensitive information, because authentication is not required for API access to processexecution/DownloadExcelFile/Domain_Credential_Report_Excel, processexecution/DownloadExcelFile/User_Report_Excel, processexecution/DownloadExcelFile/Process_Report_Excel, processexecution/DownloadExcelFile/Infrastructure_Report_Excel, or processexecution/DownloadExcelFile/Resolver_Report_Excel.


Analysis

by VulDB Data Team • 12/02/2021

CVE-2021-38147 affects Wipro Holmes Orchestrator version 20.4.1 (build 20.4.1_02_11_2020). It is an access-control flaw that lets an unauthenticated remote attacker pull sensitive operational data from exposed API endpoints. The weakness sits in the orchestrator's process-execution component: five Excel download endpoints return reports on domain credentials, users, process executions, infrastructure and resolvers, and none of them requires a session or credential. Anyone who can reach the web interface can therefore retrieve these reports without valid credentials, privileged access, or any prior foothold on the system.

The root cause is missing authentication on the API routes, not a parsing or injection bug. The endpoints processexecution/DownloadExcelFile/Domain_Credential_Report_Excel, processexecution/DownloadExcelFile/User_Report_Excel, processexecution/DownloadExcelFile/Process_Report_Excel, processexecution/DownloadExcelFile/Infrastructure_Report_Excel, and processexecution/DownloadExcelFile/Resolver_Report_Excel all serve their files to any client that issues a plain GET, with no mandatory authentication check in front of them. VulDB classifies the flaw under CWE-284 (Improper Access Control); the more specific child weakness is CWE-306 (Missing Authentication for Critical Function). Either way it is a failure of least privilege: a function that should be reachable only by an authorized operator is reachable by everyone.

The impact goes beyond routine information disclosure because of what the reports contain. A domain credential report may expose account names, authentication patterns and security configuration; the user report, employee access and usage patterns; the process report, automation workflows and business processes; the infrastructure report, system architecture and host details; the resolver report, the network-resolution mechanisms the orchestrator depends on. Together these give an attacker a map of the environment and, potentially, credentials for it, which supports targeted follow-on attacks and lateral movement. VulDB maps the vulnerability to ATT&CK T1083 (File and Directory Discovery) and T1005 (Data from Local System). Both are host-level techniques, while the access here happens over the network with no foothold, so the exploitation step itself is better described by T1190 (Exploit Public-Facing Application); the discovery and collection techniques describe what the stolen reports then enable.

Organizations running Wipro Holmes Orchestrator 20.4.1 should treat this as urgent. Apply the vendor's fix where one is available; until then, the most effective compensating control is at the network level: restrict access to the orchestrator's web interface to the management network or a VPN so that the unauthenticated routes are not reachable from untrusted networks. On the application side the fix is to enforce authentication and role-based authorization on every report-download route, and to review the rest of the API for other routes that lack the same check, since a framework that omitted it on five endpoints may have omitted it elsewhere. Because exploitation leaves no trace in the application's own user activity (there is no user), the only record is the web server's access log: retain it, and alert on successful (HTTP 200) requests to the five download paths, particularly from addresses outside the expected operator range. Treat any such hit from before the fix was applied as a potential exposure of every credential and host named in the reports. The case is a reminder that defense in depth matters for automation platforms: one missing authorization check on a reporting endpoint handed out the same data an authenticated attacker would otherwise have had to earn.
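As an added example (not VulDB's or Wipro's code), the following Python script does the two things a practitioner wants after reading the endpoint list and the monitoring advice above: it probes the five download paths without any credential and classifies each answer, and it sweeps web-server access-log lines for past successful downloads. The orchestrator host name, the login-redirect heuristic, the assumed combined log format and the sample log lines are constructed assumptions; only the endpoint paths come from the advisory. Run the probe only against systems you are authorized to test.

```python
"""Checks for CVE-2021-38147 (Wipro Holmes Orchestrator 20.4.1).

Added example, not vendor code. The endpoint paths are from the advisory;
the host name, log format and sample log lines below are assumptions.
"""
import re
import urllib.error
import urllib.request

# Paths named in the advisory, relative to the orchestrator's web root.
REPORT_ENDPOINTS = [
    "processexecution/DownloadExcelFile/Domain_Credential_Report_Excel",
    "processexecution/DownloadExcelFile/User_Report_Excel",
    "processexecution/DownloadExcelFile/Process_Report_Excel",
    "processexecution/DownloadExcelFile/Infrastructure_Report_Excel",
    "processexecution/DownloadExcelFile/Resolver_Report_Excel",
]

# Content types a server is likely to put on an Excel download (assumption).
XLSX_TYPES = (
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "application/vnd.ms-excel",
    "application/octet-stream",
)


def classify_response(status: int, content_type: str, body_prefix: bytes) -> str:
    """Interpret what an unauthenticated GET returned.

    'exposed'   : 200 with an OOXML/zip body (starts with "PK") or a
                  spreadsheet content type: the report came back.
    'protected' : 401/403, or a redirect (assumed to be a bounce to login).
    'unknown'   : anything else (error page, empty 200, odd content type).
    """
    ctype = content_type.split(";")[0].strip().lower()
    if status == 200 and (body_prefix.startswith(b"PK") or ctype in XLSX_TYPES):
        return "exposed"
    if status in (401, 403) or 300 <= status < 400:
        return "protected"
    return "unknown"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as HTTPError instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url: str, timeout: float = 10.0) -> dict:
    """GET each endpoint with no cookies or auth header and classify the result."""
    results = {}
    opener = urllib.request.build_opener(NoRedirect())
    for path in REPORT_ENDPOINTS:
        url = base_url.rstrip("/") + "/" + path
        req = urllib.request.Request(url, headers={"User-Agent": "cve-2021-38147-check"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                results[path] = classify_response(
                    resp.status, resp.headers.get("Content-Type", ""), resp.read(4))
        except urllib.error.HTTPError as e:
            results[path] = classify_response(e.code, e.headers.get("Content-Type", ""), b"")
        except (urllib.error.URLError, OSError) as e:
            results[path] = "error: %s" % e
    return results


# Apache/nginx combined log format (assumption; the product may log differently).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')


def scan_access_log(lines):
    """Return (client, timestamp, path) for every HTTP 200 on a report endpoint.

    On 20.4.1 no session is needed to get a 200 here, so any hit deserves a
    look; hits from outside the operator network deserve an incident ticket.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?")[0].strip("/")
        if m.group("status") == "200" and any(
                path.lower().endswith(ep.lower()) for ep in REPORT_ENDPOINTS):
            hits.append((m.group("client"), m.group("ts"), path))
    return hits


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Nov/2021:10:01:22 +0000] "GET /processexecution/DownloadExcelFile/Domain_Credential_Report_Excel HTTP/1.1" 200 48211 "-" "curl/7.68.0"',
    '10.0.0.5 - - [30/Nov/2021:10:02:03 +0000] "GET /processexecution/ProcessList HTTP/1.1" 200 1201 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Nov/2021:10:02:41 +0000] "GET /processexecution/DownloadExcelFile/User_Report_Excel HTTP/1.1" 200 9907 "-" "curl/7.68.0"',
    '198.51.100.2 - - [30/Nov/2021:10:03:00 +0000] "GET /processexecution/DownloadExcelFile/Process_Report_Excel HTTP/1.1" 302 0 "-" "python-requests/2.25"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("report download:", hit)
    # probe("https://orchestrator.example.internal")  # hypothetical host name
```

The probe deliberately does not follow redirects: a patched or fronted deployment typically answers these paths with a 302 to a login page, and following it would turn a "protected" result into a misleading 200 on HTML. The log sweep keys on status 200 only, because a 302 or 401 on the same path is the server doing its job.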

Reservation

08/05/2021

Disclosure

11/29/2021

Moderation

accepted

CPE

ready

EPSS

0.53008

KEV

no

Activities

very low
