Synopsis
Fortra FileCatalyst Workflow contains a static HSQLDB password that a remote attacker can use to access the internal database service with administrative privileges.
A vendor KB article at <https://support.fortra.com/filecatalyst/kb-articles/how-to-access-the-internal-filecatalyst-workflow-database-NjkzODJhMDctMjQwZC1lZDExLTgyZTUtMDAwZDNhNWE3ZDJj> walks through steps to access the internal FileCatalyst Workflow HSQLDB using a static password "GOSENSGO613" (without quotes).
The internal Workflow HSQLDB is remotely accessible on TCP port 4406 by default. An unauthenticated remote attacker can follow the same steps as the KB article, but with a remote JDBC URL (e.g., jdbc:hsqldb:hsql://<target-host>:4406/hsqldb), to access the internal HSQLDB. Once logged in to the HSQLDB, the attacker can perform malicious operations in the database. For example, the attacker can add an admin-level user to the DOCTERA_USERS table, allowing access to the Workflow web application as an admin user.
Note that on newer Workflow versions, the HSQLDB jar file may be named differently. For example, on Workflow 5.1.6 Build 139, hsqldb-2.7.1-jdk8.jar (instead of hsqldb.jar) is present.
The attacker can also use other tools to access the internal HSQLDB.
While we would generally consider this behavior to be documented and intended functionality, there are several factors leading us to consider this a vulnerability as per current CVE guidelines (https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_4-1_Vulnerability_Determination):
- The level of access provided by these default credentials poses significant risk
- End users are unable to change this password by conventional means
- The service binds to 0.0.0.0:4406 by default
- Per https://filecatalyst.software/workflow.html, it would appear that HSQLDB support has been deprecated, but may still be in production use for older versions
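The two exposure conditions above (a wildcard-bound listener on TCP 4406 and a version older than the fixed release) can be checked from the host side. The following script is an added example, not code from the advisory or from Fortra; it assumes `ss -ltn` / `netstat -ltn` style output (the sample below is constructed) and takes 5.1.7 as the first fixed version, as stated in the Solution section.

```python
"""Added defender-side check: flag a FileCatalyst Workflow host whose
internal HSQLDB listener is bound to every interface and whose version
predates the 5.1.7 fix. Assumes ss/netstat-style listener output."""
import re

FIXED_VERSION = (5, 1, 7)  # first fixed release, per the advisory's Solution section
HSQLDB_PORT = 4406         # default internal HSQLDB port named in the advisory

# Local-address spellings that mean "all interfaces" in ss/netstat output.
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::", "[::ffff:0.0.0.0]"}

# Constructed sample of `ss -ltn` output: one loopback-only HSQLDB listener,
# one wildcard-bound HSQLDB listener, and an unrelated wildcard web port.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    127.0.0.1:4406       0.0.0.0:*
LISTEN 0      128    0.0.0.0:4406         0.0.0.0:*
LISTEN 0      511    [::]:8080            [::]:*
"""


def parse_version(text):
    """Turn '5.1.6 Build 139' or '5.1.7.156' into a (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(p) for p in m.groups())


def is_unpatched(version_text):
    """True when the Workflow version is older than the first fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def exposed_hsqldb_listeners(ss_output, port=HSQLDB_PORT):
    """Return the LISTEN local addresses for `port` bound to a wildcard address."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port ...
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port_text = fields[3].rpartition(":")
        if port_text.isdigit() and int(port_text) == port and host in WILDCARD_ADDRS:
            hits.append(fields[3])
    return hits


if __name__ == "__main__":
    print("unpatched:", is_unpatched("5.1.6 Build 139"))
    print("exposed HSQLDB listeners:", exposed_hsqldb_listeners(SAMPLE_SS))
```

A listener reported only on 127.0.0.1 is not flagged, since a loopback-only binding is not reachable by the remote attacker the advisory describes.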
Solution
Upgrade to FileCatalyst Workflow 5.1.7 or later.
Additional References
https://www.fortra.com/security/advisories/product-security/fi-2024-011
https://filecatalyst.software/public/filecatalyst/Workflow/5.1.7.156/fcweb_releasenotes.html
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.