Bishop Fox, the largest private cybersecurity professional services firm focused on offensive security testing, has uncovered a vulnerability in a popular database product from InterSystems. Bishop Fox researchers found multiple security issues including a high-risk security issue in the InterSystems Caché application and therefore also affecting InterSystems Ensemble and Iris applications. Caché is a high-performance object database used to develop software applications for government, business, scientific research, and healthcare industries around the world, including six of the 10 largest investment banks in the U.S.
The high-risk vulnerability centers on cross-site scripting, a vulnerability that can force users to perform arbitrary attacker-controlled actions through client-side code injection. An attacker could exploit this vulnerability by creating a malicious link and enticing an InterSystems Caché user to click on it or by simply visiting the affected application endpoint. In either case, the vulnerability would allow an attacker to surreptitiously exfiltrate the contents of the application database, steal legitimate user’s login credentials, and create new attacker-controlled administrative users.
“Secure database management systems are central to healthcare, government operations, and commercial interests,” said Chris Davis, a security analyst at Bishop Fox, who is one of two researchers responsible for the finding. “Cross-site scripting can be a dangerous attack; it can force users to perform malicious actions on behalf of the attacker without their knowledge. Unfortunately, in this case, simply getting an authenticated user to click a link can lead to a full compromise of the applications databases and access to a great deal of data on the underlying application server.”
The platform covers e entire enterprise technology space- including emerging technologies like RPA, AI, cloud, automation, and the entire gamut of digital transformation tools, strategies and management decisions.
