CVE-2021-33583

9.8 CRITICAL

📋 TL;DR

REINER timeCard 6.05.07 installs Microsoft SQL Server with a hardcoded sa password in TCServer.jar, allowing attackers to gain full database control. This affects all installations of the specified version. Attackers can read, modify, or delete all timecard data and potentially execute arbitrary commands.

💻 Affected Systems

Products:
  • REINER timeCard
Versions: 6.05.07
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 6.05.07 are vulnerable by default. The vulnerability exists in the TCServer.jar file which contains the hardcoded SQL Server sa password.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the SQL Server instance leading to data theft, data destruction, ransomware deployment, and lateral movement to other systems.

🟠 Likely Case

Unauthorized access to sensitive employee timecard data, payroll manipulation, and potential privilege escalation on the host system.

🟢 If Mitigated

Limited impact if network segmentation prevents external access and internal users lack knowledge of the hardcoded credentials.

🌐 Internet-Facing: HIGH - If the SQL Server is exposed to the internet, attackers can directly connect using the known credentials.
🏢 Internal Only: HIGH - Internal attackers or compromised internal systems can easily exploit this using the hardcoded credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only knowledge of the hardcoded password and network access to the SQL Server instance. The advisory includes technical details that can be used to create exploits.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Contact REINER for updated version information and migration guidance.

🔧 Temporary Workarounds

Change SQL Server sa Password

Platform: Windows

Manually change the sa password for the Microsoft SQL Server instance installed by timeCard

USE master;
ALTER LOGIN sa WITH PASSWORD = 'NewStrongPassword123!';

Network Segmentation

Platform: Windows

Restrict network access to the SQL Server instance using firewall rules

New-NetFirewallRule -DisplayName "Block SQL External" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Block

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the SQL Server from untrusted networks
  • Monitor for authentication attempts using the hardcoded sa credentials and alert on any usage

🔍 How to Verify

Check if Vulnerable:

Check if REINER timeCard version 6.05.07 is installed and examine TCServer.jar for hardcoded SQL credentials using decompilation tools or string extraction.

Check Version:

Check the timeCard installation directory for version information or consult the application's about dialog.

Verify Fix Applied:

Attempt to connect to the SQL Server instance using the previously known hardcoded credentials - connection should fail after password change.

📡 Detection & Monitoring

Log Indicators:

  • SQL Server authentication logs showing sa login attempts
  • Failed login attempts after password change
  • Successful sa logins from unexpected sources

Network Indicators:

  • TCP connections to port 1433 from unauthorized sources
  • SQL protocol traffic to the timeCard server

SIEM Query:

source="sql_server" AND user="sa" AND (event_id=18454 OR event_id=18456)
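
The log indicators above can also be checked directly against the SQL Server error log. The following is an added example, not part of the original advisory or of any REINER tooling: it triages sa login events by source address. The allowlisted address, the `tc_report` user and all sample log lines are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption: hosts that may legitimately log in as sa (placeholder address).
ALLOWED = [ip_network("10.20.0.10/32")]

LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+"
    r"Login (?P<result>succeeded|failed) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

def is_expected(client):
    if client == "<local machine>":   # shared-memory connection on the server
        return True
    try:
        addr = ip_address(client)
    except ValueError:
        return False                  # unparseable source: treat as unexpected
    return any(addr in net for net in ALLOWED)

def triage(lines):
    """Return (timestamp, result, client, severity) for each sa login event."""
    findings = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m or m["user"].lower() != "sa":
            continue
        ok_source = is_expected(m["client"])
        if m["result"] == "succeeded":
            severity = "expected" if ok_source else "critical"
        else:
            severity = "review" if ok_source else "high"
        findings.append((m["ts"], m["result"], m["client"], severity))
    return findings

# Constructed sample lines in SQL Server ERRORLOG format.
SAMPLE = [
    "2021-06-01 08:00:01.12 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.20.0.10]",
    "2021-06-01 09:14:40.77 Logon       Error: 18456, Severity: 14, State: 8.",
    "2021-06-01 09:14:40.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.44]",
    "2021-06-01 09:15:02.03 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.44]",
    "2021-06-01 09:20:11.50 Logon       Login succeeded for user 'tc_report'. Connection made using SQL Server authentication. [CLIENT: 10.20.0.31]",
    "2021-06-01 10:02:19.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: <local machine>]",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep="  ")
```

Successful logins only appear in the error log when SQL Server login auditing is set to record both failed and successful logins; the default records failed logins only.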
