[FD] Open-Xchange Security Advisory 2020-06-12
Dear subscribers, we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne. Yours sincerely, Martin Heiland, Open-Xchange GmbH Product: OX App Suite / OX Documents Vendor: OX Software GmbH Internal reference: 68441, 68453, 68454 (Bug ID) Vulnerability type: Server-Side Request Forgery (CWE-918) Vulnerable version: 7.10.3 and earlier Vulnerable component: backend, office documentconverter Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.8.4-rev68, 7.10.1-rev28, 7.10.2-rev22, 7.10.3-rev7 Vendor notification: 2019-11-29 Solution date: 2020-03-06 Public disclosure: 2020-06-12 CVE reference: CVE-2019-18846, CVE-2020-8544 CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N) Vulnerability Details: Our blacklisting restrictions for various APIs have flaws that allow attackers to bypass certain checks by using "smart" endpoints. In detail, the check if a URL is blacklisted was triggered independently from accessing the actual resource. Malicious endpoints with knowledge about application state could abuse this to bypass blacklisted resources. The same vulnerability affects multiple components. Risk: Users can trigger API calls that invoke local URLs, if a host can be accessed a different error will be returned compared to unavailable hosts. This can be used to discover an internal network topology and services. Steps to reproduce: 1. Create a RSS feed 2. Specify a resource where the endpoint responds differently based on the request count 3. Return a valid result on the blacklist request but HTTP redirect when actually accessing the resource Solution: We improved the blacklisting check to make sure the actual resource is being checked when retrieving. --- Internal reference: 68478 (Bug ID) Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.3 and earlier Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.8.4-rev62, 7.10.1-rev28, 7.10.2-rev20, 7.10.3-rev6 Vendor notification: 2019-12-02 Solution date: 2020-03-06 Public disclosure: 2020-06-12 CVE reference: CVE-2020-8542 CVSS: 2.2 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N Vulnerability Details: Self-XSS was possible when pasting malicious HTML content to the mail signature editor. This could be used as part of a social engineering scheme. Risk: Users can trigger API calls that invoke local URLs, if a host can be accessed a different error will be returned compared to unavailable hosts. This can be used to discover an internal network topology and services. Steps to reproduce: 1. Ask a user to edit a mail signature and use the "Code" feature 2. Make the user paste malicious HTML Code, for example SVG with embedded JS 3. Example: "> sodales molestie velit Solution: We improved frontend sanitization of user-provided content. --- Internal reference: OXUIB-39 (Bug ID) Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.3 and earlier Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.1-rev28, 7.10.2-rev20, 7.10.3-rev6 Vendor notification: 2020-01-27 Solution date: 2020-03-06 Public disclosure: 2020-06-12 Researcher Credits: zee_shan CVE reference: CVE-2020-8542 CVSS: 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Vulnerability Details: Script code within a HTML E-Mail was executed under certain circumstances, like agreeing to load external images. Risk: Users can trigger API calls that invoke local URLs, if a host can be accessed a different error will be returned compared to unavailable hosts. This can be used to discover an internal network topology and services. Steps to reproduce: 1. Create a malicious mail with external images 2. Make the user load external content within the mail 3. Example:
[FD] Open-Xchange Security Advisory 2020-06-12
Dear subscribers, we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne. Yours sincerely, Martin Heiland, Open-Xchange GmbH Product: OX Guard Vendor: OX Software GmbH Internal reference: GUARD-179 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 2.10.3 Vulnerable component: guard Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.10.2-rev9, 2.10.3-rev4 Vendor notification: 2020-02-04 Solution date: 2020-03-06 Public disclosure: 2020-06-12 CVE reference: CVE-2020-9426 CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: Comments within forged malicious public-keys could contain HTML and Javascript that was not properly sanitized before displaying at Guard settings. Through autocrypt and other mechanisms such keys could get imported without noticing their malicious content. Risk: Users can trigger API calls that invoke local URLs, if a host can be accessed a different error will be returned compared to unavailable hosts. This can be used to discover an internal network topology and services. Steps to reproduce: 1. Create a PGP keypair 2. Use HTML and JS as part of the public keys comment section 3. Distribute this key through mail attachments, autocrypt or HKP Solution: We improved our sanitizing and ensure that external content such as comments are handled safely. --- Internal reference: GUARD-182 Vulnerability type: Server-Side Request Forgery (CWE-918) Vulnerable version: 2.10.3 Vulnerable component: guard Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.10.2-rev9, 2.10.3-rev4 Vendor notification: 2020-02-11 Solution date: 2020-03-06 Public disclosure: 2020-06-12 CVE reference: CVE-2020-9427 CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N) Vulnerability Details: HKP/HKPS key discovery mechanisms are based on DNS service records. Those are probed to look up unknown public-keys but were insufficiently checked for sensitive resource locations. Risk: In case of a malicious DNS server or domain, an attacker could use this technique to redirect HTTP requests to internal networks. Taking timing and response codes into consideration this can be used to determine if a specific port at a internal system is open or not, leading to basic network discovery capabilities for the attacker. Steps to reproduce: 1. Setup a malicious domain with HKP/HKPS service records, point them to a malicious HKP responder 2. At the malicious HKP responder, issue HTTP redirects targetting internal hosts like 127.0.0.1 Solution: We now run HKP responses through existing blacklist mechanisms to avoid accessing internal network resources. --- Internal reference: GUARD-183 Vulnerability type: Server-Side Request Forgery (CWE-918) Vulnerable version: 2.10.3 Vulnerable component: guard Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.10.2-rev9, 2.10.3-rev4 Vendor notification: 2020-02-11 Solution date: 2020-03-06 Public disclosure: 2020-06-12 CVE reference: CVE-2020-9427 CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N) Vulnerability Details: WKS/Webkey services discovery mechanisms are based on DNS service records. Those are probed to look up unknown public-keys but were insufficiently checked for sensitive resource locations. Risk: In case of a malicious DNS server or domain, an attacker could use this technique to redirect HTTP requests to internal networks. Taking timing and response codes into consideration this can be used to determine if a specific port at a internal system is open or not, leading to basic network discovery capabilities for the attacker. Mind that this attack gets mitigated when using DNSSEC, but depending on configuration this might get bypassed or not used. Steps to reproduce: 1. Setup a malicious domain with WKS/Webkey service records, point them to a malicious WKS responder 2. At the malicious WKS responder, issue HTTP redirects targetting internal hosts like 127.0.0.1 Solution: We now run WKS responses through existing blacklist mechanisms to avoid accessing internal network resources. signature.asc Description: Message signed with OpenPGP ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
