| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 5 Aug 2016 11:14:26 +0200 From: Tim Kretschmann <tim.kretschmann@...las.com> To: bugtraq@...urityfocus.com Subject: Sophos Mobile Control EAS Proxy Open Reverse Proxy vulnerability (CVE-2016-6597) Application: Sophos Mobile Control EAS Proxy Versions Affected: 3.5.0.3 Vendor URL: https://www.sophos.com/ Bugs: Open Reverse Proxy Sent: 30.06.2016 Reported: 05.07.2016 Vendor response: 13.07.2016 Published BugFix by vendor: 28.07.2016 Date of Public Advisory: 05.08.2016 Reference: Sophos Case #6061906 Author: Tim Kretschmann (Pallas GmbH) Version and State of report: 0.9 ? PrePublic Description 1. ADVISORY INFORMATION Title: Sophos Mobile Control EAS Proxy Open Reverse Proxy vulnerability Risk: high Advisory URL: https://www.pallas.com/advisories/sophos_eas_open_reverse_proxy_vulnerability Date published: 05.08.2016 Vendors contacted: Sophos 2. VULNERABILITY INFORMATION Impact: access to any web-resources of the backend mail system, if Lotus Traveler option is enabled Remotely Exploitable: Yes Locally Exploitable: No CVE: CVE-2016-6597 CVSS Base Score v2: 8.6 / 10 CVSS Base Vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N 3. VULNERABILITY DESCRIPTION Sophos EAS Proxy is part of the Enterprise Mobility Management (EMM) platform Sophos Mobile Control, which allows control of mail access for managed mobile devices. Anonymous attackers can access any web-resources of the backend mail system like Microsoft Exchange or IBM Domino, if Lotus Traveler option is enabled. Brute force attacks against users in the backend mail system are also possible. 4. VULNERABLE PACKAGES Sophos Mobile Control EAS Proxy Version 3.5.0.3 Other versions are probably affected too, but they were not checked. 5. SOLUTIONS AND WORKAROUNDS Solution: Update to ?Sophos Mobile Control EAS Proxy 6.2.0.exe? Workaround: Disable Lotus Traveler Option if possible, limit access on web-resources of backend mail system 6. AUTHOR Tim Kretschmann (Pallas GmbH) 7. TECHNICAL DESCRIPTION Proof of Concept for IBM Domino https://<PublicIP_of_EASProxy>:<Port_of_EASProxy>/da.nsf https://<PublicIP_of_EASProxy>:<Port_of_EASProxy>/dba4.nsf https://<PublicIP_of_EASProxy>:<Port_of_EASProxy>/homepage.nsf 8. ABOUT Pallas GmbH Pallas GmbH, located in Germany, provides managed and hosting services with focus on Security. Adress: Pallas GmbH, Hermuelheimer Str. 8a, 50321 Bruehl, GERMANY Phone: 0049.2232.18960 -------------------------------------------------------------------- //// pallas Pallas GmbH / Hermülheimer Str. 8a / 50321 Brühl Geschäftsführer: Stephan Sachweh HR B 52019 Amtsgericht Köln -------------------------------------------------------------------- Managed Service - Einfach sicher
Powered by blists - more mailing lists