Message-Id: <7DE9A7CA-7E1A-4D75-BF7B-E7EB74A00D42@open-xchange.com>
Date: Wed, 19 Feb 2020 14:40:37 +0100
From: Open-Xchange GmbH via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] Open-Xchange Security Advisory 2020-02-19

Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving these vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH



Product: OX App Suite / OX Documents
Vendor: OX Software GmbH

Internal reference: 67871, 68258 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-10-31
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Vulnerability Details:
The attachment API for Calendar, Tasks, etc. allows defining references to e-mail attachments that should be added. Such a reference was not checked against a sufficient protocol and host blacklist.

Risk:
Users can trigger API calls that invoke local files or URLs. Content provided by these resources would be added as an attachment.

Steps to reproduce:
1. Create a task
2. Use the /ajax/attachment?action=attach API call and provide a URL
    "datasource": {
        "identifier": "com.openexchange.url.mail.attachment",
        "url": "file:///var/file"
    }

Solution:
We have implemented a protocol and host blacklist to avoid invoking any file-system references and local addresses.



---



Internal reference: 67874 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-10-31
Solution date: 2019-12-09
Public disclosure: 2020-02-19
Researcher Credits: chbi
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The RSS feature allows adding arbitrary data sources. To avoid exposing confidential data, we implemented a host blacklist and a protocol whitelist. Due to an error, the host blacklist was not checked when the protocol passed the whitelist.

Risk:
Users can trigger API calls that invoke local URLs. If a host can be accessed, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology and services.

Steps to reproduce:
1. Create an RSS feed
2. Use http://127.0.0.1.nip.io:80/test.xml as RSS feed
3. Monitor the response code

Solution:
We fixed the blacklist evaluation and avoid access to blacklisted hosts regardless of the port evaluation. Please consider adjusting com.openexchange.messaging.rss.feed.blacklist to your network layout.



---



Internal reference: 67931, 68258 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-11-04
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The snippets API allows adding arbitrary data sources. Such a reference was not checked against a sufficient protocol and host blacklist.

Risk:
Users can trigger API calls that invoke local URLs. If a host can be accessed, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology, services and files.

Steps to reproduce:
1. Create a snippet with HTML content
2. Include a reference to an internal host/service
<img src="http://localhost:22/badboy">
3. Monitor the response code

Solution:
We implemented a protocol and host blacklist to avoid invoking any file-system references and local addresses.



---



Internal reference: 67980 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-11-05
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The mail accounts feature allows adding arbitrary data sources. To avoid exposing confidential data, we implemented a host blacklist and a protocol whitelist. Due to an error, the host blacklist was not checked when the protocol passed the whitelist.

Risk:
Users can trigger API calls that invoke local URLs. If a host can be accessed, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology and services.

Steps to reproduce:
1. Create a mail account
2. Use 127.0.0.1:143 as IMAP server
3. Monitor the network socket

Solution:
We fixed the blacklist evaluation and avoid access to blacklisted hosts regardless of the port evaluation. Please consider adjusting com.openexchange.mail.account.blacklist to your network layout.



---



Internal reference: 67983 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2
Vulnerable component: office
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.2-rev4
Vendor notification: 2019-11-05
Solution date: 2019-12-09
Public disclosure: 2020-02-19
Researcher Credits: chbi
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
Recent versions of OX Documents allow inserting images from URL sources. Since no sufficient blacklist was in place, this allowed making the server request arbitrary image resources.

Risk:
Users can trigger API calls that invoke local URLs. If a host can be accessed, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology and services.

Steps to reproduce:
1. Create an OX Documents document
2. Insert an image from URL and specify a local address, like http://127.0.0.1/test.jpg
3. Monitor the response code

Solution:
We implemented a host blacklist to avoid invoking any local addresses and operator-defined network blocks. Please consider adjusting com.openexchange.office.upload.blacklist to your network layout.



---



Internal reference: 68252 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: readerengine
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev10, 7.10.1-rev5, 7.10.2-rev6
Vendor notification: 2019-11-15
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
Documentconverter can be used to convert "remote" URLs and return images. The source of those URLs was not checked against a blacklist.

Risk:
Local resources like images or websites could be invoked by end users, and their content exposed through the generated image.

Steps to reproduce:
1. Create a document and use an image "from URL"
2. Enter a URL that redirects to the local documentconverter instance, which in turn contains a reference to a local resource
http%3A//localhost%3A8008/documentconverterws%3Faction%3Dconvert%26url%3Dhttp%253A//localhost/%26targetformat%3Dpng

Solution:
We now reject redirects and check provided URLs against blacklists and protocol whitelists.
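The fixes described throughout this advisory, as an added Python example that is not Open-Xchange code: a protocol whitelist, a host blacklist that is evaluated even when the protocol check passed (the evaluation error described for the RSS feed and mail account entries), resolution of hostnames so that a name pointing at a local address is caught by what it resolves to, and refusal to follow redirects as in the documentconverter fix. The blocked ranges, the resolver helper and the handler class are assumptions, not the product's own configuration or API.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # protocol whitelist: file:, ftp:, ... never reach the fetcher

# Host blacklist: loopback, RFC 1918, link-local and "this host" ranges. These
# defaults are assumed here; an operator adds their own network blocks, as the
# advisory's *.blacklist properties allow.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

def system_resolver(host):
    """All addresses a name resolves to: 127.0.0.1.nip.io is judged by what it points at."""
    return {ai[4][0].split("%")[0] for ai in socket.getaddrinfo(host, None)}

def check_url_buggy(url):
    """The evaluation error described for RSS feeds and mail accounts: a URL whose
    protocol passes the whitelist is accepted without the host ever being checked."""
    return urlsplit(url).scheme.lower() in ALLOWED_SCHEMES

def check_url(url, resolver=system_resolver):
    """Return (allowed, reason); the host blacklist runs even after the protocol passed."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"protocol {parts.scheme!r} not whitelisted"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = {ipaddress.ip_address(host)}            # literal IPv4/IPv6 address
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except OSError:                                 # NXDOMAIN, resolver failure, ...
            return False, f"cannot resolve {host!r}"
    for addr in addrs:
        if any(addr in net for net in BLOCKED_NETWORKS):
            return False, f"{host!r} resolves to blacklisted address {addr}"
    return True, "ok"

class RejectRedirects(urllib.request.HTTPRedirectHandler):
    """A 3xx could send a validated URL back to a local service, so the fetcher
    refuses every redirect; use urllib.request.build_opener(RejectRedirects())."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx response
```

Checking the URL and then connecting remain two separate steps, so a fetcher should also pin the connection to the address that was checked (or re-check at connect time); otherwise a name that resolves differently between the two lookups bypasses the list.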



---



Internal reference: 68136 (Bug ID)
Vulnerability type: Missing escaping (CWE-116)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: readerengine
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev6, 7.10.1-rev4, 7.10.2-rev3
Vendor notification: 2019-11-11
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-9853 (LibreOffice)
CVSS: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Vulnerability Details:
We have backported recent updates of LibreOffice, which is used by readerengine. This fixes potential vulnerabilities that are not directly related to readerengine.

Risk:
Existing vulnerabilities in upstream projects could be exploited in the context of OX App Suite / OX Documents. This is a precautionary update.

Steps to reproduce:
1. n/a

Solution:
n/a



