lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <A0FD6085-E706-4C7A-BE26-3810AA93B34F@open-xchange.com>
Date: Thu, 20 Aug 2020 08:09:49 +0200
From: Open-Xchange GmbH via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] Open-Xchange Security Advisory 2020-08-20

Dear subscribers,

we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX App Suite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
  Martin Heiland, Open-Xchange GmbH



Product: OX App Suite / OX Documents
Vendor: OX Software GmbH



Internal reference: MWB-70 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-02-07
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: raiz_
CVE reference: CVE-2020-12646
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Our script filters did not consider the ancient media-type "text/x-javascript" as potentially malicious, however Google Chrome executes content of this type as script code.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). To exploit this an additional step is necessary which could be achieved through social engineering.

Steps to reproduce:
1. Upload a code snippet to Drive and modify its media-type
2. Share the file publicly and make a user open this link
3. Next, make the user visit a direct API reference to the file and add "delivery=view" as API parameter

Solution:
We improved our filter to consider this media-type.



---



Internal reference: MWB-107 (Bug ID)
Vulnerability type: Improper input validation (CWE-20)
Vulnerable version: 7.10.1 to 7.10.3
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-02-24
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: Osama Hamad Shehab
CVE reference: CVE-2020-12645
CVSS: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
When using OX App Suite for authentication directly, a login "rate-limit" is applied. This could be circumvented by exploiting logic issues when handling the clients user-agent string.

Risk:
Brute-force attempts could be made using large quantities of arbitrary passwords to discover account credentials. While this attack would be quite noisy it's possible that it may not get noticed on unmonitored systems. The attacker would still hit the generic API request limit at some point.

Steps to reproduce:
1. Use the /login API and send login attempts until the rate-limit hits
2. Modify the user-agent string
3. Return login attempts

Solution:
We fixed the logic dealing with buckets of login processes to discover such attempts and correctly apply rate limiting.



---



Internal reference: MWB-108 (Bug ID)
Vulnerability type: Access Control Bypass (CWE-639)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-02-24
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: kattsson
CVE reference: CVE-2020-12643
CVSS: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Incorrect permission checks were performed when requesting other users "snippets". This can be used to discover E-Mail addresses of external accounts.

Risk:
Potentially sensitive information about other users can be discovered and used for further attacks. Access is limited to users within the same context.

Steps to reproduce:
1. Use the /api/subscriptions API and request arbitrary subscription IDs for other user IDs
2. If a combination of user ID and subscription ID matches, metadata about a subscription would be returned

Solution:
We improved permissions checks in this area to limit exposure of information.



---



Internal reference: MWB-120 (Bug ID)
Vulnerability type: Improper input validation (CWE-20)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-02-27
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: kattsson
CVE reference: CVE-2020-12645
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)

Vulnerability Details:
Vacation notices could be used to send E-Mail with arbitrary sender information.

Risk:
Malicious users could set up vacation notices that send E-Mail responses with a forged sender address. Depending on the egress MTA configuration this can be used for impersonification.

Steps to reproduce:
1. Create vacation notice and modify the "From" attribute by changing the API request
2. Make someone send E-Mail to this account or forge a "reply-to" header
3. E-Mail will be sent using illegitimate sender information

Solution:
We applied the same checks for vacation notices as we're using for regular user mail operations.



---



Internal reference: MWB-190 (Bug ID)
Vulnerability type: Cross-site scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-03-24
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: Alexey Petrenko
CVE reference: CVE-2020-12646
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Our script filters did not consider the media-type "text/rdf" as potentially malicious, however Mozilla Firefox executes content of this type as script code.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). To exploit this an additional step is necessary which could be achieved through social engineering.

Steps to reproduce:
1. Upload a code snippet to Drive and modify its media-type
2. Share the file publicly and make a user open this link
3. Next, make the user visit a direct API reference to the file and add "delivery=view" as API parameter

Solution:
We improved our filter to consider this media-type.



---



Internal reference: MWB-221 (Bug ID)
Vulnerability type: Improper input validation (CWE-20)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2019-04-06
Solution date: 2020-05-13
Public disclosure: 2020-08-20
CVE reference: CVE-2020-12645
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Vulnerability Details:
The /apps/load endpoint is used to pre-load various resources for optimized transfer. It's parameters can be abused to process content multiple times.

Risk:
Depending on the environments memory configuration and the amount of requested content, memory exhaustion can be triggered, leading to temporary unavailability of one or more nodes.

Steps to reproduce:
1. Use the /apps/load API endpoint and supply up to 254 content references
2. Repeat and/or run this request in parallel

Solution:
We removed duplicate content from the request and make sure none is processed twice. Since only limited options for content exist we expect this to mitigate the attack vector.



---



Internal reference: MWB-226 (Bug ID)
Vulnerability type: Server-side request forgery (CWE-918)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2019-04-07
Solution date: 2020-05-13
Public disclosure: 2020-08-20
CVE reference: CVE-2020-12644
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The mail account API can be used to inject references to internal network topology when updating existing accounts and subsequent requests would trigger network connections.

Risk:
Based on the response and timing of those connections and attacker can gain insight to internal network topology and configuration. This bypasses the existing blacklist.

Steps to reproduce:
1. Add a new external mail account using a legitimate IMAP server
2. Modify this accounts configuration and add a reference to an internal host
3. Use the /folder/list API to trigger a account refresh

Solution:
We now reject adding blacklisted network endpoints also when updating the account configuration.



---



Internal reference: DOCS-1844 (Bug ID)
Vulnerability type: Cross-site scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: office-web, frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev63, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev10
Vendor notification: 2019-03-06
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: chbi
CVE reference: CVE-2020-8542
CVSS: 2.2 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
When pasting text from a native source to a OX Documents file, script code embedded within the paste content would be executed. This is related to a recent library update.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). To exploit this an additional step is necessary which could be achieved through social engineering.

Steps to reproduce:
1. Create a legitimate looking text documents and hide JS code within it
2. Make a user copy text from a native source (e.g. text file) and paste it to OX Documents

Solution:
We updated DOMpurify to a version which solves this vulnerability.



---



Internal reference: DOCS-1886, OXUIB-158 (Bug ID)
Vulnerability type: Cross-site scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: office-web, frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev63, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev10
Vendor notification: 2019-03-18
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: chbi
CVE reference: CVE-2020-12646
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Script code embedded to PDF files could be executed when using documents preview.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). To exploit this an additional step is necessary which could be achieved through social engineering. To trigger the vulnerable code a specific content-security-policy (worker-src blob:) is required.

Steps to reproduce:
1. Create a malicious PDF file containing script code
2. Send and make a user open this file using preview

Solution:
We updated PDF.js to a version which solves this vulnerability.


Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ