Message-ID: <936136616.1490.1619768406134@appsuite-dev-guard.open-xchange.com>
Date: Fri, 30 Apr 2021 09:40:06 +0200 (CEST)
From: Martin Heiland via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Open-Xchange Security Advisory 2021-04-30
Dear subscribers,
we're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving these vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.
Yours sincerely,
Martin Heiland, Open-Xchange GmbH
Product: OX App Suite / OX Guard
Vendor: OX Software GmbH
Affected product: OX App Suite
Internal reference: OXUIB-481
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.4 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev23, 7.10.4-rev14
Vendor notification: 2020-09-28
Solution date: 2020-11-23
Public disclosure: 2021-04-30
CVE reference: CVE-2020-28945
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
When searching for contacts in mobile mode (App Suite UI on a smartphone), specific fields of a contact object were not properly handled. This could lead to script execution in case the user's search yields contacts with malicious data.
Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require the victim to execute a specific action.
Steps to reproduce:
1. Create a malicious contact which contains script-code as "position" or "company" value
2. Share the contact with the victim, for example within the same context or as vcard file
3. Make the victim search for this contact in mobile mode
Solution:
We improved how search results in mobile mode are being constructed and delivered, considering user-provided information as potentially malicious.
---
Affected product: OX App Suite
Internal reference: OXUIB-491
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.4 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev23, 7.10.4-rev14
Vendor notification: 2020-10-01
Solution date: 2020-11-23
Public disclosure: 2021-04-30
CVE reference: CVE-2020-28945
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Vulnerability Details:
An undocumented component did not correctly handle user-generated content when displaying the information to a user.
Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require the victim to follow a link provided by the attacker.
Steps to reproduce:
1. Create or upload a malicious "Notes" item
2. Share that item with a user within the same context and make them open it
Proof of concept:
xx ![](http://onerror=Function.constructor`\x61\x6c\x65\x72\x74\x28\x22\x58\x53\x53\x22\x29\x3b`.call``;// ) yy
Solution:
We disabled the ability to launch the undocumented component for the time being and therefore the risk of executing malicious content as code.
---
Affected product: OX App Suite
Internal reference: OXUIB-509
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.4 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev23, 7.10.4-rev14
Vendor notification: 2020-10-12
Solution date: 2020-11-23
Public disclosure: 2021-04-30
CVE reference: CVE-2020-28945
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Vulnerability Details:
Contact "distribution lists" can be created in a way that they contain script code, which is then executed in the "scheduling" view.
Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require the victim to import data and/or execute a specific action.
Steps to reproduce:
1. Create a malicious distribution list where a member contains malicious script code as "common name"
2. Share the distribution list with the victim, for example within the same context or as vcard file
3. Make the victim add this distribution list to "scheduling" view in calendar
Proof of concept:
" " <img/src='x'/onerror='alert("XSS")'/cut=@...mple.com>
Solution:
We improved how the "scheduling" overview is being constructed and delivered, considering user-provided information as potentially malicious.
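The three frontend issues above (OXUIB-481, OXUIB-491 and OXUIB-509) share one root cause: user-supplied values (contact fields, a Notes image URL, a distribution-list member name) reached the page as markup instead of as text. The following JavaScript is an added example and not OX App Suite code; the function names (renderSearchResult*, escapeHtml, safeImageSrc, renderImage), the contact object and the payload are constructed for illustration. It puts the vulnerable concatenation pattern beside the hardened one: escape for the context the value lands in, and restrict the scheme of any URL that is rendered.

```javascript
// Added example (not OX App Suite code): context-aware escaping when a web UI
// renders user-supplied contact fields. Assumed names: renderSearchResult*,
// escapeHtml, safeImageSrc, renderImage; the contact and payload are constructed.

// Constructed contact whose "position" field carries a script-bearing value,
// the kind of data the advisory says reached the mobile search view unescaped.
const hostileContact = {
  display_name: 'Some Body',
  position: '<img src=x onerror=alert(1)>',
  company: 'ACME & Sons',
};

// Vulnerable pattern: user data concatenated straight into markup.
function renderSearchResultVulnerable(contact) {
  return '<li class="contact"><b>' + contact.display_name + '</b> ' +
    contact.position + ' @ ' + contact.company + '</li>';
}

// Escape the five characters that can change meaning in HTML text and in
// quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value ?? '').replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every user-controlled value is escaped for the context it
// lands in, so a value can only ever be displayed, never parsed as a tag.
function renderSearchResult(contact) {
  return '<li class="contact"><b>' + escapeHtml(contact.display_name) + '</b> ' +
    escapeHtml(contact.position) + ' @ ' + escapeHtml(contact.company) + '</li>';
}

// For markup that carries a user-supplied URL (the markdown image in a Notes
// item), additionally restrict the scheme: only http(s) may be rendered.
function safeImageSrc(candidate) {
  let url;
  try {
    url = new URL(String(candidate));
  } catch (e) {
    return null; // not an absolute URL at all
  }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
}

function renderImage(alt, src) {
  const href = safeImageSrc(src);
  if (href === null) return escapeHtml(alt); // fall back to plain text
  // Attribute values are always double-quoted and escaped, so the browser
  // cannot see a second attribute (such as onerror) inside them.
  return '<img alt="' + escapeHtml(alt) + '" src="' + escapeHtml(href) + '">';
}

console.log(renderSearchResultVulnerable(hostileContact)); // contains a live <img ... onerror=...>
console.log(renderSearchResult(hostileContact));           // contains only &lt;img ...&gt;
console.log(renderImage('logo', 'javascript:alert(1)'));   // "logo"
```

In a real UI the same rule is easier to keep by never building markup from strings at all (set `textContent`, create elements and assign attributes via the DOM API); the string form is used here only so the difference between the two patterns is visible in the output.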
---
Affected product: OX App Suite
Internal reference: MWB-646
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev28, 7.10.4-rev14
Vendor notification: 2020-10-12
Solution date: 2020-11-23
Public disclosure: 2021-04-30
CVE reference: CVE-2020-28943
CVSS: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
Vulnerability Details:
Snippets are used to temporarily store content for internal handling, for example when using mail signatures or e-mail attachments while moving them to Drive ("managed files"). The identifier of such a snippet could be defined via an API call and is used as the reference when retrieving the file from any of the caches. When timing this retrieval correctly and waiting for cache eviction and garbage collection, those snippets could be used to reference arbitrary network resources instead of the snippet content while moving the snippet back from the distributed to the local cache. Path traversal techniques could be used to escape the predefined valid URI for those snippets.
Risk:
Arbitrary network resources could be requested by a malicious user through the middleware, including resources within an internal trust boundary where the OX App Suite middleware operates. In the case of web services, this could expose the response of the service to the user. Services that use authentication or do not respond to GET requests are not affected.
Steps to reproduce:
1. Create a snippet (e.g. image attachment) and use a malicious identifier
2. Wait for a couple of minutes until the snippet expires from the local map
3. Request the snippet to force it being requested from the distributed map and use the malicious reference
Solution:
We now use URI encoding when retrieving distributed managed files to avoid the ability to request resources out of scope for the application. Independently of this, we suggest that operators use the existing Security Manager configuration to restrict network access of the middleware process to a reasonable scope.
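To make the MWB-646 fix concrete: the difference between resolving a client-chosen identifier as a URI reference and appending it as a single percent-encoded path segment. The JavaScript below is an added example, not the OX middleware's code; SNIPPET_BASE is a constructed internal base URI, the function names are assumed, and the hostile identifiers are constructed. It shows the vulnerable resolution beside the hardened one, plus a post-resolution check that the result never leaves the base origin and path, which is cheap defense in depth should the encoding ever be bypassed.

```javascript
// Added example (not OX middleware code): resolving a client-chosen managed-file
// identifier against a fixed base URI. Assumed names: SNIPPET_BASE (constructed
// internal host), resolveSnippetUrlVulnerable, resolveSnippetUrl.

const SNIPPET_BASE = 'http://filestore.internal:8080/managedfiles/'; // constructed

// Vulnerable pattern: the identifier is resolved as a URI reference, so an
// absolute URL, a scheme-relative "//host/..." or "../" segments change the
// target host or path.
function resolveSnippetUrlVulnerable(id) {
  return new URL(id, SNIPPET_BASE).href;
}

// Hardened pattern: percent-encode the identifier so it can only ever be one
// path segment below the base, then verify the result before it is fetched.
function resolveSnippetUrl(id) {
  const base = new URL(SNIPPET_BASE);
  const target = new URL(encodeURIComponent(id), base);
  if (target.origin !== base.origin || !target.pathname.startsWith(base.pathname)) {
    throw new Error('managed-file identifier escapes the snippet base URI');
  }
  return target.href;
}

// Constructed identifiers of the kind the API accepted before the fix.
const hostileIds = [
  'http://other-service.internal/status',
  '//other-service.internal/status',
  '../../admin/config',
];

for (const id of hostileIds) {
  console.log('vulnerable:', resolveSnippetUrlVulnerable(id));
  console.log('hardened:  ', resolveSnippetUrl(id));
}
```

Encoding alone makes the three identifiers harmless (they become literal file names under /managedfiles/); the origin and path check is what turns any future encoding mistake into a thrown error rather than an outbound request. Restricting the middleware's egress, as the solution text recommends, remains the control that limits damage if both fail.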
---
Affected product: OX Guard
Internal reference: GUARD-228
Vulnerability type: Denial Of Service (CWE-400)
Vulnerable version: 2.10.4 and earlier
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.10.3-rev8, 2.10.4-rev5
Vendor notification: 2020-11-02
Solution date: 2020-11-23
Public disclosure: 2021-04-30
CVE reference: CVE-2020-28944
CVSS: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L)
Vulnerability Details:
WKS is used as an option to retrieve a user's public key material for encrypted mail communication. In case an attacker sets up malicious WKS infrastructure, OX Guard can be tricked into keeping connections open for a long period of time or processing unusually large chunks of data.
Risk:
OX Guard nodes could be forced to exhaust system resources like network sockets, memory and connection pools. This would lead to temporary unavailability of the service.
Steps to reproduce:
1. Set up a malicious WKS service that responds very slowly and/or with huge amounts of data
2. Add one or more e-mail recipients in OX App Suite whose domain is handled by this malicious WKS service
Solution:
We added timeouts for both size and total connection duration to avoid being stuck processing responses from malicious sources.
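The GUARD-228 fix boils down to two caps on what a client will accept from a remote server it does not control: total bytes and total wall-clock time. The JavaScript below is an added example and not OX Guard code (OX Guard is a Java service); ResponseBudget, consumeBounded and fetchBounded are assumed names, fetchBounded assumes Node 18+ global fetch, and the simulated server timings are constructed. The budget logic is kept separate from I/O so it can be exercised with a fake clock, and the two simulations show a trickling server and a flooding server each being cut off.

```javascript
// Added example (not OX Guard code): bounding what a client will accept from a
// remote key-discovery (WKS) server. Assumed names: ResponseBudget, consumeBounded,
// fetchBounded; the simulated server timings below are constructed.

// Tracks the two limits the advisory describes: total bytes and total duration.
// `now` is injectable so the logic can be exercised without real delays.
class ResponseBudget {
  constructor({ maxBytes, maxDurationMs, now = Date.now }) {
    this.maxBytes = maxBytes;
    this.maxDurationMs = maxDurationMs;
    this.now = now;
    this.startedAt = now();
    this.received = 0;
  }

  // Returns null when the next chunk may be consumed, otherwise a reason
  // string; the caller must stop reading on a non-null result.
  check(chunkLength) {
    const elapsed = this.now() - this.startedAt;
    if (elapsed > this.maxDurationMs) {
      return `response took longer than ${this.maxDurationMs} ms`;
    }
    this.received += chunkLength;
    if (this.received > this.maxBytes) {
      return `response exceeded ${this.maxBytes} bytes`;
    }
    return null;
  }
}

// Drains any iterable of chunks under a budget. Returns the bytes kept and
// the reason the read was cut short (null when the body completed).
function consumeBounded(chunks, budget) {
  let total = 0;
  for (const chunk of chunks) {
    const reason = budget.check(chunk.length);
    if (reason !== null) return { bytes: total, aborted: reason };
    total += chunk.length;
  }
  return { bytes: total, aborted: null };
}

// Real-world shape (Node 18+ global fetch, assumed): the duration limit is
// also handed to the socket via AbortSignal so a silent server cannot hold the
// connection open, and the body is read chunk by chunk under the same budget.
async function fetchBounded(url, { maxBytes, maxDurationMs }) {
  const budget = new ResponseBudget({ maxBytes, maxDurationMs });
  const res = await fetch(url, { signal: AbortSignal.timeout(maxDurationMs) });
  const reader = res.body.getReader();
  const parts = [];
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    const reason = budget.check(value.length);
    if (reason !== null) {
      await reader.cancel(reason);
      throw new Error(reason);
    }
    parts.push(value);
  }
  return Buffer.concat(parts);
}

// Simulation of a slow WKS server with a fake clock (constructed timings):
// each chunk arrives 3 s after the previous one, so the second chunk is
// already past the 5 s limit.
function simulateSlowServer() {
  let clock = 0;
  const budget = new ResponseBudget({ maxBytes: 64 * 1024, maxDurationMs: 5000, now: () => clock });
  function* trickle() {
    for (let i = 0; i < 10; i++) { clock += 3000; yield new Uint8Array(1024); }
  }
  return consumeBounded(trickle(), budget);
}

// Simulation of a server that answers instantly but never stops sending.
function simulateHugeServer() {
  const budget = new ResponseBudget({ maxBytes: 64 * 1024, maxDurationMs: 5000, now: () => 0 });
  function* flood() {
    for (;;) yield new Uint8Array(16 * 1024); // never ends on its own
  }
  return consumeBounded(flood(), budget);
}

console.log(simulateSlowServer());
console.log(simulateHugeServer());
```

Two details matter in practice: the time limit has to cover the whole exchange (connect, headers and body), not just the per-read idle time, otherwise a server that sends one byte every few seconds never trips it; and the size check must run before a chunk is buffered, so the cap bounds memory rather than merely reporting that it was exceeded.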
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/