[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Multiple exposures in Sophos UTM
From: Tim Schughart <t.schughart () prosec-networks ! com>
Date: 2016-09-30 9:33:31
Message-ID: 477014167.209443.1475228011651.JavaMail.zimbra () prosec-networks ! com
[Download RAW message or body]
Hello @all,
together with my colleague we found two uncritical vulnerabilities you'll find below.
Product: Sophos UTM
Vendor: Sophos ltd.
Internal reference: ? (Bug ID)
Vulnerability type: Information Disclosure
Vulnerable version: 9.405-5, 9.404-5 and possible other versions affected (not tested)
Vulnerable component: Frontend
Report confidence: yes
Solution status: Not fixed by Vendor, no further responses from vendor.
Fixed versions: -
Researcher credits: Tim Schughart & Khanh Quoc Pham of ProSec Networks
Vendor notification: 2016-09-01
Solution date: -
Public disclosure: 2016-09-30
CVE reference: CVE-2016-7397
CVSSv3: 6.7 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Report timeline:
2016-09-01: Contacted Vendor, vendor acknowledged, no further response
2016-09-12: Contacted Vendor again, started to fix
2016-09-30: Contacted Vendor again, because there has been no response to our request and our \
initial told disclosing date, no response again.
2016-09-30: Public Disclosure.
Vulnerability Details:
The password is reflected to DOM and is readable through the "value" field of the SMTP user \
settings in notifications tab. You have to be authenticated to access the configuration tab.
Risk:
An attacker gets access to the configured mailbox. Because of Sophos UTM is a multi user \
system, this is a problem in bigger company environments with splitted admin rights. The \
surface scope is changed, because in bigger environments you are getting access to the \
configured mailbox, which results in an integrity loss.
Steps to reproduce:
See vulnerability details.
--
Product: Sophos UTM
Vendor: Sophos ltd.
Internal reference: ? (Bug ID)
Vulnerability type: Information Disclosure
Vulnerable version: 9.405-5, 9.404-5 and possible other versions affected (not tested)
Vulnerable component: Frontend
Report confidence: ?
Solution status: Not fixed by Vendor
Fixed versions: -
Researcher credits: Tim Schughart & Khanh Quoc Pham of ProSec Networks
Vendor notification: 2016-09-01
Solution date: -
Public disclosure: 2016-10-01
CVE reference: CVE-2016-7442
CVSSv3: 6.7 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Vulnerability Details:
The password is reflected to DOM and is readable through the "value" field of the proxy user \
settings in the system settings / scan settings / anti spam. You have to be authenticated to \
access the configuration tab.
Risk:
An attacker gets access to the configured proxy user. Because of Sophos UTM is a multi user \
system, this is a problem in bigger company environments with splitted admin rights. The \
surface scope is changed, because in bigger environments you are getting access to the \
configured proxy user, which results in an privilege escalation.
Steps to reproduce:
See vulnerability details.
Best regards / Mit freundlichen Grüßen
Tim Schughart
CEO / Geschäftsführer
--
ProSec Networks e.K.
Ellingshohl 82
56077 Koblenz
Website: https://www.prosec-networks.com
E-Mail: t.schughart@prosec.networks.com
Mobile: +49 (0)157 7901 5826
Phone: +49 (0)261 450 930 90
"This E-Mail communication may contain CONFIDENTIAL, PRIVILEGED and/or LEGALLY PROTECTED \
information and is intended only for the named recipient(s). Any unauthorized use, \
dissemination, copying or forwarding is strictly prohibited. If you are not the intended \
recipient and have received this email communication in error, please notify the sender \
immediately, delete it and destroy all copies of this E-Mail. VAT ID: DE290654714 legal \
domicile Koblenz, HRA 21625."
"Diese E-Mail Mitteilung kann VERTRAULICHE, dem BERUFSGEHEIMNIS UNTERLIEGENDE und/oder \
RECHTLICH GESCHÜTZTE Informationen enthalten und ist ausschließlich für den/die genannten \
Adressaten bestimmt. Jede unbefugte Nutzung, Weitergabe, Vervielfältigung oder Versendung ist \
strengstens verboten. Sollten Sie nicht der angegebene Adressat sein und diese E-Mail \
Mitteilung irrtümlich erhalten haben, informieren Sie bitte sofort den Absender, löschen \
diese E-Mail und vernichten alle Kopien. USt-IdNr.: DE290654714, Amtsgericht Koblenz, HRA \
21625."
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic