
List:       full-disclosure
Subject:    [FD] Open-Xchange Security Advisory 2020-02-19
From:       Open-Xchange GmbH via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2020-02-19 13:40:37
Message-ID: 7DE9A7CA-7E1A-4D75-BF7B-E7EB74A00D42 () open-xchange ! com


Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX App Suite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH



Product: OX App Suite / OX Documents
Vendor: OX Software GmbH

Internal reference: 67871, 68258 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-10-31
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Vulnerability Details:
The attachment API for Calendar, Tasks etc. allows defining references to e-mail attachments that should be added. These references were not checked against a sufficient protocol and host blacklist.

Risk:
Users can trigger API calls that invoke local files or URLs. The content provided by these resources would be added as an attachment.

Steps to reproduce:
1. Create a task
2. Use the /ajax/attachment?action=attach API call and provide a URL as the datasource:
    "datasource": {
        "identifier": "com.openexchange.url.mail.attachment",
        "url": "file:///var/file"
    }

Solution:
We have implemented a protocol and host blacklist to avoid invoking any file-system references and local addresses.



---



Internal reference: 67874 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-10-31
Solution date: 2019-12-09
Public disclosure: 2020-02-19
Researcher Credits: chbi
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The RSS feature allows adding arbitrary data sources. To avoid exposing confidential data, we implemented a host blacklist and a protocol whitelist. Due to an error, the host blacklist was not checked when the protocol passed the whitelist.

Risk:
Users can trigger API calls that invoke local URLs. If a host can be accessed, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology and services.

Steps to reproduce:
1. Create an RSS feed
2. Use http://127.0.0.1.nip.io:80/test.xml as RSS feed
3. Monitor the response code

Solution:
We fixed the blacklist evaluation and avoid access to blacklisted hosts regardless of the port evaluation. Please consider adjusting com.openexchange.messaging.rss.feed.blacklist to your network layout.
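The ordering bug described in this entry (a whitelisted protocol short-circuiting the host blacklist) next to the corrected check, also covering the file:// reference from the attachment-API entry above, as an added Python example that is not Open-Xchange code. The scheme whitelist, the blacklist contents, the fake DNS table and the function names are assumptions; 127.0.0.1.nip.io is the hostname from the reproduction steps and really resolves to loopback.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline. 127.0.0.1.nip.io is the
# name from the reproduction steps (it resolves to loopback); the others are made up.
FAKE_DNS = {
    "127.0.0.1.nip.io": "127.0.0.1",
    "feeds.example.org": "203.0.113.10",
    "intranet.example.internal": "10.20.30.40",
}

ALLOWED_SCHEMES = {"http", "https"}            # protocol whitelist (assumed)
BLACKLISTED_HOSTS = {"localhost"}              # hypothetical operator host blacklist
BLACKLISTED_NETWORKS = [ipaddress.ip_network(n) for n in
                        ("127.0.0.0/8", "10.0.0.0/8", "169.254.0.0/16", "::1/128")]

def resolve(host):
    """Literal IPs are used as-is; names go through the (fake) resolver."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        addr = FAKE_DNS.get(host)
        return ipaddress.ip_address(addr) if addr else None

def host_is_blacklisted(host):
    """Decide on the resolved address, so wildcard DNS names cannot bypass the list."""
    if host is None or host in BLACKLISTED_HOSTS:
        return True
    ip = resolve(host)
    if ip is None:
        return True  # unresolvable: fail closed
    return any(ip in net for net in BLACKLISTED_NETWORKS)

def validate_vulnerable(url):
    """Ordering bug from the advisory: a whitelisted scheme returns early,
    so the host blacklist is never consulted for http/https URLs."""
    parts = urlsplit(url)
    if parts.scheme in ALLOWED_SCHEMES:
        return True
    return not host_is_blacklisted(parts.hostname)

def validate_fixed(url):
    """Both checks must pass; the port plays no role in the host decision."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    return not host_is_blacklisted(parts.hostname)
```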



---



Internal reference: 67931, 68258 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-11-04
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The snippets API allows adding arbitrary data sources. These references were not checked against a sufficient protocol and host blacklist.

Risk:
Users can trigger API calls that invoke local URLs. If a host can be accessed, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology, services and files.

Steps to reproduce:
1. Create a snippet with HTML content
2. Include a reference to an internal host/service
<img src="http://localhost:22/badboy">
3. Monitor the response code

Solution:
We implemented a protocol and host blacklist to avoid invoking any file-system references and local addresses.



---



Internal reference: 67980 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-11-05
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The mail accounts feature allows adding arbitrary data sources. To avoid exposing confidential data, we implemented a host blacklist and a protocol whitelist. Due to an error, the host blacklist was not checked when the protocol passed the whitelist.

Risk:
Users can trigger API calls that invoke local URLs. If a host can be accessed, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology and services.

Steps to reproduce:
1. Create a mail account
2. Use 127.0.0.1:143 as IMAP server
3. Monitor the network socket

Solution:
We fixed the blacklist evaluation and avoid access to blacklisted hosts regardless of the port evaluation. Please consider adjusting com.openexchange.mail.account.blacklist to your network layout.



---



Internal reference: 67983 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2
Vulnerable component: office
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.2-rev4
Vendor notification: 2019-11-05
Solution date: 2019-12-09
Public disclosure: 2020-02-19
Researcher Credits: chbi
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
Recent versions of OX Documents allow inserting images from URL sources. Since no sufficient blacklist was in place, this allows making the server request arbitrary image resources.

Risk:
Users can trigger API calls that invoke local URLs. If a host can be accessed, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology and services.

Steps to reproduce:
1. Create an OX Documents document
2. Insert an image from URL and specify a local address, like http://127.0.0.1/test.jpg
3. Monitor the response code

Solution:
We implemented a host blacklist to avoid invoking any local addresses and operator-defined network blocks. Please consider adjusting com.openexchange.office.upload.blacklist to your network layout.



---



Internal reference: 68252 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: readerengine
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev10, 7.10.1-rev5, 7.10.2-rev6
Vendor notification: 2019-11-15
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
Documentconverter can be used to convert "remote" URLs in order to return images. The source of those URLs was not checked against a blacklist.

Risk:
Local resources like images or websites could be invoked by end users and their content exposed through the generated image.

Steps to reproduce:
1. Create a document and use an image "from URL"
2. Enter a URL that redirects to the local documentconverter instance, which in turn contains a reference to a local resource:
http%3A//localhost%3A8008/documentconverterws%3Faction%3Dconvert%26url%3Dhttp%253A//localhost/%26targetformat%3Dpng


Solution:
We now reject redirects and check provided URLs against blacklists and protocol whitelists.
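How a redirect defeats a check that only inspects the user-supplied URL, next to the two defences (rejecting redirects outright, as this fix does, or re-validating every hop before it is requested), as an added Python example that is not Open-Xchange code. The fake HTTP table, the image URLs, the policy names and the loopback/private check are assumptions; the redirect target is the documentconverter URL from the reproduction steps, decoded.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for an HTTP client: URL -> (status, Location header or body).
# The chain mirrors the advisory's case: an external image URL that redirects to the
# local documentconverter, which would in turn fetch http://localhost/. URLs are made up.
CONVERTER = ("http://localhost:8008/documentconverterws"
             "?action=convert&url=http%3A//localhost/&targetformat=png")
FAKE_HTTP = {
    "https://images.example.org/pic.png": (302, CONVERTER),
    CONVERTER: (200, "<PNG rendering of an internal page>"),
    "https://images.example.org/moved.png": (301, "https://images.example.org/ok.png"),
    "https://images.example.org/ok.png": (200, "<PNG bytes>"),
}

def is_local_target(url):
    """Minimal loopback/private check; assumption: any other name is external (no DNS here)."""
    host = urlsplit(url).hostname
    if host is None or host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private

def fetch(url, policy="reject"):
    """policy 'trust': vulnerable, only the first URL is checked and every hop after it
    is followed blindly. 'reject': the advisory's fix, any redirect aborts the fetch.
    'revalidate': each hop is re-checked before it is requested (our generalisation,
    not the vendor's behaviour). Returns the body, or None when the fetch is refused."""
    if is_local_target(url):
        return None
    for _ in range(5):                       # bounded redirect chain
        status, payload = FAKE_HTTP[url]
        if status not in (301, 302):
            return payload
        if policy == "reject":
            return None
        url = payload                        # follow the Location header
        if policy == "revalidate" and is_local_target(url):
            return None
    return None
```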



---



Internal reference: 68136 (Bug ID)
Vulnerability type: Missing escaping (CWE-116)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: readerengine
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev6, 7.10.1-rev4, 7.10.2-rev3
Vendor notification: 2019-11-11
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-9853 (LibreOffice)
CVSS: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Vulnerability Details:
We have backported recent updates of LibreOffice, which is used by readerengine. This fixes potential vulnerabilities that are not directly related to readerengine.

Risk:
Existing vulnerabilities in upstream projects could be used in the context of OX App Suite / OX Documents. This is a precautionary update.

Steps to reproduce:
1. n/a

Solution:
n/a




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
