[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Open-Xchange Security Advisory 2020-08-20
From: Open-Xchange GmbH via Fulldisclosure <fulldisclosure () seclists ! org>
Date: 2020-08-20 6:09:49
Message-ID: A0FD6085-E706-4C7A-BE26-3810AA93B34F () open-xchange ! com
[Download RAW message or body]
[Attachment #2 (multipart/signed)]
Dear subscribers,
we're sharing our latest advisory with you and like to thank everyone who contributed in \
finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX App \
Suite, Dovecot and PowerDNS at HackerOne.
Yours sincerely,
Martin Heiland, Open-Xchange GmbH
Product: OX App Suite / OX Documents
Vendor: OX Software GmbH
Internal reference: MWB-70 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-02-07
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: raiz_
CVE reference: CVE-2020-12646
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Our script filters did not consider the ancient media-type "text/x-javascript" as potentially \
malicious, however Google Chrome executes content of this type as script code.
Risk:
Malicious script code can be executed within a users context. This can lead to session \
hijacking or triggering unwanted actions via the web interface (sending mail, deleting data \
etc.). To exploit this an additional step is necessary which could be achieved through social \
engineering.
Steps to reproduce:
1. Upload a code snippet to Drive and modify its media-type
2. Share the file publicly and make a user open this link
3. Next, make the user visit a direct API reference to the file and add "delivery=view" as API \
parameter
Solution:
We improved our filter to consider this media-type.
---
Internal reference: MWB-107 (Bug ID)
Vulnerability type: Improper input validation (CWE-20)
Vulnerable version: 7.10.1 to 7.10.3
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-02-24
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: Osama Hamad Shehab
CVE reference: CVE-2020-12645
CVSS: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Vulnerability Details:
When using OX App Suite for authentication directly, a login "rate-limit" is applied. This \
could be circumvented by exploiting logic issues when handling the clients user-agent string.
Risk:
Brute-force attempts could be made using large quantities of arbitrary passwords to discover \
account credentials. While this attack would be quite noisy it's possible that it may not get \
noticed on unmonitored systems. The attacker would still hit the generic API request limit at \
some point.
Steps to reproduce:
1. Use the /login API and send login attempts until the rate-limit hits
2. Modify the user-agent string
3. Return login attempts
Solution:
We fixed the logic dealing with buckets of login processes to discover such attempts and \
correctly apply rate limiting.
---
Internal reference: MWB-108 (Bug ID)
Vulnerability type: Access Control Bypass (CWE-639)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-02-24
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: kattsson
CVE reference: CVE-2020-12643
CVSS: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
Vulnerability Details:
Incorrect permission checks were performed when requesting other users "snippets". This can be \
used to discover E-Mail addresses of external accounts.
Risk:
Potentially sensitive information about other users can be discovered and used for further \
attacks. Access is limited to users within the same context.
Steps to reproduce:
1. Use the /api/subscriptions API and request arbitrary subscription IDs for other user IDs
2. If a combination of user ID and subscription ID matches, metadata about a subscription would \
be returned
Solution:
We improved permissions checks in this area to limit exposure of information.
---
Internal reference: MWB-120 (Bug ID)
Vulnerability type: Improper input validation (CWE-20)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-02-27
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: kattsson
CVE reference: CVE-2020-12645
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)
Vulnerability Details:
Vacation notices could be used to send E-Mail with arbitrary sender information.
Risk:
Malicious users could set up vacation notices that send E-Mail responses with a forged sender \
address. Depending on the egress MTA configuration this can be used for impersonification.
Steps to reproduce:
1. Create vacation notice and modify the "From" attribute by changing the API request
2. Make someone send E-Mail to this account or forge a "reply-to" header
3. E-Mail will be sent using illegitimate sender information
Solution:
We applied the same checks for vacation notices as we're using for regular user mail \
operations.
---
Internal reference: MWB-190 (Bug ID)
Vulnerability type: Cross-site scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-03-24
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: Alexey Petrenko
CVE reference: CVE-2020-12646
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Our script filters did not consider the media-type "text/rdf" as potentially malicious, however \
Mozilla Firefox executes content of this type as script code.
Risk:
Malicious script code can be executed within a users context. This can lead to session \
hijacking or triggering unwanted actions via the web interface (sending mail, deleting data \
etc.). To exploit this an additional step is necessary which could be achieved through social \
engineering.
Steps to reproduce:
1. Upload a code snippet to Drive and modify its media-type
2. Share the file publicly and make a user open this link
3. Next, make the user visit a direct API reference to the file and add "delivery=view" as API \
parameter
Solution:
We improved our filter to consider this media-type.
---
Internal reference: MWB-221 (Bug ID)
Vulnerability type: Improper input validation (CWE-20)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2019-04-06
Solution date: 2020-05-13
Public disclosure: 2020-08-20
CVE reference: CVE-2020-12645
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Vulnerability Details:
The /apps/load endpoint is used to pre-load various resources for optimized transfer. It's \
parameters can be abused to process content multiple times.
Risk:
Depending on the environments memory configuration and the amount of requested content, memory \
exhaustion can be triggered, leading to temporary unavailability of one or more nodes.
Steps to reproduce:
1. Use the /apps/load API endpoint and supply up to 254 content references
2. Repeat and/or run this request in parallel
Solution:
We removed duplicate content from the request and make sure none is processed twice. Since only \
limited options for content exist we expect this to mitigate the attack vector.
---
Internal reference: MWB-226 (Bug ID)
Vulnerability type: Server-side request forgery (CWE-918)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2019-04-07
Solution date: 2020-05-13
Public disclosure: 2020-08-20
CVE reference: CVE-2020-12644
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
Vulnerability Details:
The mail account API can be used to inject references to internal network topology when \
updating existing accounts and subsequent requests would trigger network connections.
Risk:
Based on the response and timing of those connections and attacker can gain insight to internal \
network topology and configuration. This bypasses the existing blacklist.
Steps to reproduce:
1. Add a new external mail account using a legitimate IMAP server
2. Modify this accounts configuration and add a reference to an internal host
3. Use the /folder/list API to trigger a account refresh
Solution:
We now reject adding blacklisted network endpoints also when updating the account \
configuration.
---
Internal reference: DOCS-1844 (Bug ID)
Vulnerability type: Cross-site scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: office-web, frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev63, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev10
Vendor notification: 2019-03-06
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: chbi
CVE reference: CVE-2020-8542
CVSS: 2.2 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
When pasting text from a native source to a OX Documents file, script code embedded within the \
paste content would be executed. This is related to a recent library update.
Risk:
Malicious script code can be executed within a users context. This can lead to session \
hijacking or triggering unwanted actions via the web interface (sending mail, deleting data \
etc.). To exploit this an additional step is necessary which could be achieved through social \
engineering.
Steps to reproduce:
1. Create a legitimate looking text documents and hide JS code within it
2. Make a user copy text from a native source (e.g. text file) and paste it to OX Documents
Solution:
We updated DOMpurify to a version which solves this vulnerability.
---
Internal reference: DOCS-1886, OXUIB-158 (Bug ID)
Vulnerability type: Cross-site scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: office-web, frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev63, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev10
Vendor notification: 2019-03-18
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: chbi
CVE reference: CVE-2020-12646
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Script code embedded to PDF files could be executed when using documents preview.
Risk:
Malicious script code can be executed within a users context. This can lead to session \
hijacking or triggering unwanted actions via the web interface (sending mail, deleting data \
etc.). To exploit this an additional step is necessary which could be achieved through social \
engineering. To trigger the vulnerable code a specific content-security-policy (worker-src \
blob:) is required.
Steps to reproduce:
1. Create a malicious PDF file containing script code
2. Send and make a user open this file using preview
Solution:
We updated PDF.js to a version which solves this vulnerability.
["signature.asc" (signature.asc)]
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEE/DJIVnUkbbTwb+C5luURj3jLBMcFAl8+E60ACgkQluURj3jL
BMdH8w//apMQm/HYBmGhjW1i5tJYCGhy2yj9JcYWgB+KF3S7lYqy8Nlk/R6jcmMz
6ZfoRiCOigepQ3X/8MYc8GFhgA9IK2xTGWGR5QWyIFyR1Rf2e4aUPStgW3JWPUXD
ilTnRJKfGSimv4LNcbVO4ZF4We5MRZtnQKwOfE2VHfO0ickF7cOoYUrgpERDRzqv
Wsi12FSFIu8/mwM4XsMTxVuJLzKoCIWpeFfuRb+//SLa4kyZvuGtDNNy9C9EbXhL
G3/NjC+3OPi+rZRChjZLHnYrwk9kOIg5ryPi3izyN+ifDvw7cbxo3JjA4oa42b0L
E0RlfPjQy1zYLkFryoVxbDtdX5Mrn33jvN61EG2WFLgsgJ7mkh5QzSxSElMavdKA
vYvIDhrvW4VMkdP5+Ox5EjlmuI1Owc0OkVGlJUXa/1cdSza97biFD/r8WYhtWXSy
P7cshX9bfSnphoP5ToTwS5g8BFQa/gS6eKgB4jvs4pgVPQBSG2gfaEe3znTxF8qB
fo/QVkQ2lHm0juz5FFQk3whADxKCFVlXby6h+mYud/863IsBSp3MdLhtwRYNB5lX
5RaoJdDLaSsSo62NGECEeWgYSk3g8c0Wp3I2kwcCj5rY8dFnNUUwXrWB2nqAVC8N
pEmp7mp5j9yEs3OWrS7jYFP7a7+b0JpILLJvTmT9ksPNjw/KOqM=
=T4P1
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic