
List:       full-disclosure
Subject:    [FD] Open-Xchange Security Advisory 2022-09-01
From:       Martin Heiland via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2022-09-01 8:18:47
Message-ID: 1656323692.8207.1662020327384 () appsuite-guard ! open-xchange ! com

Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who contributed to
finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX
AppSuite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
  Martin Heiland, Open-Xchange GmbH



Product: OX App Suite
Vendor: OX Software GmbH



Internal reference: MWB-1540
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 8.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev44, 7.10.6-rev16, 8.2.324
Vendor notification: 2022-03-30
Solution date: 2022-06-10
Public disclosure: 2022-09-01
CVE reference: CVE-2022-29852
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
The output filter mechanism for binary data can be confused by using unknown media types. Some
valid image formats were not part of our deny-list that handles potentially harmful content.
Attackers can generate, upload and share malicious JS code disguised as the BMFreehand10 or
image/x-freehand image file format. This format is not detected and therefore no download gets
enforced. Some browsers may attempt to render its content "inline".

Risk:
Malicious script code can be executed within the victim's context. This can lead to session
hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a
third-party site). To exploit this an attacker would require access to the same OX App Suite
instance and the victim to follow a hyperlink.

Solution:
We improved content detection to include previously unknown media-types.
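The advisory's root cause is a deny-list of media types: anything not on the list is served inline, so one missing type such as image/x-freehand is enough. The following added example (not OX App Suite code; the type sets, the sniffing regex and the sample bytes are constructed for illustration) contrasts that deny-list policy with an allow-list policy that additionally sniffs the first bytes for markup and sets nosniff, so unknown types are always forced to download:

```python
import re

# Media types whose bytes a browser may execute if rendered inline.
# A deny-list like this is the weak pattern: any type missing from it
# (such as image/x-freehand in the advisory) falls through to "inline".
DENY_LIST = {"text/html", "application/xhtml+xml", "image/svg+xml",
             "text/javascript", "application/javascript"}

# The hardened pattern: an allow-list of types known to be safe to render.
INLINE_ALLOW_LIST = {"image/png", "image/jpeg", "image/gif", "image/webp",
                     "text/plain", "application/pdf"}

# Markup a browser might interpret as HTML if it appears near the start.
_ACTIVE_CONTENT = re.compile(rb"<\s*(script|html|svg|body)\b", re.IGNORECASE)


def looks_like_active_content(data: bytes) -> bool:
    """Sniff the leading bytes for markup that a browser could render."""
    return _ACTIVE_CONTENT.search(data[:1024]) is not None


def response_headers_denylist(media_type: str, data: bytes) -> dict:
    """Vulnerable policy: inline unless the declared type is on the deny-list."""
    if media_type.lower() in DENY_LIST:
        disposition = "attachment"
    else:
        disposition = "inline"
    return {"Content-Type": media_type, "Content-Disposition": disposition}


def response_headers_allowlist(media_type: str, data: bytes) -> dict:
    """Hardened policy: inline only for allow-listed types whose bytes do not
    sniff as markup; everything else is forced to download, and nosniff keeps
    the browser from second-guessing the declared type."""
    mt = media_type.lower()
    if mt in INLINE_ALLOW_LIST and not looks_like_active_content(data):
        disposition = "inline"
    else:
        disposition = "attachment"
    return {"Content-Type": media_type, "Content-Disposition": disposition,
            "X-Content-Type-Options": "nosniff"}


# Constructed sample: markup uploaded under an unlisted image media type.
SAMPLE_TYPE = "image/x-freehand"
SAMPLE_DATA = b"<script>/* constructed sample, not a payload */</script>"
```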



---



Internal reference: MWB-1572
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 8.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev44, 7.10.6-rev16, 8.2.0
Vendor notification: 2022-04-20
Solution date: 2022-06-10
Public disclosure: 2022-09-01
CVE reference: CVE-2022-29853
CVSS: 4.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Malicious HTML content in e-mail can be abused to bypass existing content-sanitization
mechanisms. In this case an attacker adds junk code to force the "Show entire message" feature
for huge HTML mails to generate malicious output. This involves a complex hierarchy of HTML
elements and event handlers that confuses the existing sanitization logic.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session
hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a
third-party site). To exploit this an attacker would require access to the same OX App Suite
instance and the victim to follow a hyperlink.

Solution:
We improved detection and handling of such huge HTML blocks to make sure no malicious content
is returned to the client.



---



Internal reference: MWB-1602
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 8.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev44, 7.10.6-rev16, 8.2.0
Vendor notification: 2022-04-20
Solution date: 2022-06-10
Public disclosure: 2022-09-01
CVE reference: CVE-2022-31468
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Content stored in attachments or in OX Drive can be requested by the client using the "len"
and "off" parameters. Malicious HTML content is filtered; however, this filter does not apply
to all kinds of HTML tags and allows malicious code to be extracted using the mentioned
parameters.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session
hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a
third-party site). To exploit this an attacker would require access to the same OX App Suite
instance and the victim to follow a hyperlink.

Solution:
We improved detection and handling of malicious HTML content that is requested via offset and
length parameters.
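The general lesson behind this item is that an HTML filter does not compose with byte-range serving: filtering each "off"/"len" window independently is not the same as filtering the whole document once. The added example below (not OX code; the toy filter that only strips script blocks, the window size and the sample document are constructed assumptions) models both orderings and a client that joins consecutive windows, which is the invariant a fix has to restore:

```python
import re

# Toy stand-in for a backend HTML filter: it only strips complete <script>
# blocks. The page does not show the real OX filter; this is an assumption.
_SCRIPT_BLOCK = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)


def filter_html(fragment: str) -> str:
    return _SCRIPT_BLOCK.sub("", fragment)


def serve_range_slice_then_filter(stored: str, off: int, length: int) -> str:
    """Vulnerable ordering: cut the requested window first, filter afterwards.
    A tag split across a window boundary never matches the filter, so the
    pieces a client collects add back up to the original markup."""
    return filter_html(stored[off:off + length])


def serve_range_filter_then_slice(stored: str, off: int, length: int) -> str:
    """Hardened ordering: filter the whole stored document once, then apply
    "off"/"len" to the filtered result. Every window, and every join of
    windows, is then a substring of filtered output."""
    return filter_html(stored)[off:off + length]


def reassemble(serve, stored: str, window: int) -> str:
    """Model a client fetching consecutive windows and concatenating them."""
    return "".join(serve(stored, off, window)
                   for off in range(0, len(stored), window))


# Constructed sample document: one script block between two paragraphs.
SAMPLE = "<p>hello</p><script>/* constructed */</script><p>bye</p>"
```

A regression test for the fixed ordering can assert that, for every window size, the reassembled output equals filter_html applied to the whole document.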



---



Internal reference: DOCS-4428
Vulnerability type: OS Command Injection (CWE-78)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: documentconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev5, 7.10.6-rev5
Vendor notification: 2022-04-19
Solution date: 2022-06-10
Public disclosure: 2022-09-01
CVE reference: CVE-2022-29851
CVSS: 8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)

Vulnerability Details:
If an instance running documentconverter (readerengine) has the non-default ghostscript (gs)
utility installed, it may get invoked when converting EPS files that are disguised as PDF
files. Ghostscript suffers from a range of vulnerabilities, some of which could be exploited
via readerengine. While most are non-deterministic and cannot be used to inflict relevant
damage, a few may be used to execute code fragments embedded in EPS files on the target
instance.

Risk:
Unauthorized code may be executed with the permissions of the "open-xchange" user on readerengine
instances if additional software packages like gs are installed. We urge customers to apply
best-practice system hardening, which includes removal of unused components.

Solution:
We removed a fallback to use external commands for processing EPS and other file formats.
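The defensive pattern behind this fix is to decide how a file is processed from its actual bytes rather than from the declared media type, and to have no external-command fallback at all. The added example below (not the documentconverter's code; the declared-type mapping and the set of internally handled formats are assumptions) sniffs the public magic bytes of PDF, PostScript and DOS-style EPS and rejects any request whose sniffed format disagrees with the declared one:

```python
# Public format facts: PDF files open with "%PDF-", PostScript/EPS files with
# "%!PS-Adobe" (EPS adds "EPSF" on that first line), and DOS-style EPS
# binaries with the 4-byte header C5 D0 D3 C6.
PDF_MAGIC = b"%PDF-"
PS_MAGIC = b"%!PS-Adobe"
DOS_EPS_MAGIC = b"\xC5\xD0\xD3\xC6"


def detect_format(data: bytes) -> str:
    """Classify by leading bytes, ignoring whatever type the upload claims."""
    head = data[:64]
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if head.startswith(DOS_EPS_MAGIC):
        return "eps"
    if head.startswith(PS_MAGIC):
        first_line = head.split(b"\n", 1)[0]
        return "eps" if b"EPSF" in first_line else "postscript"
    return "unknown"


# Assumed mapping from declared media type to the format it must sniff as.
DECLARED_TO_FORMAT = {"application/pdf": "pdf", "application/postscript": "eps"}

# Formats the in-process converter handles itself (assumption for this example).
INTERNAL_FORMATS = {"pdf"}


def choose_converter(declared_type: str, data: bytes) -> str:
    """Route a conversion request: "internal" or "reject", never an external
    tool. The declared type alone is never trusted; the sniffed format must
    agree with it, and unsupported formats are rejected rather than shelled out."""
    expected = DECLARED_TO_FORMAT.get(declared_type)
    actual = detect_format(data)
    if expected is None or actual != expected:
        return "reject"        # e.g. EPS bytes uploaded as application/pdf
    if actual in INTERNAL_FORMATS:
        return "internal"
    return "reject"            # no fallback to gs or other external commands
```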


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/