[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] OXAS-ADV-2023-0002: OX App Suite Security Advisory
From: Martin Heiland via Fulldisclosure <fulldisclosure () seclists ! org>
Date: 2023-06-20 8:00:32
Message-ID: 1980149580.1187.1687248032304 () appsuite-guard ! open-xchange ! com
[Download RAW message or body]
[Attachment #2 (multipart/signed)]
Dear subscribers,
We're sharing our latest advisory with you and like to thank everyone who contributed in \
finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX \
AppSuite, Dovecot and PowerDNS at YesWeHack.
This advisory has also been published at \
https://documentation.open-xchange.com/security/advisories/.
Yours sincerely,
Martin Heiland, Open-Xchange GmbH
Internal reference: MWB-1994
Type: CWE-922 (Insecure Storage of Sensitive Information)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev39
First fixed revision: OX App Suite backend 7.10.6-rev40
Discovery date: 2023-01-09
Solution date: 2023-03-10
Disclosure date: 2023-06-20
Researcher credits: Tim 'foobar7' Coen
CVE: CVE-2023-26427
CVSS: 3.2 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N)
Details:
Weak default permissions for noreply.properties. Default permissions for a properties file were \
too permissive.
Risk:
Local system users could read potentially sensitive information. No publicly available exploits \
are known.
Solution:
We updated the default permissions for noreply.properties set during package installation.
---
Internal reference: MWB-2008
Type: CWE-639 (Authorization Bypass Through User-Controlled Key)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev39, OX App Suite backend 8.9
First fixed revision: OX App Suite backend 7.10.6-rev40, OX App Suite backend 8.10
Discovery date: 2023-01-17
Solution date: 2023-03-10
Disclosure date: 2023-06-20
Researcher credits: Tim 'foobar7' Coen
CVE: CVE-2023-26428
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Details:
Access to other users signatures is not checked. Attackers can successfully request arbitrary \
snippet IDs, including E-Mail signatures of other users within the same context.
Risk:
Signatures of other users could be read even though they are not explicitly shared. No publicly \
available exploits are known.
Solution:
We improved permission handling when requesting snippets that are not explicitly shared with \
other users.
---
Internal reference: MWB-2019
Type: CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command \
Injection'))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev39, OX App Suite backend 8.10
First fixed revision: OX App Suite backend 7.10.6-rev40, OX App Suite backend 8.11
Discovery date: 2023-01-23
Solution date: 2023-03-09
Disclosure date: 2023-06-20
Researcher credits: Tim 'foobar7' Coen
CVE: CVE-2023-26429
CVSS: 3.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N)
Details:
User-feedback not sanitized for control characters. Control characters were not removed when \
exporting user feedback content.
Risk:
This allowed attackers to include unexpected content via user feedback and potentially break \
the exported data structure. No publicly available exploits are known.
Solution:
We now drop all control characters that are not whitespace character during the export.
---
Internal reference: MWB-2038
Type: CWE-918 (Server-Side Request Forgery (SSRF))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev39, OX App Suite backend 8.10
First fixed revision: OX App Suite backend 7.10.6-rev40, OX App Suite backend 8.11
Discovery date: 2023-02-07
Solution date: 2023-03-16
Disclosure date: 2023-06-20
Researcher credits: Mehmet 'mdisec' Ince
CVE: CVE-2023-26431
CVSS: 5.0 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
Details:
SSRF through bypassing denylists via IPV4-mapped IPv6 addresses. IPv4-mapped IPv6 addresses did \
not get recognized as "local" by the code and a connection attempt is made.
Risk:
Attackers with access to user accounts could use this to bypass existing deny-list \
functionality and trigger requests to restricted network infrastructure to gain insight about \
topology and running services. No publicly available exploits are known.
Solution:
We now respect possible IPV4-mapped IPv6 addresses when checking if contained in a deny-list.
---
Internal reference: MWB-2046
Type: CWE-400 (Uncontrolled Resource Consumption)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev39, OX App Suite backend 8.10
First fixed revision: OX App Suite backend 7.10.6-rev40, OX App Suite backend 8.11
Discovery date: 2023-02-13
Solution date: 2023-03-13
Disclosure date: 2023-06-20
CVE: CVE-2023-26432
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
Details:
SMTP capabilities allow excessive memory usage. When adding an external mail account, \
processing of SMTP "capabilities" responses are not limited to plausible sizes.
Risk:
Attacker with access to a rogue SMTP service could trigger requests that lead to excessive \
resource usage and eventually service unavailability. No publicly available exploits are known.
Solution:
We now limit accepted SMTP server response to reasonable length/size.
---
Internal reference: MWB-2047
Type: CWE-400 (Uncontrolled Resource Consumption)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev39, OX App Suite backend 8.10
First fixed revision: OX App Suite backend 7.10.6-rev40, OX App Suite backend 8.11
Discovery date: 2023-02-13
Solution date: 2023-03-13
Disclosure date: 2023-06-20
CVE: CVE-2023-26433
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
Details:
IMAP capabilities allow excessive memory usage. When adding an external mail account, \
processing of IMAP "capabilities" responses are not limited to plausible sizes.
Risk:
Attacker with access to a rogue IMAP service could trigger requests that lead to excessive \
resource usage and eventually service unavailability. No publicly available exploits are known.
Solution:
We now limit accepted IMAP server response to reasonable length/size.
---
Internal reference: MWB-2048
Type: CWE-400 (Uncontrolled Resource Consumption)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev39
First fixed revision: OX App Suite backend 7.10.6-rev40
Discovery date: 2023-02-13
Solution date: 2023-03-13
Disclosure date: 2023-06-20
CVE: CVE-2023-26434
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
Details:
POP3 capabilities allow excessive memory usage. When adding an external mail account, \
processing of POP3 "capabilities" responses are not limited to plausible sizes.
Risk:
Attacker with access to a rogue POP3 service could trigger requests that lead to excessive \
resource usage and eventually service unavailability. No publicly available exploits are known.
Solution:
We now limit accepted POP3 server response to reasonable length/size.
---
Internal reference: DOCS-4662
Type: CWE-918 (Server-Side Request Forgery (SSRF))
Component: office
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite office 7.10.6-rev7
First fixed revision: OX App Suite office 7.10.6-rev8
Discovery date: 2023-01-09
Solution date: 2023-03-13
Disclosure date: 2023-06-20
Researcher credits: Icare
CVE: CVE-2023-26435
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
Details:
SSRF using ODT files and "draw" XML fragments. It was possible to call filesystem and network \
references using the local LibreOffice instance using manipulated ODT documents.
Risk:
Attackers could discover restricted network topology and services as well as including local \
files with read permissions of the open-xchange system user. This was limited to specific \
file-types, like images. No publicly available exploits are known.
Solution:
We have improved existing content filters and validators to avoid including any local \
resources.
---
Internal reference: DOCS-4701
Type: CWE-94 (Improper Control of Generation of Code ('Code Injection'))
Component: office
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite office 7.10.6-rev7
First fixed revision: OX App Suite office 7.10.6-rev8
Discovery date: 2023-02-03
Solution date: 2023-03-13
Disclosure date: 2023-06-20
Researcher credits: Mehmet 'mdisec' Ince
CVE: CVE-2023-26436
CVSS: 8.3 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Details:
Insecure Deserialization on documentconverterws API lead to Remote Code Execution. Attackers \
with access to the "documentconverterws" API were able to inject serialized Java objects, that \
were not properly checked during deserialization. Access to this API endpoint is restricted to \
local networks by default.
Risk:
Arbitrary code could be injected that is being executed when processing the request. No \
publicly available exploits are known.
Solution:
A check has been introduced to restrict processing of legal and expected classes for this API. \
We now log a warning in case there are attempts to inject illegal classes.
[Attachment #5 (application/pgp-signature)]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic