Open-Xchange Security Advisory 2013-09-10
- To: bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: Open-Xchange Security Advisory 2013-09-10
- From: Martin Braun <martin.braun@xxxxxxxxxxxxxxxx>
- Date: Tue, 10 Sep 2013 11:18:08 +0200 (CEST)
Product: Open-Xchange AppSuite
Vendor: Open-Xchange GmbH
Internal reference: 28260 (Bug ID)
Vulnerability type: CWE-16: Configuration, CWE-287: Improper Authentication,
CWE-200: Information Exposure
Vulnerable version: 7.0.0 to 7.2.2
Vulnerable component: backend (default configuration)
Fixed version: 7.0.2-rev15, 7.2.2-rev16
Solution status: Fixed by Vendor
Vendor notification: 2013-08-13
Solution date: 2013-08-27
Public disclosure: 2013-09-10
CVE reference: CVE-2013-5200
CVSSv2: 5.6
(AV:N/AC:L/Au:N/C:P/I:P/A:N/E:POC/RL:U/RC:C/CDP:MH/TD:M/CR:ND/IR:ND/AR:ND)
Vulnerability Details:
Multiple vulnerabilities have been discovered in the Hazelcast-based cluster
API implementation of the Open-Xchange backend.
CWE-16 (Configuration): By default, the cluster implementation listens to all
available network interfaces at port 5701/tcp. This may include interfaces that
are exposed to potentially hostile networks.
CWE-287 (Improper Authentication): By default, the REST and memcache interfaces
do not require authentication, so the cluster API can be used to read or
inject information without credentials. Potentially rogue nodes can be joined
to the cluster through the native Hazelcast API by using a hardcoded password
that is exposed in the source code.
CWE-200 (Information Exposure): The cluster API exposes several pieces of
critical information, such as runtime data and network information. Where a
distributed session storage is used, session information of logged-in users
may be accessed as well. Unnecessary memcache and REST APIs are exposed.
Risk:
When the Open-Xchange backend runs on a network that is directly attached to
the Internet or to other potentially hostile networks, an attacker may read and
inject critical information. The exposed API could also be used to affect
system availability by injecting arbitrary data or disconnecting cluster nodes.
Steps to reproduce:
1. Use a Java, C#, REST or memcache client to access the Hazelcast API
2. Execute commands specified by the Hazelcast API documentation
Proof of concept:
The issue has been reproduced using various REST client calls. For example, an
HTTP GET request returns network and status information about the cluster:
GET http://server:5701/hazelcast/rest/cluster/
Cluster [1] {
Member [192.168.13.37]:5701 this
}
ConnectionCount: 1
AllConnectionCount: 1
Solution:
Update to 7.0.2-rev15 or 7.2.2-rev16.
When operating any kind of network service, make sure to apply proper port
filtering.
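The three findings above (binding to every interface, unauthenticated REST/memcache listeners, default cluster credentials) and the solution section map to three settings in a Hazelcast configuration file. The following audit script is an added example, not Open-Xchange or Hazelcast code: it reads a hazelcast.xml and reports which of those settings is still in the weak state. It assumes the standard Hazelcast XML layout (`<network><interfaces enabled="true">`, `<properties>` with `hazelcast.rest.enabled` / `hazelcast.memcache.enabled`, `<group><name>/<password>`). The hardcoded password the advisory refers to is not published there, so the credential check only recognises Hazelcast's shipped default group credentials (`dev` / `dev-pass`) and an empty password; the two embedded configurations are constructed samples, and the password in the hardened one is a placeholder.

```python
"""Audit a hazelcast.xml for the exposure pattern described in the advisory.

Added example (not Open-Xchange or Hazelcast code). Checks three settings:
  - CWE-16:  is the bind address restricted to named interfaces?
  - CWE-287: are the unauthenticated REST and memcache listeners disabled?
  - CWE-287: does the cluster still use default group credentials?
"""
import sys
import xml.etree.ElementTree as ET

# Hazelcast's shipped default group credentials. This is NOT the OX-specific
# hardcoded password mentioned in the advisory (not published there).
DEFAULT_GROUP = ("dev", "dev-pass")

# Listeners that carry no authentication; the strict policy is "explicitly off".
UNAUTH_LISTENERS = ("hazelcast.rest.enabled", "hazelcast.memcache.enabled")

# Constructed sample: the weak shape (all interfaces, listeners not disabled,
# default credentials). Realistic layout, not an actual OX shipped file.
WEAK_CONFIG = """<hazelcast xmlns="http://www.hazelcast.com/schema/config">
  <group><name>dev</name><password>dev-pass</password></group>
  <network>
    <port auto-increment="true">5701</port>
    <interfaces enabled="false"><interface>10.0.0.*</interface></interfaces>
  </network>
</hazelcast>"""

# Constructed sample: the hardened shape. Password is a placeholder.
HARDENED_CONFIG = """<hazelcast xmlns="http://www.hazelcast.com/schema/config">
  <group><name>ox-cluster</name><password>CHANGE-ME-PLACEHOLDER</password></group>
  <network>
    <port auto-increment="true">5701</port>
    <interfaces enabled="true"><interface>192.168.13.*</interface></interfaces>
  </network>
  <properties>
    <property name="hazelcast.rest.enabled">false</property>
    <property name="hazelcast.memcache.enabled">false</property>
  </properties>
</hazelcast>"""


def _local(tag):
    """Strip an XML namespace prefix so tags match with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _find(elem, *path):
    """Namespace-agnostic descent along a chain of child tag names."""
    for name in path:
        elem = next((c for c in elem if _local(c.tag) == name), None)
        if elem is None:
            return None
    return elem


def _text(elem):
    return (elem.text or "").strip() if elem is not None else ""


def audit_hazelcast_config(xml_text):
    """Return a list of finding strings; an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    findings = []

    # CWE-16: unless an enabled <interfaces> whitelist exists, Hazelcast binds
    # every local interface, including ones facing hostile networks.
    interfaces = _find(root, "network", "interfaces")
    if interfaces is None or interfaces.get("enabled", "false").lower() != "true":
        findings.append("binds all interfaces: <network><interfaces enabled=\"true\"> not set")
    elif not [c for c in interfaces if _local(c.tag) == "interface"]:
        findings.append("interfaces enabled but no <interface> pattern listed")

    # CWE-287: REST and memcache accept requests without any authentication.
    # Strict check: the property must be present and explicitly "false".
    props = {}
    plist = _find(root, "properties")
    if plist is not None:
        for p in plist:
            if _local(p.tag) == "property":
                props[p.get("name")] = _text(p).lower()
    for name in UNAUTH_LISTENERS:
        if props.get(name) != "false":
            findings.append(f"{name} is not explicitly false (unauthenticated listener)")

    # Default or empty group credentials let any node on the network join.
    group = (_text(_find(root, "group", "name")), _text(_find(root, "group", "password")))
    if group[1] == "" or group == DEFAULT_GROUP:
        findings.append("group password missing or Hazelcast default credentials")

    return findings


if __name__ == "__main__":
    # Usage: python audit.py /path/to/hazelcast.xml  (no argument: audit samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            result = audit_hazelcast_config(fh.read())
    else:
        result = audit_hazelcast_config(WEAK_CONFIG)
    for line in result:
        print("FINDING:", line)
    sys.exit(1 if result else 0)
```

Run it against the file the backend actually loads; a non-zero exit means at least one of the weak settings is present. The interface restriction and listener properties address the exposure on the host itself; the port filtering the advisory recommends for 5701/tcp remains necessary in addition, since an interface whitelist does not protect against peers on the same trusted segment.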