Open-Xchange Security Advisory 2014-09-15
- To: bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: Open-Xchange Security Advisory 2014-09-15
- From: Martin Heiland <martin.heiland@xxxxxxxxxxxxxxxx>
- Date: Mon, 15 Sep 2014 08:59:48 +0200 (CEST)
Product: OX App Suite
Vendor: Open-Xchange GmbH
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.6.0 and earlier
Vulnerable component: frontend
Fixed version: 7.4.2-rev33, 7.6.0-rev16
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2014-07-19
Solution date: 2014-08-26
Public disclosure: 2013-09-15
CVE reference: CVE-2014-5235
OX bug reference: 33620
CVSSv2: 5.7
(AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)
Vulnerability Details:
CDATA-encapsulated script code within certain fields of an RSS feed gets
executed by the frontend.
Risk:
Malicious script code can be executed within a user's context. This can lead to
session hijacking or triggering unwanted actions via the web interface (sending
mail, deleting data etc.).
Solution:
RSS feeds now get sanitized more carefully. Users should update to the latest
patch releases. Users should avoid integrating untrusted or suspicious RSS
feeds.
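
Added example (not part of the advisory and not Open-Xchange code): a Python
sketch of allowlist sanitization for feed fields. The XML parser returns CDATA
content as raw markup, so it has to be sanitized before display; the tag
allowlist and the sample feed are assumptions constructed for illustration.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

ALLOWED = {"b", "i", "em", "strong", "p", "br"}  # assumed allowlist, no attributes
DROP_WITH_CONTENT = {"script", "style"}

# Constructed sample feed: markup hidden from the XML parser by CDATA sections.
SAMPLE_FEED = """<rss version="2.0"><channel><title>demo</title>
<item>
  <title><![CDATA[<script>alert(1)</script>News]]></title>
  <description><![CDATA[<b class="x">bold</b> text]]></description>
</item>
</channel></rss>"""

class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted tags (without attributes) and escaped text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1                      # swallow the element's content
        elif tag in ALLOWED and not self.skip:
            self.out.append("<%s>" % tag)       # attributes are never copied
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED and tag != "br" and not self.skip:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))  # text is always escaped

def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()                              # flush buffered trailing text
    return "".join(parser.out)

def sanitized_items(feed_xml):
    """Return (title, description) per item; CDATA is unwrapped by the XML parser."""
    root = ET.fromstring(feed_xml)
    return [(sanitize(item.findtext("title", "")),
             sanitize(item.findtext("description", "")))
            for item in root.iter("item")]
```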

Vulnerability type: Absolute Path Traversal (CWE-36)
Vulnerable version: 7.6.0 and earlier
Vulnerable component: documentconverter
Fixed version: 7.4.2-rev10, 7.6.0-rev10
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2014-07-31
Solution date: 2014-08-26
Public disclosure: 2013-09-15
CVE reference: CVE-2014-5236
OX bug reference: 33834
Credits: Patrick Hof, Till Maas and Benjamin Grap of RedTeam Pentesting
CVSSv2: 7.4
(AV:N/AC:M/Au:S/C:C/I:N/A:N/E:P/RL:U/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND)
Vulnerability Details:
Crafted OLE Objects within OpenDocument Text files can be used to reference
objects with absolute or relative paths. By using further modifications to the
document's XML structure, existing security functions of the LibreOffice backend
get bypassed. As a result, the referenced file gets included from the server's
file system.
Risk:
Attackers may read configuration files located on the server where
documentconverter is deployed. Since documentconverter runs with reduced
permissions, this applies to all files that can be read by the user group
"open-xchange".
Solution:
A black- and whitelist has been introduced to control file access. Users should
update to the latest patch releases.

Vulnerability type: Absolute Path Traversal (CWE-36)
Vulnerable version: 7.6.0 and earlier
Vulnerable component: documentconverter
Fixed version: 7.4.2-rev10, 7.6.0-rev10
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2014-07-31
Solution date: 2014-08-26
Public disclosure: 2013-09-15
CVE reference: CVE-2014-5236
OX bug reference: 33835
Credits: Patrick Hof, Till Maas and Benjamin Grap of RedTeam Pentesting
CVSSv2: 7.4
(AV:N/AC:M/Au:S/C:C/I:N/A:N/E:P/RL:U/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND)
Vulnerability Details:
Crafted images within OpenDocument Text files can be used to reference objects
with absolute or relative paths. As a result, the referenced file gets included
from the server's file system.
Risk:
If an attacker knows the correct path to image files on the server where
documentconverter is deployed, those can be made available to the attacker.
Usually no security-related images are stored within deployments. Content of
the OX Drive storage could be referenced, but since the storage is separated
into context- and user-bucket-specific hashed paths, it is unlikely for an
attacker to successfully reference such files. Including many files may pose a
risk of denial-of-service attacks, though.
Solution:
A black- and whitelist has been introduced to control file access. Users should
update to the latest patch releases.

Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.6.0 and earlier
Vulnerable component: documentconverter
Fixed version: 7.4.2-rev10, 7.6.0-rev10
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2014-07-31
Solution date: 2014-08-26
Public disclosure: 2013-09-15
CVE reference: CVE-2014-5237
OX bug reference: 33836
Credits: Patrick Hof, Till Maas and Benjamin Grap of RedTeam Pentesting
CVSSv2: 4.4
(AV:N/AC:L/Au:M/C:P/I:N/A:N/E:F/RL:U/RC:C/CDP:MH/TD:M/CR:ND/IR:ND/AR:ND)
Vulnerability Details:
Text documents allow embedding remote images, based on URLs provided by the
document creator. When editing such a document within OX Text, the image gets
requested by the user's client, which is fine. However, when rendering previews
of such images, the file gets requested by the server, introducing an SSRF
attack vector.
Risk:
Malicious documents could be used to fetch lots of images from a specific host,
leading to denial-of-service attacks. Also, content may get fetched from
legally questionable sources, potentially putting the operator of the
documentconverter into legal trouble.
Solution:
Outbound traffic of a documentconverter deployment should be controlled on a
network level, if an operator does not wish to let users include external
resources and use them when generating document previews. Users should update
to the latest patch releases. A new black- and whitelist has been introduced to
control access to remote resources.
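
Added example (not part of the advisory and not Open-Xchange code): a Python
pre-conversion check for the image and object references discussed in the two
path traversal entries and the SSRF entry above. It covers plain xlink:href
references in content.xml only and does not model the XML-structure bypass
mentioned for OLE objects; the host allowlist and all sample references are
hypothetical values constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DRAW = "{urn:oasis:names:tc:opendocument:xmlns:drawing:1.0}"
HREF = "{http://www.w3.org/1999/xlink}href"
FETCHING = {DRAW + "image", DRAW + "object", DRAW + "object-ole"}
ALLOWED_HOSTS = {"images.example.org"}   # hypothetical operator allowlist

# Constructed sample references, one per case the check distinguishes.
SAMPLE_HREFS = ["Pictures/a.png", "/srv/example/b.png", "../../c.png",
                "file:///srv/example/d.png", "http://images.example.org/e.png",
                "http://other.example.net/f.png"]

def classify(href, members):
    """Return None when a reference is acceptable, else the reason it is not."""
    parts = urlsplit(href)
    if parts.scheme in ("http", "https"):
        return None if parts.hostname in ALLOWED_HOSTS else "remote host not allowlisted"
    if parts.scheme:
        return "scheme not permitted"
    path = href[2:] if href.startswith("./") else href
    if path.startswith(("/", "\\")):
        return "absolute path"
    if ".." in path.replace("\\", "/").split("/"):
        return "parent-directory traversal"
    # Remaining references must point at a file or sub-directory of the package.
    inside = path in members or any(m.startswith(path.rstrip("/") + "/") for m in members)
    return None if inside else "not a member of the package"

def audit_odt(data):
    """List (href, reason) for each rejected image/object reference in content.xml."""
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        members = set(pkg.namelist())
        root = ET.fromstring(pkg.read("content.xml"))
    return [(el.get(HREF), reason) for el in root.iter()
            if el.tag in FETCHING and el.get(HREF) is not None
            for reason in [classify(el.get(HREF), members)] if reason]

def build_sample(hrefs):
    """Constructed input: a minimal package with one draw:image per href."""
    body = "".join('<draw:image xlink:href="%s"/>' % h for h in hrefs)
    xml = ('<doc xmlns:draw="%s" xmlns:xlink="http://www.w3.org/1999/xlink">%s</doc>'
           % (DRAW.strip("{}"), body))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("content.xml", xml)
        pkg.writestr("Pictures/a.png", b"")
    return buf.getvalue()
```

A hostname allowlist does not replace the network-level egress control
recommended above, since an allowlisted name can still resolve to an internal
address.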

Vulnerability type: Improper Restriction of Recursive Entity References in DTDs
(CWE-776)
Vulnerable version: 7.6.0 and earlier
Vulnerable component: office
Fixed version: 7.4.2-rev11, 7.6.0-rev9
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2014-07-31
Solution date: 2014-08-26
Public disclosure: 2013-09-15
CVE reference: CVE-2014-5238
OX bug reference: 33838
Credits: Patrick Hof, Till Maas and Benjamin Grap of RedTeam Pentesting
CVSSv2: 7.4
(AV:N/AC:M/Au:S/C:C/I:N/A:N/E:P/RL:U/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND)
Vulnerability Details:
Since OpenDocument Text documents are XML files, external entities may get
included in these files. The XML parser tries to resolve these external
entities by expanding them (XEE), for example including files or running
specific XML parser functions. There are several attack vectors, for example
including local files from the OX Text deployment or creating malicious
documents that use exponential entity expansion (XEEE). Such exponential
entities can be used to create huge documents based on very few lines of XML
code.
Risk:
By using an XEE attack, introducing the XML "SYSTEM" entity and absolute or
relative paths, the referenced file gets included from the server's file system.
As a result, the whole file is visible in the OX Text editor. XEEE attacks can
be used to run denial-of-service attacks against the deployment by creating
vastly complex XML files that take a lot of time to process.
Solution:
DOCTYPE within ODT files is now forbidden and therefore external or special
entities cannot get included anymore. Users should update to the latest patch
releases.
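
Added example (not part of the advisory and not Open-Xchange code): one way to
enforce a "no DOCTYPE in ODT" rule in Python before a document reaches the
converter. The expat callback aborts parsing when the DOCTYPE declaration
starts, so no entity is ever expanded; function names and the sample package
are assumptions constructed for illustration.

```python
import io
import zipfile
from xml.parsers import expat

class DoctypeForbidden(Exception):
    """Raised from the expat callback as soon as a DOCTYPE starts."""

def on_doctype(name, system_id, public_id, has_internal_subset):
    # Fires before the internal subset (entity declarations) is processed.
    raise DoctypeForbidden(name)

def screen_odt(data):
    """Return {member: reason} for XML members of an ODT that must be refused."""
    refused = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in sorted(pkg.namelist()):
            if not name.endswith(".xml"):
                continue
            parser = expat.ParserCreate()
            parser.StartDoctypeDeclHandler = on_doctype
            try:
                parser.Parse(pkg.read(name), True)
            except DoctypeForbidden:
                refused[name] = "DOCTYPE present"
            except expat.ExpatError:
                refused[name] = "not well-formed"   # refuse what cannot be checked
    return refused

def build_package(members):
    """Build an in-memory ZIP from {name: bytes}; used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, content in members.items():
            pkg.writestr(name, content)
    return buf.getvalue()

# Constructed sample: content.xml declares a harmless internal entity,
# meta.xml is deliberately truncated, styles.xml is clean.
SAMPLE = build_package({
    "mimetype": b"application/vnd.oasis.opendocument.text",
    "content.xml": b'<!DOCTYPE doc [<!ENTITY e "x">]><doc>&e;</doc>',
    "styles.xml": b"<styles/>",
    "meta.xml": b"<meta>",
})
```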

Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.6.0 and earlier
Vulnerable component: backend
Fixed version: 7.4.2-rev33, 7.6.0-rev16
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2014-07-31
Solution date: 2014-08-26
Public disclosure: 2013-09-15
CVE reference: CVE-2014-5234
OX bug reference: 33839
Credits: Patrick Hof, Till Maas and Benjamin Grap of RedTeam Pentesting
CVSSv2: 5.7
(AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)
Vulnerability Details:
Arbitrary script code can be used as a folder publication name, leading to code
execution on clients that display such publications.
Risk:
Malicious script code can be executed within a user's context. This can lead to
session hijacking or triggering unwanted actions via the web interface (sending
mail, deleting data etc.).
Solution:
Publications now get sanitized more carefully. Users should update to the
latest patch releases.