Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving these vulnerabilities. Feel free to join our bug bounty programs for OX App Suite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH

Product: OX App Suite / OX Documents
Vendor: OX Software GmbH

---

Internal reference: 67871, 68258 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-10-31
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Vulnerability Details:
The attachment API for Calendar, Tasks etc. allows defining references to E-Mail attachments that should be added. This reference was not checked against a sufficient protocol and host blacklist.

Risk:
Users can trigger API calls that invoke local files or URLs. Content provided by these resources would be added as an attachment.

Steps to reproduce:
1. Create a task
2. Use the /ajax/attachment?action=attach API call and provide a URL:
   "datasource": {
     "identifier": "com.openexchange.url.mail.attachment",
     "url": "file:///var/file"
   }

Solution:
We have implemented a protocol and host blacklist to avoid invoking any file-system references and local addresses.

---

Internal reference: 67874 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-10-31
Solution date: 2019-12-09
Public disclosure: 2020-02-19
Researcher Credits: chbi
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The RSS feature allows adding arbitrary data sources. To avoid exposing confidential data we implemented a host blacklist and a protocol whitelist. Due to an error, the host blacklist was not checked in case the protocol passed the whitelist.

Risk:
Users can trigger API calls that invoke local URLs. If a host can be accessed, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology and services.

Steps to reproduce:
1. Create an RSS feed
2. Use http://127.0.0.1.nip.io:80/test.xml as RSS feed
3. Monitor the response code

Solution:
We fixed the blacklist evaluation and avoid access to blacklisted hosts regardless of the port evaluation. Please consider adjusting com.openexchange.messaging.rss.feed.blacklist to your network layout.

---

Internal reference: 67931, 68258 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-11-04
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The snippets API allows adding arbitrary data sources. This reference was not checked against a sufficient protocol and host blacklist.

Risk:
Users can trigger API calls that invoke local URLs. If a host can be accessed, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology, services and files.

Steps to reproduce:
1. Create a snippet with HTML content
2. Include a reference to an internal host/service: <img src="http://localhost:22/badboy">
3. Monitor the response code

Solution:
We implemented a protocol and host blacklist to avoid invoking any file-system references and local addresses.

---

Internal reference: 67980 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-11-05
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The mail accounts feature allows adding arbitrary data sources. To avoid exposing confidential data we implemented a host blacklist and a protocol whitelist. Due to an error, the host blacklist was not checked in case the protocol passed the whitelist.

Risk:
Users can trigger API calls that invoke local URLs. If a host can be accessed, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology and services.

Steps to reproduce:
1. Create a mail account
2. Use 127.0.0.1:143 as IMAP server
3. Monitor the network socket

Solution:
We fixed the blacklist evaluation and avoid access to blacklisted hosts regardless of the port evaluation. Please consider adjusting com.openexchange.mail.account.blacklist to your network layout.

---

Internal reference: 67983 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2
Vulnerable component: office
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.2-rev4
Vendor notification: 2019-11-05
Solution date: 2019-12-09
Public disclosure: 2020-02-19
Researcher Credits: chbi
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
Recent versions of OX Documents allow inserting images from URL sources. Since no sufficient blacklist was in place, this allowed the server to make requests for arbitrary image resources.

Risk:
Users can trigger API calls that invoke local URLs. If a host can be accessed, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology and services.

Steps to reproduce:
1. Create an OX Documents document
2. Insert an image from URL and specify a local address, like http://127.0.0.1/test.jpg
3. Monitor the response code

Solution:
We implemented a host blacklist to avoid invoking any local addresses and operator-defined network blocks. Please consider adjusting com.openexchange.office.upload.blacklist to your network layout.

---

Internal reference: 68252 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: readerengine
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev10, 7.10.1-rev5, 7.10.2-rev6
Vendor notification: 2019-11-15
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
Documentconverter can be used to convert "remote" URLs and return images. The source of those URLs was not checked against a blacklist.

Risk:
Local resources like images or websites could be invoked by end-users, and their content exposed through the generated image.

Steps to reproduce:
1. Create a document and insert an image "from URL"
2. Enter a URL that redirects to the local documentconverter instance, which in turn contains a reference to a local resource:
   http%3A//localhost%3A8008/documentconverterws%3Faction%3Dconvert%26url%3Dhttp%253A//localhost/%26targetformat%3Dpng

Solution:
We now reject redirects and check provided URLs against blacklists and protocol whitelists.

---

Internal reference: 68136 (Bug ID)
Vulnerability type: Missing escaping (CWE-116)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: readerengine
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev6, 7.10.1-rev4, 7.10.2-rev3
Vendor notification: 2019-11-11
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-9853 (LibreOffice)
CVSS: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Vulnerability Details:
We have backported recent updates of LibreOffice, which is used by readerengine. This fixes potential vulnerabilities which are not directly related to readerengine.

Risk:
Existing vulnerabilities in upstream projects could be used in the context of OX App Suite / OX Documents. This is a precautionary update.

Steps to reproduce:
1. n/a

Solution:
n/a
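The SSRF entries above share one defensive pattern: a protocol whitelist, a host blacklist that must be consulted even when the protocol passes, resolution of host names to addresses (so that a name like 127.0.0.1.nip.io cannot bypass a textual check), and refusal to follow redirects. The following is an added illustration written for this advisory, not OX App Suite code: the flawed early-return logic the RSS and mail-account entries describe is reconstructed as an assumption beside a fixed evaluation, and the deny-list, DNS table and host names are constructed for the example.

```python
"""Added example (not OX code): protocol whitelist plus host blacklist for
server-side URL fetches, with the early-return bug next to the fixed logic."""
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # protocol whitelist: no file://, ftp://, ...

# Constructed deny-list; an operator would mirror the site's own network
# layout here (the advisory's com.openexchange.*.blacklist properties).
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
DENIED_HOSTNAMES = {"localhost"}


def system_resolve(host):
    """Resolve a host name to the set of addresses the OS returns."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def host_is_denied(host, resolve=system_resolve):
    """True if the host name, or any address it resolves to, is blacklisted.

    Checking resolved addresses is what defeats names such as
    127.0.0.1.nip.io, which pass a purely textual host comparison.
    """
    if host is None or host.lower() in DENIED_HOSTNAMES:
        return True
    try:
        addrs = {ipaddress.ip_address(host)}  # literal IPv4/IPv6 address
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        except (OSError, ValueError):
            return True  # unresolvable or unparsable: fail closed
    return any(addr in net for addr in addrs for net in DENIED_NETWORKS)


def flawed_url_check(url, resolve=system_resolve):
    """Reconstruction (an assumption, not OX's code) of the bug the advisory
    describes: the function returns as soon as the protocol passes the
    whitelist, so the host blacklist is only consulted for protocols that
    were going to be rejected anyway."""
    parts = urlsplit(url)
    if parts.scheme.lower() in ALLOWED_SCHEMES:
        return True
    return not host_is_denied(parts.hostname, resolve)


def url_is_allowed(url, resolve=system_resolve):
    """Fixed evaluation: both checks must pass, independent of each other
    and of the port given in the URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    return not host_is_denied(parts.hostname, resolve)


class RejectRedirects(urllib.request.HTTPRedirectHandler):
    """Never follow 3xx: a validated URL must not be able to bounce the
    server to a host that would have failed validation."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError instead of following


def fetch_checked(url, resolve=system_resolve, timeout=10):
    """Validate first, then fetch without following redirects."""
    if not url_is_allowed(url, resolve):
        raise ValueError("URL rejected by protocol whitelist / host blacklist")
    opener = urllib.request.build_opener(RejectRedirects())
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()


# Constructed resolver so the checks run offline; the names and addresses
# are made up for this demonstration.
FAKE_DNS = {
    "127.0.0.1.nip.io": {"127.0.0.1"},
    "intranet.example": {"10.20.30.40"},
    "www.example.com": {"203.0.113.10"},
}


def fake_resolve(host):
    try:
        return FAKE_DNS[host.lower()]
    except KeyError:
        raise OSError("no such host")


if __name__ == "__main__":
    for u in ("file:///var/file",
              "http://127.0.0.1.nip.io:80/test.xml",
              "http://localhost:22/badboy",
              "http://intranet.example/",
              "https://www.example.com/feed.xml"):
        print(f"{u:40} flawed={flawed_url_check(u, fake_resolve)!s:5} "
              f"fixed={url_is_allowed(u, fake_resolve)}")
```

Two caveats for anyone porting this: the check resolves the name once and the HTTP client resolves it again, so a name whose answer changes between the two lookups (DNS rebinding) still needs a client that connects to the validated address or a short-lived pinned resolution; and a fixed-size error message and timeout for rejected and unreachable hosts keeps the response from leaking which internal hosts exist, which is the information-disclosure risk the advisory's entries describe.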
Sent through the Full Disclosure mailing list: https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/