Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Open-Xchange Security Advisory 2020-08-20

Related Vulnerabilities: CVE-2020-12646   CVE-2020-12645   CVE-2020-12643   CVE-2020-12644   CVE-2020-8542  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="13"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#14">By Date</a>
<a href="15"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="13"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#14">By Thread</a>
<a href="15"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">Open-Xchange Security Advisory 2020-08-20</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Open-Xchange GmbH via Fulldisclosure &lt;fulldisclosure () seclists org&gt;


<em>Date</em>: Thu, 20 Aug 2020 08:09:49 +0200


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">Dear subscribers,

we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those 
vulnerabilities. Feel free to join our bug bounty programs for OX App Suite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
  Martin Heiland, Open-Xchange GmbH



Product: OX App Suite / OX Documents
Vendor: OX Software GmbH



Internal reference: MWB-70 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-02-07
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: raiz_
CVE reference: CVE-2020-12646
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Our script filters did not consider the ancient media-type "text/x-javascript" as potentially malicious, however Google 
Chrome executes content of this type as script code.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted 
actions via the web interface (sending mail, deleting data etc.). To exploit this an additional step is necessary which 
could be achieved through social engineering.

Steps to reproduce:
1. Upload a code snippet to Drive and modify its media-type
2. Share the file publicly and make a user open this link
3. Next, make the user visit a direct API reference to the file and add "delivery=view" as API parameter

Solution:
We improved our filter to consider this media-type.



---



Internal reference: MWB-107 (Bug ID)
Vulnerability type: Improper input validation (CWE-20)
Vulnerable version: 7.10.1 to 7.10.3
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-02-24
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: Osama Hamad Shehab
CVE reference: CVE-2020-12645
CVSS: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
When using OX App Suite for authentication directly, a login "rate-limit" is applied. This could be circumvented by 
exploiting logic issues when handling the clients user-agent string.

Risk:
Brute-force attempts could be made using large quantities of arbitrary passwords to discover account credentials. While 
this attack would be quite noisy it's possible that it may not get noticed on unmonitored systems. The attacker would 
still hit the generic API request limit at some point.

Steps to reproduce:
1. Use the /login API and send login attempts until the rate-limit hits
2. Modify the user-agent string
3. Return login attempts

Solution:
We fixed the logic dealing with buckets of login processes to discover such attempts and correctly apply rate limiting.



---



Internal reference: MWB-108 (Bug ID)
Vulnerability type: Access Control Bypass (CWE-639)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-02-24
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: kattsson
CVE reference: CVE-2020-12643
CVSS: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Incorrect permission checks were performed when requesting other users "snippets". This can be used to discover E-Mail 
addresses of external accounts.

Risk:
Potentially sensitive information about other users can be discovered and used for further attacks. Access is limited 
to users within the same context.

Steps to reproduce:
1. Use the /api/subscriptions API and request arbitrary subscription IDs for other user IDs
2. If a combination of user ID and subscription ID matches, metadata about a subscription would be returned

Solution:
We improved permissions checks in this area to limit exposure of information.



---



Internal reference: MWB-120 (Bug ID)
Vulnerability type: Improper input validation (CWE-20)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-02-27
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: kattsson
CVE reference: CVE-2020-12645
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)

Vulnerability Details:
Vacation notices could be used to send E-Mail with arbitrary sender information.

Risk:
Malicious users could set up vacation notices that send E-Mail responses with a forged sender address. Depending on the 
egress MTA configuration this can be used for impersonification.

Steps to reproduce:
1. Create vacation notice and modify the "From" attribute by changing the API request
2. Make someone send E-Mail to this account or forge a "reply-to" header
3. E-Mail will be sent using illegitimate sender information

Solution:
We applied the same checks for vacation notices as we're using for regular user mail operations.



---



Internal reference: MWB-190 (Bug ID)
Vulnerability type: Cross-site scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-03-24
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: Alexey Petrenko
CVE reference: CVE-2020-12646
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Our script filters did not consider the media-type "text/rdf" as potentially malicious, however Mozilla Firefox 
executes content of this type as script code.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted 
actions via the web interface (sending mail, deleting data etc.). To exploit this an additional step is necessary which 
could be achieved through social engineering.

Steps to reproduce:
1. Upload a code snippet to Drive and modify its media-type
2. Share the file publicly and make a user open this link
3. Next, make the user visit a direct API reference to the file and add "delivery=view" as API parameter

Solution:
We improved our filter to consider this media-type.



---



Internal reference: MWB-221 (Bug ID)
Vulnerability type: Improper input validation (CWE-20)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2019-04-06
Solution date: 2020-05-13
Public disclosure: 2020-08-20
CVE reference: CVE-2020-12645
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Vulnerability Details:
The /apps/load endpoint is used to pre-load various resources for optimized transfer. It's parameters can be abused to 
process content multiple times.

Risk:
Depending on the environments memory configuration and the amount of requested content, memory exhaustion can be 
triggered, leading to temporary unavailability of one or more nodes.

Steps to reproduce:
1. Use the /apps/load API endpoint and supply up to 254 content references
2. Repeat and/or run this request in parallel

Solution:
We removed duplicate content from the request and make sure none is processed twice. Since only limited options for 
content exist we expect this to mitigate the attack vector.



---



Internal reference: MWB-226 (Bug ID)
Vulnerability type: Server-side request forgery (CWE-918)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2019-04-07
Solution date: 2020-05-13
Public disclosure: 2020-08-20
CVE reference: CVE-2020-12644
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The mail account API can be used to inject references to internal network topology when updating existing accounts and 
subsequent requests would trigger network connections.

Risk:
Based on the response and timing of those connections and attacker can gain insight to internal network topology and 
configuration. This bypasses the existing blacklist.

Steps to reproduce:
1. Add a new external mail account using a legitimate IMAP server
2. Modify this accounts configuration and add a reference to an internal host
3. Use the /folder/list API to trigger a account refresh

Solution:
We now reject adding blacklisted network endpoints also when updating the account configuration.



---



Internal reference: DOCS-1844 (Bug ID)
Vulnerability type: Cross-site scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: office-web, frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev63, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev10
Vendor notification: 2019-03-06
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: chbi
CVE reference: CVE-2020-8542
CVSS: 2.2 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
When pasting text from a native source to a OX Documents file, script code embedded within the paste content would be 
executed. This is related to a recent library update.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted 
actions via the web interface (sending mail, deleting data etc.). To exploit this an additional step is necessary which 
could be achieved through social engineering.

Steps to reproduce:
1. Create a legitimate looking text documents and hide JS code within it
2. Make a user copy text from a native source (e.g. text file) and paste it to OX Documents

Solution:
We updated DOMpurify to a version which solves this vulnerability.



---



Internal reference: DOCS-1886, OXUIB-158 (Bug ID)
Vulnerability type: Cross-site scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: office-web, frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev63, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev10
Vendor notification: 2019-03-18
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: chbi
CVE reference: CVE-2020-12646
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Script code embedded to PDF files could be executed when using documents preview.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted 
actions via the web interface (sending mail, deleting data etc.). To exploit this an additional step is necessary which 
could be achieved through social engineering. To trigger the vulnerable code a specific content-security-policy 
(worker-src blob:) is required.

Steps to reproduce:
1. Create a malicious PDF file containing script code
2. Send and make a user open this file using preview

Solution:
We updated PDF.js to a version which solves this vulnerability.

</pre><p><strong>Attachment:
<a href="att-14/signature_asc.bin"><tt>signature.asc</tt></a></strong>

<em>Description:</em> Message signed with OpenPGP</p>
<pre style="margin: 0em;">
_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="13"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#14">By Date</a>
<a href="15"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="13"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#14">By Thread</a>
<a href="15"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>Open-Xchange Security Advisory 2020-08-20</strong> <em>Open-Xchange GmbH via Fulldisclosure (Aug 21)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started