Open-Xchange Security Advisory 2021-04-30

Related Vulnerabilities: CVE-2020-28945, CVE-2020-28943, CVE-2020-28944

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">Open-Xchange Security Advisory 2021-04-30</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Martin Heiland via Fulldisclosure &lt;fulldisclosure () seclists org&gt;


<em>Date</em>: Fri, 30 Apr 2021 09:40:06 +0200 (CEST)


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving these 
vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH



Product: OX App Suite / OX Guard
Vendor: OX Software GmbH



Affected product: OX App Suite
Internal reference: OXUIB-481
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.4 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev23, 7.10.4-rev14
Vendor notification: 2020-09-28
Solution date: 2020-11-23
Public disclosure: 2021-04-30
CVE reference: CVE-2020-28945
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
When searching for contacts in mobile mode (App Suite UI on a smartphone), specific fields of a contact object were not 
properly escaped before being rendered. This could lead to script execution if the user's search yielded contacts with 
malicious data.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or to triggering 
unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would 
require the victim to execute a specific action.

Steps to reproduce:
1. Create a malicious contact which contains script code as "position" or "company" value
2. Share the contact with the victim, for example within the same context or as a vCard file
3. Make the victim search for this contact in mobile mode

Solution:
We improved how search results in mobile mode are being constructed and delivered, considering user-provided 
information as potentially malicious.



---



Affected product: OX App Suite
Internal reference: OXUIB-491
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.4 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev23, 7.10.4-rev14
Vendor notification: 2020-10-01
Solution date: 2020-11-23
Public disclosure: 2021-04-30
CVE reference: CVE-2020-28945
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
An undocumented component did not correctly handle user-generated content when displaying the information to a user.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or to triggering 
unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would 
require the victim to follow a link provided by the attacker.

Steps to reproduce:
1. Create or upload a malicious "Notes" item
2. Share that item with a user within the same context and make them open it

Proof of concept:
xx ![](http://onerror=Function.constructor`\x61\x6c\x65\x72\x74\x28\x22\x58\x53\x53\x22\x29\x3b`.call``;// ) yy

Solution:
We disabled the ability to launch the undocumented component for the time being, and with it the risk of executing 
malicious content as code.



---



Affected product: OX App Suite
Internal reference: OXUIB-509
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.4 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev23, 7.10.4-rev14
Vendor notification: 2020-10-12
Solution date: 2020-11-23
Public disclosure: 2021-04-30
CVE reference: CVE-2020-28945
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Contact "distribution lists" can be created in a way that they contain script code which is being executed in 
"scheduling" view.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or to triggering 
unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would 
require the victim to import data and/or execute a specific action.

Steps to reproduce:
1. Create a malicious distribution list where a member contains malicious script code as "common name"
2. Share the distribution list with the victim, for example within the same context or as vcard file
3. Make the victim add this distribution list to "scheduling" view in calendar

Proof of concept:
" " &lt;img/src='x'/onerror='alert(&amp;quot;XSS&amp;quot;)'/cut=@example.com&gt;

Solution:
We improved how the "scheduling" overview is being constructed and delivered, considering user-provided information as 
potentially malicious.



---



Affected product: OX App Suite
Internal reference: MWB-646
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev28, 7.10.4-rev14
Vendor notification: 2020-10-12
Solution date: 2020-11-23
Public disclosure: 2021-04-30
CVE reference: CVE-2020-28943
CVSS: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Vulnerability Details:
Snippets are used to temporarily store content for internal handling, for example mail signatures or e-mail attachments 
while they are being moved to Drive ("managed files"). The identifier of such a snippet could be defined via an API call 
and is used as the reference when retrieving the file from any of the caches. By timing this retrieval correctly, i.e. 
waiting for eviction from the local cache and garbage collection, the reference could be made to point at an arbitrary 
network resource instead of the snippet content while the snippet is moved back from the distributed to the local 
cache. Path traversal techniques could be used to escape the predefined valid URI for those snippets.

Risk:
Arbitrary network resources could be requested by a malicious user through the middleware, including resources within 
the internal trust boundary in which the OX App Suite middleware operates. For web services, this could expose the 
response of the service to the user. Services that require authentication or do not respond to GET requests are not 
affected.

Steps to reproduce:
1. Create a snippet (e.g. an image attachment) using a malicious identifier
2. Wait a couple of minutes until the snippet expires from the local map
3. Request the snippet so that it is fetched from the distributed map, using the malicious reference

Solution:
We now URI-encode the identifier when retrieving distributed managed files, so that resources outside the application's 
scope can no longer be requested. Independently of this, we suggest that operators use the existing Security Manager 
configuration to restrict network access of the middleware process to a reasonable scope.



---



Affected product: OX Guard
Internal reference: GUARD-228
Vulnerability type: Denial Of Service (CWE-400)
Vulnerable version: 2.10.4 and earlier
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.10.3-rev8, 2.10.4-rev5
Vendor notification: 2020-11-02
Solution date: 2020-11-23
Public disclosure: 2021-04-30
CVE reference: CVE-2020-28944
CVSS: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L)

Vulnerability Details:
WKS (Web Key Service) is used as an option to retrieve a user's public key material for encrypted mail communication. If 
an attacker set up malicious WKS infrastructure, OX Guard could be tricked into keeping connections open for a long 
period of time or processing unusually large chunks of data.

Risk:
OX Guard nodes could be forced to exhaust system resources such as network sockets, memory and connection pools, leading 
to temporary unavailability of the service.

Steps to reproduce:
1. Set up a malicious WKS service that responds very slowly and/or with huge amounts of data
2. Add one or more e-mail recipients in OX App Suite whose domain is handled by this malicious WKS service

Solution:
We added limits on both response size and total connection duration to avoid being stuck processing responses from 
malicious sources.
</pre><p><strong>Attachment:
<a href="att-67/signature_asc.bin"><tt>signature.asc</tt></a></strong>

<em>Description:</em> </p>
<pre style="margin: 0em;">
_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>Open-Xchange Security Advisory 2021-04-30</strong> <em>Martin Heiland via Fulldisclosure (Apr 30)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>