OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Open-Xchange Security Advisory 2013-09-10

From: Martin Braun (martin.braunopen-xchange.com)
Date: Tue Sep 10 2013 - 04:18:08 CDT


Product: Open-Xchange AppSuite
Vendor: Open-Xchange GmbH

Internal reference: 28260 (Bug ID)
Vulnerability type: CWE-16: Configuration, CWE-287: Improper Authentication, CWE-200: Information Exposure
Vulnerable version: 7.0.0 to 7.2.2
Vulnerable component: backend (default configuration)
Fixed version: 7.0.2-rev15, 7.2.2-rev16
Solution status: Fixed by Vendor
Vendor notification: 2013-08-13
Solution date: 2013-08-27
Public disclosure: 2013-09-10
CVE reference: CVE-2013-5200
CVSSv2: 5.6 (AV:N/AC:L/Au:N/C:P/I:P/A:N/E:POC/RL:U/RC:C/CDP:MH/TD:M/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Multiple vulnerabilities have been discovered regarding the Hazelcast based cluster API implementation at the Open-Xchange backend.
CWE-16 (Configuration): By default, the cluster implementation listens to all available network interfaces at port 5701/tcp. This may include interfaces that are exposed to potentially hostile networks.
CWE-287 (Improper Authentication): By default, the REST and memcache interfaces do not require authentication to access the cluster API to gain or inject information. Joining potentially rogue nodes to the cluster using the native Hazelcast API is possible by using a hardcoded password that's exposed by the source code.
CWE-200 (Information Exposure): The cluster API exposes several critical information such as runtime data, network information. In cases where a distributed session storage is used, session information of logged in users may be accessed as well. Unnecessary APIs for memcache and REST are exposed.

Risk:
When running the Open-Xchange backend on a network that's directly attached to the Internet or other potentially hostile networks, an attacker may access and inject critical information. The exposed API could be used to influence systems availability by injecting arbitrary data or disconnect cluster nodes.

Steps to reproduce:
1. Use a Java, C#, REST or memcache client to access the Hazelcast API
2. Execute commands specified by the Hazelcast API documentation

Proof of concept:
The issue has been reproduced using various REST client calls. For example, use a HTTP GET request to gain network and status information about the cluster.

GET http://server:5701/hazelcast/rest/cluster/
Cluster [1] {
        Member [192.168.13.37]:5701 this
}
ConnectionCount: 1
AllConnectionCount: 1

Solution:
Update to 7.0.2-rev15 or 7.2.2-rev16
When operating any kind of network services, make sure to apply proper port filtering