Full Disclosure mailing list archives

Open-Xchange Security Advisory 2020-02-19


From: Open-Xchange GmbH via Fulldisclosure <fulldisclosure () seclists org>
Date: Wed, 19 Feb 2020 14:40:37 +0100

Dear subscribers,

We're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving these 
vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH



Product: OX App Suite / OX Documents
Vendor: OX Software GmbH

Internal reference: 67871, 68258 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-10-31
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Vulnerability Details:
The attachment API for Calendar, Tasks etc. allows clients to define references to e-mail attachments that should be added. 
These references were not checked against a sufficient protocol and host blacklist.

Risk:
Users can trigger API calls that invoke local files or URLs. Content provided by these resources would be added as an 
attachment.

Steps to reproduce:
1. Create a task
2. Use the /ajax/attachment?action=attach API call and provide a URL in the datasource:
    "datasource": {
        "identifier": "com.openexchange.url.mail.attachment",
        "url": "file:///var/file"
    }

Solution:
We have implemented a protocol and host blacklist to avoid invoking any file-system references and local addresses.



---



Internal reference: 67874 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-10-31
Solution date: 2019-12-09
Public disclosure: 2020-02-19
Researcher Credits: chbi
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The RSS feature allows users to add arbitrary data sources. To avoid exposing confidential data, we implemented a host 
blacklist and a protocol whitelist. Due to an error, the host blacklist was not checked if the protocol passed the 
whitelist.

Risk:
Users can trigger API calls that invoke local URLs. If a host can be accessed, a different error is returned than for 
unavailable hosts. This can be used to discover the internal network topology and services.

Steps to reproduce:
1. Create an RSS feed
2. Use http://127.0.0.1.nip.io:80/test.xml as RSS feed
3. Monitor the response code

Solution:
We fixed the blacklist evaluation and now deny access to blacklisted hosts regardless of the port evaluation. Please 
consider adjusting com.openexchange.messaging.rss.feed.blacklist to your network layout.



---



Internal reference: 67931, 68258 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-11-04
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The snippets API allows users to add arbitrary data sources. These references were not checked against a sufficient 
protocol and host blacklist.

Risk:
Users can trigger API calls that invoke local URLs. If a host can be accessed, a different error is returned than for 
unavailable hosts. This can be used to discover the internal network topology, services and files.

Steps to reproduce:
1. Create a snippet with HTML content
2. Include a reference to an internal host/service
<img src="http://localhost:22/badboy">
3. Monitor the response code

Solution:
We implemented a protocol and host blacklist to avoid invoking any file-system references and local addresses.



---



Internal reference: 67980 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-11-05
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The mail accounts feature allows users to add arbitrary data sources. To avoid exposing confidential data, we implemented a 
host blacklist and a protocol whitelist. Due to an error, the host blacklist was not checked if the protocol passed 
the whitelist.

Risk:
Users can trigger API calls that invoke local URLs. If a host can be accessed, a different error is returned than for 
unavailable hosts. This can be used to discover the internal network topology and services.

Steps to reproduce:
1. Create a mail account
2. Use 127.0.0.1:143 as IMAP server
3. Monitor the network socket

Solution:
We fixed the blacklist evaluation and now deny access to blacklisted hosts regardless of the port evaluation. Please 
consider adjusting com.openexchange.mail.account.blacklist to your network layout.
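The RSS and mail-account issues above share one logic flaw: a scheme that passes the protocol whitelist ends the evaluation before the host blacklist runs. The following example, added here and not Open-Xchange's own code, contrasts that short-circuit with a check that applies both filters and matches the resolved addresses against blocked networks (which is what catches a hostname such as 127.0.0.1.nip.io that only resolves to loopback). The blocked networks, hostnames and the FAKE_DNS table are constructed stand-ins so the code runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example, not the vendor's implementation: protocol whitelist plus host blacklist.
ALLOWED_SCHEMES = {"http", "https"}
# Constructed blacklist: loopback, RFC 1918, link-local and one operator-defined block.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10", "203.0.113.0/24",
)]
BLOCKED_HOSTNAMES = {"localhost"}

# Constructed offline stand-in for DNS; a real deployment would call socket.getaddrinfo().
FAKE_DNS = {
    "127.0.0.1.nip.io": ["127.0.0.1"],     # looks external, resolves to loopback
    "feeds.example.com": ["198.51.100.7"],
    "intranet.example": ["10.1.2.3"],
}

def resolve(host, resolver=FAKE_DNS):
    """Return the IP addresses a host name stands for (a literal address maps to itself)."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in resolver.get(host, [])]

def host_blacklisted(host, resolver=FAKE_DNS):
    """True if the host is missing, a blocked name, unresolvable, or resolves into a blocked network."""
    if host is None or host.lower() in BLOCKED_HOSTNAMES:
        return True
    addrs = resolve(host, resolver)
    return not addrs or any(a in net for a in addrs for net in BLOCKED_NETWORKS)

def buggy_is_allowed(url):
    """Flawed evaluation in the spirit of the advisory: an accepted scheme returns early,
    so the host blacklist is never consulted for http(s) URLs."""
    parts = urlsplit(url)
    if parts.scheme in ALLOWED_SCHEMES:
        return True
    return not host_blacklisted(parts.hostname)

def is_allowed(url):
    """Fixed evaluation: the scheme must be whitelisted AND the host must not be blacklisted,
    independent of the port the URL names."""
    parts = urlsplit(url)
    return parts.scheme in ALLOWED_SCHEMES and not host_blacklisted(parts.hostname)
```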



---



Internal reference: 67983 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2
Vulnerable component: office
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.2-rev4
Vendor notification: 2019-11-05
Solution date: 2019-12-09
Public disclosure: 2020-02-19
Researcher Credits: chbi
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
Recent versions of OX Documents allow users to insert images from URL sources. Since no sufficient blacklist was in place, 
the server could be made to request arbitrary image resources.

Risk:
Users can trigger API calls that invoke local URLs. If a host can be accessed, a different error is returned than for 
unavailable hosts. This can be used to discover the internal network topology and services.

Steps to reproduce:
1. Create an OX Documents document
2. Insert an image from URL and specify a local address, like http://127.0.0.1/test.jpg
3. Monitor the response code

Solution:
We implemented a host blacklist to avoid invoking any local addresses and operator-defined network blocks. Please 
consider adjusting com.openexchange.office.upload.blacklist to your network layout.



---



Internal reference: 68252 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: readerengine
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev10, 7.10.1-rev5, 7.10.2-rev6
Vendor notification: 2019-11-15
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The documentconverter can be used to convert "remote" URLs and return the result as images. The source of those URLs was 
not checked against a blacklist.

Risk:
Local resources like images or websites could be invoked by end-users and expose their content through the generated 
image.

Steps to reproduce:
1. Create a document and insert an image "from URL"
2. Enter a URL that redirects to the local documentconverter instance which again contains a reference to a local 
resource
http%3A//localhost%3A8008/documentconverterws%3Faction%3Dconvert%26url%3Dhttp%253A//localhost/%26targetformat%3Dpng

Solution:
We now reject redirects and check provided URLs against blacklists and protocol whitelists.



---



Internal reference: 68136 (Bug ID)
Vulnerability type: Missing escaping (CWE-116)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: readerengine
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev6, 7.10.1-rev4, 7.10.2-rev3
Vendor notification: 2019-11-11
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-9853 (LibreOffice)
CVSS: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Vulnerability Details:
We have backported recent updates of LibreOffice, which is used by readerengine. This fixes potential 
vulnerabilities that are not directly related to readerengine.

Risk:
Existing vulnerabilities in upstream projects could be exploited in the context of OX App Suite / OX Documents. This is a 
precautionary update.

Steps to reproduce:
1. n/a

Solution:
n/a
