title: Multiple vulnerabilities in CTERA Portal product: CTERA Portal
vulnerable version: 3.1 fixed version: 3.2 impact: Critical homepage: http://www.ctera.com found: 2013-02-04 by: Stefan Streichsbier SEC Consult Vulnerability Lab =======================================================================
CTERA Portal is a scalable cloud service delivery platform that enables the creation, delivery and management of cloud storage applications, including file sharing and sync, backup, and mobile collaboration.
Full details: http://www.ctera.com/products/products/ctera-portal-cloud-storage-delivery
By exploiting the XXE vulnerability, an unauthenticated attacker can get full read access to the filesystem of CTERA portal as root user and thus obtain sensitive information such as the root password hash from the /etc/shadow file, which, after being cracked in a short time, was revealed to be quite simple and presumably the same for all CTERA Portal installations. Furthermore, by default it is possible to login as the root user using SSH, which potentially allows attackers to fully take over unsecured CTERA Portal installations.
The recommendation of SEC Consult is to immediately upgrade to version 3.2 and secure the SSH service by only allowing public key authentication.
1.) Outdated Tomcat Version
The installed version of tomcat is outdated and several vulnerabilities are publicly known for it.
2.) Bypass of Temporary Account Locking
The main login functionality provides a security feature that temporarily locks the account after 5 failed authentication attempts. This can be bypassed by using the WEBDAV functionality which relies on HTTP Basic Authentication.
3.) Permanent Cross Site Scripting
4.) XML External Entity Injection
The used XML parser is resolving XML external entities which allows attackers to read files and send requests to systems on the internal network (e.g port scanning). The risk of this vulnerability is dramatically increased by the fact that it can be exploited by anonymous users without existing accounts and that the Tomcat server and thus the XML parser is running as root user. Attackers are able to read the root password hash from /etc/shadow and crack it within minutes. If the default SSH service configuration has not been secured, attackers can subsequently login to the CTERA portal via SSH as the root user and fully take over control of the system.
Due to the potential impact, no proof-of-concepts are disclosed.
2013-02-26: Affected client sent report with vulnerability descriptions to vendor. 2013 March-May: Vulnerabilities have been analysed and a timeline for releasing patches has been scheduled. First round of patches has been published. 2013-06-05: SEC Consult releases coordinated security advisory.
Upgrade to version 3.2 and configure public-key-only authentication for SSH.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab
SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15
Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult
Secure your WordPress with MVIS Security Center! https://www.sec-consult.com/en/Portfolio/Services/MVIS-Security-Center.htm
EOF Stefan Streichsbier / @2013