Open-Xchange Security Advisory 2013-09-10

Type securityvulns
Reporter Securityvulns
Modified 2013-10-01T00:00:00


Product: Open-Xchange AppSuite Vendor: Open-Xchange GmbH

Internal reference: 28260 (Bug ID) Vulnerability type: CWE-16: Configuration, CWE-287: Improper Authentication, CWE-200: Information Exposure Vulnerable version: 7.0.0 to 7.2.2 Vulnerable component: backend (default configuration) Fixed version: 7.0.2-rev15, 7.2.2-rev16 Solution status: Fixed by Vendor Vendor notification: 2013-08-13 Solution date: 2013-08-27 Public disclosure: 2013-09-10 CVE reference: CVE-2013-5200 CVSSv2: 5.6 (AV:N/AC:L/Au:N/C:P/I:P/A:N/E:POC/RL:U/RC:C/CDP:MH/TD:M/CR:ND/IR:ND/AR:ND)

Vulnerability Details: Multiple vulnerabilities have been discovered regarding the Hazelcast based cluster API implementation at the Open-Xchange backend. CWE-16 (Configuration): By default, the cluster implementation listens to all available network interfaces at port 5701/tcp. This may include interfaces that are exposed to potentially hostile networks. CWE-287 (Improper Authentication): By default, the REST and memcache interfaces do not require authentication to access the cluster API to gain or inject information. Joining potentially rogue nodes to the cluster using the native Hazelcast API is possible by using a hardcoded password that's exposed by the source code. CWE-200 (Information Exposure): The cluster API exposes several critical information such as runtime data, network information. In cases where a distributed session storage is used, session information of logged in users may be accessed as well. Unnecessary APIs for memcache and REST are exposed.

Risk: When running the Open-Xchange backend on a network that's directly attached to the Internet or other potentially hostile networks, an attacker may access and inject critical information. The exposed API could be used to influence systems availability by injecting arbitrary data or disconnect cluster nodes.

Steps to reproduce: 1. Use a Java, C#, REST or memcache client to access the Hazelcast API 2. Execute commands specified by the Hazelcast API documentation

Proof of concept: The issue has been reproduced using various REST client calls. For example, use a HTTP GET request to gain network and status information about the cluster.

GET http://server:5701/hazelcast/rest/cluster/ Cluster [1] { Member []:5701 this } ConnectionCount: 1 AllConnectionCount: 1

Solution: Update to 7.0.2-rev15 or 7.2.2-rev16 When operating any kind of network services, make sure to apply proper port filtering