Sophos Mobile Control 3.5.0.3 Open Reverse Proxy

Sophos Mobile Control 3.5.0.3 Open Reverse Proxy
Posted Aug 5, 2016
Authored by Tim Kretschmann

Sophos EAS Proxy is part of the Enterprise Mobility Management (EMM) platform Sophos Mobile Control, which allows control of mail access for managed mobile devices. Anonymous attackers can access any web resources of the backend mail system, such as Microsoft Exchange or IBM Domino, if the Lotus Traveler option is enabled. Brute force attacks against users in the backend mail system are also possible. Version 3.5.0.3 is affected.

tags | exploit, web
advisories | CVE-2016-6597
SHA-256 | 13292e8189bb32eb950d3a3ed393223e5c68751d34f25e1d5312f596b3dfaf82

Application: Sophos Mobile Control EAS Proxy
Versions Affected: 3.5.0.3
Vendor URL: https://www.sophos.com/
Bugs: Open Reverse Proxy
Sent: 30.06.2016
Reported: 05.07.2016
Vendor response: 13.07.2016
Published BugFix by vendor: 28.07.2016
Date of Public Advisory: 05.08.2016
Reference: Sophos Case #6061906
Author: Tim Kretschmann (Pallas GmbH)
Version and State of report: 0.9 - PrePublic


Description


1. ADVISORY INFORMATION

Title: Sophos Mobile Control EAS Proxy Open Reverse Proxy vulnerability
Risk: high
Advisory URL: https://www.pallas.com/advisories/sophos_eas_open_reverse_proxy_vulnerability
Date published: 05.08.2016
Vendors contacted: Sophos


2. VULNERABILITY INFORMATION

Impact: access to any web resources of the backend mail system, if the Lotus
Traveler option is enabled
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2016-6597
CVSS Base Score v2: 8.6 / 10
CVSS Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N


3. VULNERABILITY DESCRIPTION

Sophos EAS Proxy is part of the Enterprise Mobility Management (EMM)
platform Sophos Mobile Control, which allows control of mail access for
managed mobile devices.
Anonymous attackers can access any web resources of the backend mail
system, such as Microsoft Exchange or IBM Domino, if the Lotus Traveler
option is enabled. Brute force attacks against users in the backend mail
system are also possible.


4. VULNERABLE PACKAGES

Sophos Mobile Control EAS Proxy Version 3.5.0.3
Other versions are probably affected too, but they were not checked.


5. SOLUTIONS AND WORKAROUNDS

Solution: Update to "Sophos Mobile Control EAS Proxy 6.2.0.exe"
Workaround: Disable the Lotus Traveler option if possible; limit access to
the web resources of the backend mail system


6. AUTHOR

Tim Kretschmann (Pallas GmbH)


7. TECHNICAL DESCRIPTION

Proof of Concept for IBM Domino
https://<PublicIP_of_EASProxy>:<Port_of_EASProxy>/da.nsf
https://<PublicIP_of_EASProxy>:<Port_of_EASProxy>/dba4.nsf
https://<PublicIP_of_EASProxy>:<Port_of_EASProxy>/homepage.nsf
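
The workaround in section 5 and the proof of concept above both come down to the same point: a reverse proxy in front of a mail server must forward only the paths the mobile clients actually need, not the whole backend. The following is an added example (not Sophos or Pallas code) of such a path allowlist, with normalization so that case changes, percent-encoding and dot segments cannot bypass it, plus a check over access-log lines that flags proxied requests falling outside the list. The allowed prefixes are an assumption about what an ActiveSync/Traveler proxy needs to forward; the log lines are constructed, not real traffic.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed prefixes an ActiveSync/Traveler proxy legitimately needs to forward.
ALLOWED_PREFIXES = (
    "/microsoft-server-activesync",
    "/traveler/microsoft-server-activesync",
)

def normalize_path(raw_target: str) -> str:
    """Canonical lowercase path: decoded, dot segments collapsed, query dropped."""
    path = urlsplit(raw_target).path or "/"
    path = unquote(path)                  # "%2e%2e" -> ".."
    path = posixpath.normpath(path)       # collapses "a/../b", "//", "/./"
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()

def is_allowed_path(raw_target: str) -> bool:
    """True only for an allowed endpoint itself or something directly beneath it."""
    path = normalize_path(raw_target)
    return any(path == p or path.startswith(p + "/") for p in ALLOWED_PREFIXES)

def flag_unexpected_requests(log_lines):
    """Return (client, target) for common-log-format requests outside the allowlist."""
    flagged = []
    for line in log_lines:
        try:
            client = line.split(" ", 1)[0]
            target = line.split('"', 2)[1].split(" ")[1]
        except IndexError:
            continue  # malformed line, skip it
        if not is_allowed_path(target):
            flagged.append((client, target))
    return flagged

# Constructed sample log lines: one legitimate sync, then requests for the Domino
# resources named in the proof of concept, two of them hidden behind traversal.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Aug/2016:10:00:01 +0200] "POST /Microsoft-Server-ActiveSync?Cmd=Sync HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/Aug/2016:10:00:09 +0200] "GET /da.nsf HTTP/1.1" 200 4096',
    '198.51.100.7 - - [05/Aug/2016:10:00:12 +0200] "GET /traveler/Microsoft-Server-ActiveSync/../../homepage.nsf HTTP/1.1" 200 2048',
    '198.51.100.7 - - [05/Aug/2016:10:00:15 +0200] "GET /traveler/Microsoft-Server-ActiveSync/%2e%2e/%2e%2e/dba4.nsf HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, target in flag_unexpected_requests(SAMPLE_LOG):
        print(f"outside allowlist: {client} requested {target}")
```

Without the normpath step, the two traversal requests would pass a naive prefix check, which is why the allowlist must be applied to the normalized path that is actually forwarded.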


8. ABOUT Pallas GmbH

Pallas GmbH, located in Germany, provides managed and hosting services
with focus on Security.
Address: Pallas GmbH, Hermuelheimer Str. 8a, 50321 Bruehl, GERMANY
Phone: 0049.2232.18960



