what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

OX App Suite SSRF / Resource Consumption / Command Injection

OX App Suite SSRF / Resource Consumption / Command Injection
Posted Jun 22, 2023
Authored by Mehmet Ince, Martin Heiland, Tim Coen, Icare

OX App Suite suffers from server-side request forgery, command injection, uncontrolled resource consumption, code injection, authorization bypass, and insecure storage vulnerabilities. Various versions in the 7.10.x and 8.x branches are affected.

tags | advisory, vulnerability
advisories | CVE-2023-26427, CVE-2023-26428, CVE-2023-26429, CVE-2023-26431, CVE-2023-26432, CVE-2023-26433, CVE-2023-26434, CVE-2023-26435, CVE-2023-26436
SHA-256 | a27979ae3ae36aed54def31f404e98c49b579e2113420246b0b046bb9f32e18d

OX App Suite SSRF / Resource Consumption / Command Injection

Change Mirror Download
Internal reference: MWB-1994
Type: CWE-922 (Insecure Storage of Sensitive Information)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev39
First fixed revision: OX App Suite backend 7.10.6-rev40
Discovery date: 2023-01-09
Solution date: 2023-03-10
Disclosure date: 2023-06-20
Researcher credits: Tim 'foobar7' Coen
CVE: CVE-2023-26427
CVSS: 3.2 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N)

Details:
Weak default permissions for noreply.properties. Default permissions for a properties file were too permissive.

Risk:
Local system users could read potentially sensitive information. No publicly available exploits are known.

Solution:
We updated the default permissions for noreply.properties set during package installation.



---



Internal reference: MWB-2008
Type: CWE-639 (Authorization Bypass Through User-Controlled Key)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev39, OX App Suite backend 8.9
First fixed revision: OX App Suite backend 7.10.6-rev40, OX App Suite backend 8.10
Discovery date: 2023-01-17
Solution date: 2023-03-10
Disclosure date: 2023-06-20
Researcher credits: Tim 'foobar7' Coen
CVE: CVE-2023-26428
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Details:
Access to other users signatures is not checked. Attackers can successfully request arbitrary snippet IDs, including E-Mail signatures of other users within the same context.

Risk:
Signatures of other users could be read even though they are not explicitly shared. No publicly available exploits are known.

Solution:
We improved permission handling when requesting snippets that are not explicitly shared with other users.



---



Internal reference: MWB-2019
Type: CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection'))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev39, OX App Suite backend 8.10
First fixed revision: OX App Suite backend 7.10.6-rev40, OX App Suite backend 8.11
Discovery date: 2023-01-23
Solution date: 2023-03-09
Disclosure date: 2023-06-20
Researcher credits: Tim 'foobar7' Coen
CVE: CVE-2023-26429
CVSS: 3.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N)

Details:
User-feedback not sanitized for control characters. Control characters were not removed when exporting user feedback content.

Risk:
This allowed attackers to include unexpected content via user feedback and potentially break the exported data structure. No publicly available exploits are known.

Solution:
We now drop all control characters that are not whitespace character during the export.



---



Internal reference: MWB-2038
Type: CWE-918 (Server-Side Request Forgery (SSRF))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev39, OX App Suite backend 8.10
First fixed revision: OX App Suite backend 7.10.6-rev40, OX App Suite backend 8.11
Discovery date: 2023-02-07
Solution date: 2023-03-16
Disclosure date: 2023-06-20
Researcher credits: Mehmet 'mdisec' Ince
CVE: CVE-2023-26431
CVSS: 5.0 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Details:
SSRF through bypassing denylists via IPV4-mapped IPv6 addresses. IPv4-mapped IPv6 addresses did not get recognized as "local" by the code and a connection attempt is made.

Risk:
Attackers with access to user accounts could use this to bypass existing deny-list functionality and trigger requests to restricted network infrastructure to gain insight about topology and running services. No publicly available exploits are known.

Solution:
We now respect possible IPV4-mapped IPv6 addresses when checking if contained in a deny-list.



---



Internal reference: MWB-2046
Type: CWE-400 (Uncontrolled Resource Consumption)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev39, OX App Suite backend 8.10
First fixed revision: OX App Suite backend 7.10.6-rev40, OX App Suite backend 8.11
Discovery date: 2023-02-13
Solution date: 2023-03-13
Disclosure date: 2023-06-20
CVE: CVE-2023-26432
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Details:
SMTP capabilities allow excessive memory usage. When adding an external mail account, processing of SMTP "capabilities" responses are not limited to plausible sizes.

Risk:
Attacker with access to a rogue SMTP service could trigger requests that lead to excessive resource usage and eventually service unavailability. No publicly available exploits are known.

Solution:
We now limit accepted SMTP server response to reasonable length/size.



---



Internal reference: MWB-2047
Type: CWE-400 (Uncontrolled Resource Consumption)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev39, OX App Suite backend 8.10
First fixed revision: OX App Suite backend 7.10.6-rev40, OX App Suite backend 8.11
Discovery date: 2023-02-13
Solution date: 2023-03-13
Disclosure date: 2023-06-20
CVE: CVE-2023-26433
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Details:
IMAP capabilities allow excessive memory usage. When adding an external mail account, processing of IMAP "capabilities" responses are not limited to plausible sizes.

Risk:
Attacker with access to a rogue IMAP service could trigger requests that lead to excessive resource usage and eventually service unavailability. No publicly available exploits are known.

Solution:
We now limit accepted IMAP server response to reasonable length/size.



---



Internal reference: MWB-2048
Type: CWE-400 (Uncontrolled Resource Consumption)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev39
First fixed revision: OX App Suite backend 7.10.6-rev40
Discovery date: 2023-02-13
Solution date: 2023-03-13
Disclosure date: 2023-06-20
CVE: CVE-2023-26434
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Details:
POP3 capabilities allow excessive memory usage. When adding an external mail account, processing of POP3 "capabilities" responses are not limited to plausible sizes.

Risk:
Attacker with access to a rogue POP3 service could trigger requests that lead to excessive resource usage and eventually service unavailability. No publicly available exploits are known.

Solution:
We now limit accepted POP3 server response to reasonable length/size.



---



Internal reference: DOCS-4662
Type: CWE-918 (Server-Side Request Forgery (SSRF))
Component: office
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite office 7.10.6-rev7
First fixed revision: OX App Suite office 7.10.6-rev8
Discovery date: 2023-01-09
Solution date: 2023-03-13
Disclosure date: 2023-06-20
Researcher credits: Icare
CVE: CVE-2023-26435
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Details:
SSRF using ODT files and "draw" XML fragments. It was possible to call filesystem and network references using the local LibreOffice instance using manipulated ODT documents.

Risk:
Attackers could discover restricted network topology and services as well as including local files with read permissions of the open-xchange system user. This was limited to specific file-types, like images. No publicly available exploits are known.

Solution:
We have improved existing content filters and validators to avoid including any local resources.



---



Internal reference: DOCS-4701
Type: CWE-94 (Improper Control of Generation of Code ('Code Injection'))
Component: office
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite office 7.10.6-rev7
First fixed revision: OX App Suite office 7.10.6-rev8
Discovery date: 2023-02-03
Solution date: 2023-03-13
Disclosure date: 2023-06-20
Researcher credits: Mehmet 'mdisec' Ince
CVE: CVE-2023-26436
CVSS: 8.3 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Details:
Insecure Deserialization on documentconverterws API lead to Remote Code Execution. Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during deserialization. Access to this API endpoint is restricted to local networks by default.

Risk:
Arbitrary code could be injected that is being executed when processing the request. No publicly available exploits are known.

Solution:
A check has been introduced to restrict processing of legal and expected classes for this API. We now log a warning in case there are attempts to inject illegal classes.
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    47 Files
  • 25
    Jul 25th
    31 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close