SEC Consult Vulnerability Lab Security Advisory < 20231128-0 >
=======================================================================
               title: Missing Certificate Validation & User Enumeration
             product: Anveo Mobile App and Server
  vulnerable version: Mobile App: 10.0.0.359 / 2016-07-13; Server: 11.0.0.5
       fixed version: -
          CVE number: -
              impact: Medium
            homepage: https://www.anveogroup.com/en/mobile-apps-for-dynamics/
               found: 2023-05-28
                  by: Daniel Hirschberger (Office Bochum)
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Create your own individual Mobile App with Anveo. Our base, out of the box
solutions offer many useful functions, and can be flexibly adapted to your
requirements: the Anveo Service App, Anveo Sales App, and Anveo Delivery App.
You are looking for a mobile App for a different scenario? Not a problem with
the Anveo Mobile App Builder! Thanks to the toolkit character of the solution,
configuration of a completely new, custom App is simple."

Source: https://www.anveogroup.com/en/mobile-apps-for-dynamics/


Business recommendation:
------------------------
The vendor was unresponsive and did not reply to our communication attempts and even
deleted our comment to request a contact on LinkedIn, see the timeline section further
below.

There is no solution known to us for this security issue. In case you are a customer
of Anveo, request an update from them about the issue.

Furthermore, an in-depth security analysis performed by security professionals is
highly advised, as the software may be affected from other security issues.


Vulnerability overview/description:
-----------------------------------
1) Missing Certificate Validation
The Windows application was tested which does not perform certificate validation
and is therefore vulnerable to man-in-the-middle attacks which might allow an
attacker to gain access to sensitive data.


2) User Enumeration
The login is vulnerable to user enumeration because the error message for a
non-existent user differs from the error message when a user exists. This allows
an attacker to perform targeted brute-force attacks and potentially take over
other user accounts.


Proof of concept:
-----------------
1) Missing Certificate Validation
The application does not validate the server certificate. To verify this,
a new self-signed certificate was created with the openssl commandline tool.

Afterwards, an openssl server was spawned with netcat:

[ POC removed]

When adding a new account in the application with the IP and port of this server,
a connection is attempted. Now a special string has to be sent from the netcat
listener to the client.

As a response, the client tries to authenticate against the server with the
username and password:

<img certificate_validation.png>

The part between <EOS> and <EOSC> can be base64-decoded and decompressed with
zlib which yields the following output:

[ POC removed ]

The "PW" Parameter contains the base64-encoded password, in this case "unknown".


2) User Enumeration
When a non-existent user tries to login, the error message shows "Cannot find
user":

<img user_nonexistent.png>

When a valid username but a wrong password is submitted, the server responds
with "Username or password is not correct":

<img user_exists.png>


Vulnerable / tested versions:
-----------------------------
The following version has been tested:
* Application version 10.0.0.359 / 2016-07-13 (the Windows version was tested)

The vendor did not respond to our communication attempts, hence it is unknown whether
further versions are affected as well.


Vendor contact timeline:
------------------------
2023-06-12: Contacting vendor through email info@AnveoGroup.com
             Asking for security contact, no response
2023-06-26: Contacting vendor through same email again, no response.
2023-07-24: Contacting vendor through technical support email support@AnveoGroup.com
             Asking for security contact again, no response.
2023-09-15: Contacting vendor again through info@AnveoGroup.com, support@AnveoGroup.com
             and datenschutz@AnveoGroup.com. Ticket got automatically created, but no
             response.
2023-09-19: Posted a message/comment on LinkedIn at Anveo Group to contact us. Besides a
             few profile views from employees (Team Lead Anveo Mobile App, Social Media
             Marketing, CEO) no response.
             Our comment then got deleted by Anveo Group.
             Comment:
             "Hi Anveo Group, we have been trying to reach your company since June through
             our responsible disclosure process as we have identified some security
             issues in your products. We never received any response via multiple email
             addresses (found on your website). Could you please get in touch with us and
             provide us with a person responsible for security? Thank you!"
2023-09-20: Contacting third party whether they received a patch; no response.
2023-10-09: Contacting again; no response.
2023-10-23: Contacting again; no response.
2023-11-17: Final attempt, asked third party for info again, tried to contact
             "support@anveogroup.com" through ticket again. No response from vendor, but
             third party replied, that they also did not receive any response from Anveo.
2023-11-28: Public release of security advisory.


Solution:
---------
The vendor was unresponsive and did not reply to our communication attempts and even
deleted our comment to request a contact on LinkedIn, see the timeline section.

There is no solution known to us for this security issue. In case you are a customer
of Anveo, request an update from them about the issue.

Furthermore, an in-depth security analysis performed by security professionals is
highly advised, as the software may be affected from other security issues.


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Daniel Hirschberger / @2023