Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Open-Xchange Security Advisory 2013-09-10

From: Martin Braun <martin.braun () open-xchange com>
Date: Tue, 10 Sep 2013 11:18:08 +0200 (CEST)
Product: Open-Xchange AppSuite
Vendor: Open-Xchange GmbH

Internal reference: 28260 (Bug ID)
Vulnerability type:  CWE-16: Configuration, CWE-287: Improper Authentication, CWE-200: Information Exposure
Vulnerable version: 7.0.0 to 7.2.2
Vulnerable component: backend (default configuration)
Fixed version: 7.0.2-rev15, 7.2.2-rev16
Solution status: Fixed by Vendor
Vendor notification: 2013-08-13
Solution date: 2013-08-27
Public disclosure: 2013-09-10
CVE reference: CVE-2013-5200
CVSSv2: 5.6 (AV:N/AC:L/Au:N/C:P/I:P/A:N/E:POC/RL:U/RC:C/CDP:MH/TD:M/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Multiple vulnerabilities have been discovered regarding the Hazelcast based cluster API implementation at the 
Open-Xchange backend.
CWE-16 (Configuration): By default, the cluster implementation listens to all available network interfaces at port 
5701/tcp. This may include interfaces that are exposed to potentially hostile networks.
CWE-287 (Improper Authentication): By default, the REST and memcache interfaces do not require authentication to access 
the cluster API to gain or inject information. Joining potentially rogue nodes to the cluster using the native 
Hazelcast API is possible by using a hardcoded password that's exposed by the source code.
CWE-200 (Information Exposure): The cluster API exposes several critical information such as runtime data, network 
information. In cases where a distributed session storage is used, session information of logged in users may be 
accessed as well. Unnecessary APIs for memcache and REST are exposed.

Risk:
When running the Open-Xchange backend on a network that's directly attached to the Internet or other potentially 
hostile networks, an attacker may access and inject critical information. The exposed API could be used to influence 
systems availability by injecting arbitrary data or disconnect cluster nodes.

Steps to reproduce:
1. Use a Java, C#, REST or memcache client to access the Hazelcast API
2. Execute commands specified by the Hazelcast API documentation

Proof of concept:
The issue has been reproduced using various REST client calls. For example, use a HTTP GET request to gain network and 
status information about the cluster.

GET http://server:5701/hazelcast/rest/cluster/
Cluster [1] {
        Member [192.168.13.37]:5701 this
}
ConnectionCount: 1
AllConnectionCount: 1

Solution:
Update to 7.0.2-rev15 or 7.2.2-rev16
When operating any kind of network services, make sure to apply proper port filtering
Previous By Date Next
Previous By Thread Next

Current thread: