OXAS-ADV-2023-0002: OX App Suite Security Advisory

Publisher: OX Software GmbH
Publication Date: 2023-06-20
Current version: 1
Status: final
Severity: High

References

Vulnerabilities

Weak default permissions for noreply.properties (CVE-2023-26427)

Description

Default permissions for a properties file were too permissive.

Internal reference: MWB-1994
CWE: CWE-922: Insecure Storage of Sensitive Information
Discovery date: 2023-01-09

Product status

Last affected
Products CVSS-Vector CVSS Base Score
OX App Suite backend 7.10.6-rev39 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N 3.2

Remediations

Vendor fix (2023-03-10)

We updated the default permissions for noreply.properties set during package installation.

Acknowledgments

Threats

Exploit status

No publicly available exploits are known.

Impact

Local system users could read potentially sensitive information.

Access to other users' signatures is not checked (CVE-2023-26428)

Description

Attackers can successfully request arbitrary snippet IDs, including E-Mail signatures of other users within the same context.

Internal reference: MWB-2008
CWE: CWE-639: Authorization Bypass Through User-Controlled Key
Discovery date: 2023-01-17

Product status

Last affected
Products CVSS-Vector CVSS Base Score
OX App Suite backend 7.10.6-rev39 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 6.5
OX App Suite backend 8.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 6.5

Remediations

Vendor fix (2023-03-10)

We improved permission handling when requesting snippets that are not explicitly shared with other users.

Acknowledgments

Threats

Exploit status

No publicly available exploits are known.

Impact

Signatures of other users could be read even though they are not explicitly shared.

User-feedback not sanitized for control characters (CVE-2023-26429)

Description

Control characters were not removed when exporting user feedback content.

Internal reference: MWB-2019
CWE: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Discovery date: 2023-01-23

Product status

Last affected
Products CVSS-Vector CVSS Base Score
OX App Suite backend 7.10.6-rev39 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N 3.5
OX App Suite backend 8.10 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N 3.5

Remediations

Vendor fix (2023-03-09)

We now drop all control characters that are not whitespace characters during the export.

Acknowledgments

Threats

Exploit status

No publicly available exploits are known.

Impact

This allowed attackers to include unexpected content via user feedback and potentially break the exported data structure.

SSRF through bypassing denylists via IPv4-mapped IPv6 addresses (CVE-2023-26431)

Description

IPv4-mapped IPv6 addresses were not recognized as "local" by the deny-list check, so a connection attempt was made.

Internal reference: MWB-2038
CWE: CWE-918: Server-Side Request Forgery (SSRF)
Discovery date: 2023-02-07

Product status

Last affected
Products CVSS-Vector CVSS Base Score
OX App Suite backend 7.10.6-rev39 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N 5.0
OX App Suite backend 8.10 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N 5.0

Remediations

Vendor fix (2023-03-16)

We now account for IPv4-mapped IPv6 addresses when checking whether an address is contained in a deny-list.

Acknowledgments

Threats

Exploit status

No publicly available exploits are known.

Impact

Attackers with access to user accounts could use this to bypass the existing deny-list and trigger requests to restricted network infrastructure, gaining insight into its topology and running services.
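
The fix described above depends on canonicalizing an address before the deny-list lookup. As an added example (not OX's code), the pre-fix check beside the corrected one in Python; the deny-list entries and host values are constructed for the demonstration:

```python
import ipaddress

# Constructed deny-list of "local" ranges; the advisory does not list OX's actual entries.
DENYLIST = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("::1/128"),
]


def is_denied_naive(host: str) -> bool:
    """Pre-fix behaviour: match the literal address against the deny-list.

    ipaddress parses ::ffff:127.0.0.1 as an IPv6Address, and an IPv6 address is
    never "in" an IPv4 network, so the mapped loopback passes the check.
    """
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in DENYLIST)


def canonicalize(host: str):
    """Unwrap an IPv4-mapped IPv6 address (::ffff:a.b.c.d or ::ffff:xxxx:xxxx)
    to the embedded IPv4 address so both notations hit the same deny-list rules."""
    addr = ipaddress.ip_address(host.strip("[]"))
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_denied(host: str) -> bool:
    """Fixed behaviour: canonicalize first, then consult the deny-list."""
    addr = canonicalize(host)
    return any(addr in net for net in DENYLIST)


if __name__ == "__main__":
    for host in ("127.0.0.1", "::ffff:127.0.0.1", "::ffff:7f00:1", "93.184.216.34"):
        print(f"{host:>20}  naive={is_denied_naive(host)!s:<5} fixed={is_denied(host)}")
```

The hex form ::ffff:7f00:1 is the same mapped loopback as ::ffff:127.0.0.1, so a check that only compares dotted-quad strings misses it too.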

SMTP capabilities allow excessive memory usage (CVE-2023-26432)

Description

When adding an external mail account, processing of SMTP "capabilities" responses was not limited to plausible sizes.

Internal reference: MWB-2046
CWE: CWE-400: Uncontrolled Resource Consumption
Discovery date: 2023-02-13

Product status

Last affected
Products CVSS-Vector CVSS Base Score
OX App Suite backend 7.10.6-rev39 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 4.3
OX App Suite backend 8.10 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 4.3

Remediations

Vendor fix (2023-03-13)

We now limit accepted SMTP server responses to a reasonable length and size.

Threats

Exploit status

No publicly available exploits are known.

Impact

Attackers with access to a rogue SMTP service could trigger requests that lead to excessive resource usage and eventually service unavailability.

IMAP capabilities allow excessive memory usage (CVE-2023-26433)

Description

When adding an external mail account, processing of IMAP "capabilities" responses was not limited to plausible sizes.

Internal reference: MWB-2047
CWE: CWE-400: Uncontrolled Resource Consumption
Discovery date: 2023-02-13

Product status

Last affected
Products CVSS-Vector CVSS Base Score
OX App Suite backend 7.10.6-rev39 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 4.3
OX App Suite backend 8.10 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 4.3

Remediations

Vendor fix (2023-03-13)

We now limit accepted IMAP server responses to a reasonable length and size.

Threats

Exploit status

No publicly available exploits are known.

Impact

Attackers with access to a rogue IMAP service could trigger requests that lead to excessive resource usage and eventually service unavailability.

POP3 capabilities allow excessive memory usage (CVE-2023-26434)

Description

When adding an external mail account, processing of POP3 "capabilities" responses was not limited to plausible sizes.

Internal reference: MWB-2048
CWE: CWE-400: Uncontrolled Resource Consumption
Discovery date: 2023-02-13

Product status

Last affected
Products CVSS-Vector CVSS Base Score
OX App Suite backend 7.10.6-rev39 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 4.3

Remediations

Vendor fix (2023-03-13)

We now limit accepted POP3 server responses to a reasonable length and size.

Threats

Exploit status

No publicly available exploits are known.

Impact

Attackers with access to a rogue POP3 service could trigger requests that lead to excessive resource usage and eventually service unavailability.
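
The three capability issues above (SMTP, IMAP and POP3) share one mitigation: bound how much of a server's response the client is willing to buffer. As an added example (not OX's code), a bounded line reader in Python with end-of-response predicates for SMTP EHLO and POP3 CAPA; the limits and the sample responses are constructed, and the advisory itself names no specific bounds:

```python
import io

class CapabilityResponseTooLarge(ValueError):
    """Raised when a server's capability response exceeds the configured bounds."""

def read_capability_lines(stream, is_last, *, max_line_bytes=512, max_lines=64, max_total_bytes=8192):
    """Read a multi-line capability response from a binary stream without buffering
    more than max_lines lines, max_line_bytes per line, or max_total_bytes overall.
    Bounds are constructed defaults; `is_last` says when the response is complete."""
    lines, total = [], 0
    while True:
        if len(lines) >= max_lines:
            raise CapabilityResponseTooLarge(f"more than {max_lines} lines")
        # readline(n) returns at most n bytes, so an over-long line is caught after
        # max_line_bytes + 1 bytes instead of being read into memory in full.
        raw = stream.readline(max_line_bytes + 1)
        if not raw.endswith(b"\n"):
            if len(raw) > max_line_bytes:
                raise CapabilityResponseTooLarge(f"line longer than {max_line_bytes} bytes")
            raise ValueError("connection closed before the response was complete")
        total += len(raw)
        if total > max_total_bytes:
            raise CapabilityResponseTooLarge(f"response larger than {max_total_bytes} bytes")
        line = raw.rstrip(b"\r\n").decode("ascii", errors="replace")
        lines.append(line)
        if is_last(line):
            return lines

def smtp_ehlo_done(line: str) -> bool:
    """RFC 5321: continuation lines are '250-...', the final line is '250 ...' or a bare '250'."""
    return len(line) == 3 or (len(line) > 3 and line[3] == " ")

def pop3_capa_done(line: str) -> bool:
    """RFC 2449: the CAPA listing is terminated by a line holding a single dot."""
    return line == "."

def parse_within_bounds(data: bytes, is_last, **limits):
    """Parse a captured response; returns its lines, or None if it was rejected as too large."""
    try:
        return read_capability_lines(io.BytesIO(data), is_last, **limits)
    except CapabilityResponseTooLarge:
        return None

# Constructed sample responses, not captured from any real server.
SMTP_OK = b"250-mail.example.test\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n250 STARTTLS\r\n"
SMTP_ENDLESS = b"".join(b"250-EXT%d\r\n" % i for i in range(1000))
SMTP_LONG_LINE = b"250-" + b"A" * 2000 + b"\r\n250 OK\r\n"
POP3_OK = b"+OK Capability list follows\r\nTOP\r\nUSER\r\nUIDL\r\n.\r\n"
```

An IMAP CAPABILITY response is handled the same way with a predicate that fires on the tagged OK line.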

SSRF using ODT files and "draw" XML fragments (CVE-2023-26435)

Description

Manipulated ODT documents could make the local LibreOffice instance resolve filesystem and network references.

Internal reference: DOCS-4662
CWE: CWE-918: Server-Side Request Forgery (SSRF)
Discovery date: 2023-01-09

Product status

Last affected
Products CVSS-Vector CVSS Base Score
OX App Suite office 7.10.6-rev7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N 5.0

Remediations

Vendor fix (2023-03-13)

We have improved existing content filters and validators to avoid including any local resources.

Acknowledgments

Threats

Exploit status

No publicly available exploits are known.

Impact

Attackers could discover restricted network topology and services, as well as include local files readable by the open-xchange system user. This was limited to specific file types, like images.

Insecure Deserialization on documentconverterws API leads to Remote Code Execution (CVE-2023-26436)

Description

Attackers with access to the "documentconverterws" API were able to inject serialized Java objects that were not properly checked during deserialization. Access to this API endpoint is restricted to local networks by default.

Internal reference: DOCS-4701
CWE: CWE-94: Improper Control of Generation of Code ('Code Injection')
Discovery date: 2023-02-03

Product status

Last affected
Products CVSS-Vector CVSS Base Score
OX App Suite office 7.10.6-rev7 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 8.3

Remediations

Vendor fix (2023-03-13)

A check has been introduced that restricts deserialization for this API to legal and expected classes. We now log a warning when there are attempts to inject illegal classes.

Acknowledgments

Threats

Exploit status

No publicly available exploits are known.

Impact

Arbitrary code could be injected that is executed when the request is processed.
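
The fix above pairs a class allow-list with a logged warning for rejected classes. As an added example (not OX's code, and a Python analogue rather than the Java the backend uses), the same pattern on Python's pickle, whose find_class() hook is consulted for every class a payload names; the logger name, the allow-list contents and the payloads are constructed:

```python
import collections
import fractions
import io
import logging
import pickle

log = logging.getLogger("documentconverter")  # hypothetical logger name

# Constructed allow-list of (module, class) pairs the service expects to deserialize.
ALLOWED_CLASSES = {
    ("collections", "OrderedDict"),
}


class IllegalClassError(pickle.UnpicklingError):
    """Raised when a payload references a class outside the allow-list."""


class RestrictedUnpickler(pickle.Unpickler):
    """Deserialization class filter: the unpickler calls find_class() for every
    class a payload names, so the allow-list is enforced there and each rejected
    attempt is logged before the class is ever resolved or instantiated."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_CLASSES:
            log.warning("rejected deserialization of %s.%s", module, name)
            raise IllegalClassError(f"{module}.{name} is not an expected class")
        return super().find_class(module, name)


def load_request(payload: bytes):
    """Deserialize a request body with the allow-list enforced."""
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def accepts(payload: bytes) -> bool:
    """True if the payload deserializes, False if a disallowed class was rejected."""
    try:
        load_request(payload)
        return True
    except IllegalClassError:
        return False


# Constructed payloads: an expected object, a plain builtin, and a harmless
# object of a class the service does not expect.
EXPECTED_PAYLOAD = pickle.dumps(collections.OrderedDict(page=1))
BUILTIN_PAYLOAD = pickle.dumps({"page": 1})
UNEXPECTED_PAYLOAD = pickle.dumps(fractions.Fraction(1, 2))
```

Builtin containers and scalars never go through find_class(), so they pass without an allow-list entry; anything that names a class does.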