[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Multiple exposures in Sophos UTM
- To: fulldisclosure@xxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, webappsec@xxxxxxxxxxxxxxxxx
- Subject: Multiple exposures in Sophos UTM
- From: Tim Schughart <t.schughart@xxxxxxxxxxxxxxxxxxx>
- Date: Fri, 30 Sep 2016 11:33:31 +0200 (CEST)
Hello @all,
together with my colleague we found two uncritical vulnerabilities you'll find
below.
Product: Sophos UTM
Vendor: Sophos ltd.
Internal reference: ? (Bug ID)
Vulnerability type: Information Disclosure
Vulnerable version: 9.405-5, 9.404-5 and possible other versions affected (not
tested)
Vulnerable component: Frontend
Report confidence: yes
Solution status: Not fixed by Vendor, no further responses from vendor.
Fixed versions: -
Researcher credits: Tim Schughart & Khanh Quoc Pham of ProSec Networks
Vendor notification: 2016-09-01
Solution date: -
Public disclosure: 2016-09-30
CVE reference: CVE-2016-7397
CVSSv3: 6.7 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Report timeline:
2016-09-01: Contacted Vendor, vendor acknowledged, no further response
2016-09-12: Contacted Vendor again, started to fix
2016-09-30: Contacted Vendor again, because there has been no response to our
request and our initial told disclosing date, no response again.
2016-09-30: Public Disclosure.
Vulnerability Details:
The password is reflected to DOM and is readable through the "value" field of
the SMTP user settings in notifications tab. You have to be authenticated to
access the configuration tab.
Risk:
An attacker gets access to the configured mailbox. Because of Sophos UTM is a
multi user system, this is a problem in bigger company environments with
splitted admin rights. The surface scope is changed, because in bigger
environments you are getting access to the configured mailbox, which results in
an integrity loss.
Steps to reproduce:
See vulnerability details.
--
Product: Sophos UTM
Vendor: Sophos ltd.
Internal reference: ? (Bug ID)
Vulnerability type: Information Disclosure
Vulnerable version: 9.405-5, 9.404-5 and possible other versions affected (not
tested)
Vulnerable component: Frontend
Report confidence: ?
Solution status: Not fixed by Vendor
Fixed versions: -
Researcher credits: Tim Schughart & Khanh Quoc Pham of ProSec Networks
Vendor notification: 2016-09-01
Solution date: -
Public disclosure: 2016-10-01
CVE reference: CVE-2016-7442
CVSSv3: 6.7 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Vulnerability Details:
The password is reflected to DOM and is readable through the "value" field of
the proxy user settings in the system settings / scan settings / anti spam. You
have to be authenticated to access the configuration tab.
Risk:
An attacker gets access to the configured proxy user. Because of Sophos UTM is
a multi user system, this is a problem in bigger company environments with
splitted admin rights. The surface scope is changed, because in bigger
environments you are getting access to the configured proxy user, which results
in an privilege escalation.
Steps to reproduce:
See vulnerability details.
Best regards / Mit freundlichen Grüßen
Tim Schughart
CEO / Geschäftsführer
--
ProSec Networks e.K.
Ellingshohl 82
56077 Koblenz
Website: https://www.prosec-networks.com
E-Mail: t.schughart@xxxxxxxxxxxxxxxxxxx
Mobile: +49 (0)157 7901 5826
Phone: +49 (0)261 450 930 90
"This E-Mail communication may contain CONFIDENTIAL, PRIVILEGED and/or LEGALLY
PROTECTED information and is intended only for the named recipient(s). Any
unauthorized use, dissemination, copying or forwarding is strictly prohibited.
If you are not the intended recipient and have received this email
communication in error, please notify the sender immediately, delete it and
destroy all copies of this E-Mail. VAT ID: DE290654714 legal domicile Koblenz,
HRA 21625.“
"Diese E-Mail Mitteilung kann VERTRAULICHE, dem BERUFSGEHEIMNIS UNTERLIEGENDE
und/oder RECHTLICH GESCHÜTZTE Informationen enthalten und ist ausschließlich
für den/die genannten Adressaten bestimmt. Jede unbefugte Nutzung, Weitergabe,
Vervielfältigung oder Versendung ist strengstens verboten. Sollten Sie nicht
der angegebene Adressat sein und diese E-Mail Mitteilung irrtümlich erhalten
haben, informieren Sie bitte sofort den Absender, löschen diese E-Mail und
vernichten alle Kopien. USt-IdNr.: DE290654714, Amtsgericht Koblenz, HRA
21625."