Open-Xchange Security Advisory 2013-07-31
Product: Open-Xchange AppSuite
Vendor: Open-Xchange GmbH
Internal reference: 27473 (Bug ID)
Vulnerability type: Phishing / Data injection
Vulnerable version: 7.2.2 and earlier
Vulnerable component: backend
Fixed version: 7.2.2-rev9, 7.2.1-rev10, 7.2.0-rev11, 7.0.2-rev14
Solution status: Fixed by Vendor
Vendor notification: 2013-07-11
Solution date: 2013-07-18
Public disclosure: 2013-07-31
CVE reference: CVE-2013-4790
CVSSv2: 5.1 (AV:N/AC:M/Au:S/C:P/I:N/A:N/E:U/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)
Vulnerability Details:
To provide easy integration of third party mail accounts, Open-Xchange uses several auto-discovery features. Besides a generic lookup for the most prominent mail providers, information about existing external mail accounts of other users, including users from other contexts, is used to discover potential mail server settings. To validate the discovered settings, a login attempt is performed at the discovered mail server. This attack only becomes possible if the victim is using the OX AppSuite UI; using the OX6 UI does not trigger this vulnerability.
Risk:
An attacker can inject incorrect host information for popular mail services by providing misleading server settings. These settings are then used to automatically validate other users' external mail accounts, which includes transferring the login name and password of their external mail accounts. An attacker can potentially intercept user credentials for external mail accounts by logging all authentication data sent to the rogue IMAP server.
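The following is an added illustration, not Open-Xchange code, of the kind of filter that closes this gap: a discovered host is only allowed to receive a validation login when it was learned inside the requester's own context and is backed by the address domain's own DNS names. The record layout, the function names and the inline MX table (standing in for a live DNS lookup) are assumptions made for the example.

```python
"""Hardened auto-discovery candidate selection (constructed example).

Mirrors the advisory's flaw: settings saved by *other* users, even in other
contexts, were trusted and then validated by logging in, so an attacker-supplied
host received the victim's credentials. This filter drops such candidates.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DiscoveredSetting:
    mail_domain: str      # domain of the address this setting was saved for
    imap_host: str        # IMAP host another user configured for that domain
    source_context: int   # OX context (tenant) the setting was learned from


# Constructed MX table that stands in for a DNS lookup so the example runs offline.
MX_TABLE = {
    "my-mail-host.io": {"imap.my-mail-host.io", "mx.my-mail-host.io"},
}


def host_backed_by_domain(mail_domain, imap_host, mx_lookup=MX_TABLE.get):
    """True if imap_host is the mail domain, a subdomain of it, or one of its MX hosts."""
    host = imap_host.lower().rstrip(".")
    dom = mail_domain.lower()
    if host == dom or host.endswith("." + dom):
        return True
    return host in (mx_lookup(dom) or set())


def select_safe_candidates(address, requester_context, settings):
    """Return the discovered hosts that may receive a validation login for address.

    A host is rejected when it was saved for a different domain, when it comes
    from another context, or when DNS for the address domain does not vouch for it.
    """
    domain = address.rsplit("@", 1)[-1].lower()
    safe = []
    for s in settings:
        if s.mail_domain.lower() != domain:
            continue
        if s.source_context != requester_context:
            continue  # never reuse settings across tenant boundaries
        if not host_backed_by_domain(domain, s.imap_host):
            continue  # user-supplied rogue host for a well-known domain is dropped
        if s.imap_host not in safe:
            safe.append(s.imap_host)
    return safe
```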
Steps to reproduce:
As User A (attacker)
1. Login
2. Switch to Settings -> Mail and Social accounts
3. Add a new mail account, use "manual mode"
4. Enter foo@my-mail-host.io as mail address, the IP or hostname of the attacker's evil IMAP server as server name, and provide valid credentials for that evil server
5. Save the account
As User B (victim)
1. Login
2. Switch to Settings -> Mail and Social accounts
3. Add a new mail account, use "automatic mode"
4. Enter "bar@my-mail-host.io" as address and provide your password
5. Save
Proof of concept:
A login request is performed at the evil IMAP server, not at the domain related to the entered mail address.
92.224.190.xxx = OX server
37.235.49.xxx = Evil IMAP server
#
T 92.224.190.xxx:40622 -> 37.235.49.xxx:143 [A]
######
T 37.235.49.xxx:143 -> 92.224.190.xxx:47458 [AP]
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS LOGINDISABLED] Dovecot ready...
##
T 92.224.190.xxx:47458 -> 37.235.49.xxx:143 [AP]
A11 LOGOUT..
Solution:
Users should update to the latest available patch releases 7.2.2-rev9, 7.2.1-rev10, 7.2.0-rev11, 7.0.2-rev14.