SOTTO ATTACCO?
POSSIAMO AIUTARTI

Security Advisory: Alt-n Security Gateway (CVE-2022-25356)

Tinexta Cyber Offensive Security Team has identified 1 vulnerability on Alt-n Security Gateway product, the vulnerability was found during a Penetration Test.

Product description

Alt-n develops and manufactures products and solutions for companies to help them be more safe against phishing attacks, malwares and much more, Security Gateway accomplishes that goal giving protection from external/internal email threats.

Swascan worked together with Alt-n in order to fix this vulnerability.

Technical summary

Swascan’s Cyber Security Team found an important vulnerability on: Security Gateway

VulnerabilityCVSSv3.1Severity
Unauthenticated registration key disclosure through XML Injection7.5 HighAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

In the following section the technical details about this vulnerability, including evidence and a proof-of-concept.

Vulnerability details

Unauthenticated registration key disclosure through XML Injection

Description

In Alt-n Security Gateway product, a malicious actor could inject an arbitrary XML argument by adding a new parameter in the HTTP request URL. In this way the XML parser fails the validation process disclosing information such as kind of protection used (2FA), admin email and product registration keys.

Proof of Concept

The following POC will inject an arbitrary XML argument in the processed XML retrieving the SecurityGateway configuration through the error message:

# curl -kis “http://<target>/SecurityGateway.dll?view=login&redirect=true&9OW4L7RSDY=1”

The result of the previous curl is the following:

Figure 1  Security settings, admin information and product registration key disclosed

Figure 2  Working registration key for product update

Impact

An attacker can use the information retrieved to try to authenticate as admin user through brute force attacks, password guessing or using compromised credentials, (since the admin email address used is known).  The product registration keys can be compromised as well.

Remediation

The application should not trust user input and avoid incorporating inside the XML arbitrary URL parameters and/or sanitize the input by encoding the characters “<>” with the corresponding entities “&lt; and &gt”.

Alt-n released a patch for the MDaemon software, reported in the references below.

Disclosure Timeline

  • 17 February 2022: Vulnerabilities discovered
  • 17 February 2022: CVE-ID requested at MITRE
  • 17-February-2022: Vendor contacted by email (1st time, no response)
  • 18-February-2022: CVE-ID assigned
  • 25-February-2022: Vendor contacted by email (2nd time, no response)
  • 25-February-2022: Vendor contacted by email (3rd time, vendor responded)
  • 08-March-2022: Vendor responded and released an update
  • 04-April-2022: Vulnerability disclosed
  • 05-April-2022: Issued CVE-ID CVE-2022-25356

Sources and references

Articoli correlati

Cyber Incident Emergency Contact

Contact us for immediate support

Abilita JavaScript nel browser per completare questo modulo.
Accettazione GDPR