Project: Service Packs and Hot Fixes
Issue: MNT-13081

CLONE - [Security] Alfresco enables port scanning of internal networks

      Description

      It is possible using a simple URL to explore and portscan the internal network of any organisation with an Internet-facing Alfresco instance. This was reported in Community 4.2.f by a third-party penetration testing company. They intend to go public with this information as part of their
      responsible disclosure scheme 50 days after June 24th. Their original report follows:

      SEC Consult Vulnerability Lab Security Advisory < YYYYMMDD-0 >
      =======================================================================
      title: Multiple SSRF vulnerabilities
      product: Alfresco Community Edition
      vulnerable version: <=4.2.f
      fixed version: N/A
      impact: High
      homepage: http://www.alfresco.com
      found: 2014-05-15
      by: V. Paulikas
      SEC Consult Vulnerability Lab
      =======================================================================

      Vendor description:
      -------------------
      "Alfresco Community Edition allows organizations to manage any type of content
      from simple office documents to scanned images, photographs, engineering drawings
      and large video files. It is commonly used as a document management system,
      content platform, CMIS-compliant repository."

      http://www.alfresco.com/products/community

      Business recommendation:
      ------------------------
      Multiple SSRF vulnerabilities were identified within the affected Alfresco product.

      By exploiting these vulnerabilities an unauthenticated attacker is able to
      scan available ports on internal systems and access internal web applications
      which should not be accessible from the Internet.

      It is recommended to restrict the access to the affected servlets
      until an official patch is released by the vendor.

      Vulnerability overview/description:
      ---------------------------------------------
      1) Server Side Request Forgery (SSRF)

      A Server Side Request Forgery vulnerability allows an attacker to issue remote connections
      on behalf of the affected server. This can be exploited in order to reach
      internal systems, which are not reachable from the Internet, or to bypass
      access restrictions.

      Proof of concept:
      -----------------
      SSRF PoC 1)
      An unauthenticated user can access the proxy servlet and perform internal
      system port scanning by accessing the URL provided below:

      http://host/alfresco/proxy?endpoint=http://internal_system:port

      The server responds with an error message "Connection refused" when the port
      is not accessible (firewalled or not available). Other error messages indicate
      a service running on the port which is being probed.

      The proxy servlet implementation in older versions of the Alfresco Community Edition
      supports the file:// URI scheme, allowing the attacker to disclose the contents of files
      on the affected server.

      SSRF PoC 2)
      The Content Management Interoperability Service (CMIS) can also be exploited
      by an unauthenticated attacker in order to issue internal connections. The
      following URL can be used in order to exploit the vulnerability:

      http://host/alfresco/cmisbrowser?url=http://internal_system:port

      The server responds with similar error messages when the port is open or closed.

      If the victim is tricked into accessing a resource, protected with Basic authentication,
      on the affected host via the cmisbrowser servlet, further requests include the submitted
      credentials and can be intercepted by an attacker. An example of such a scenario:

      Vulnerable / tested versions:
      -----------------------------
      The vulnerabilities have been verified to exist in the Alfresco Community
      Edition version 4.2.f, which was the most recent version at the time of
      discovery.
      The version 2.9.0B was verified to support the file:// URI scheme,
      allowing the attackers to disclose contents of the local files on the affected
      server.

      Vendor contact log:
      ------------------------
      2014-05-26: Contacting vendor through
      2014-0x-xx:
      2014-0x-xx:
      2014-0x-xx:
      2014-0x-xx:

      Solution:
      ---------

      Advisory URL:
      -------------
      https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      SEC Consult Vulnerability Lab

      SEC Consult
      Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

      Headquarter:
      Mooslackengasse 17, 1190 Vienna, Austria
      Phone: +43 1 8903043 0
      Fax: +43 1 8903043 15

      Mail: research at sec-consult dot com
      Web: https://www.sec-consult.com
      Blog: http://blog.sec-consult.com
      Twitter: https://twitter.com/sec_consult

      Interested in working with the experts of SEC Consult?
      Write to career@sec-consult.com

      EOF V. Paulikas / @2014
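The advisory's business recommendation is to restrict what the affected servlets may reach until a patch exists. The following is an added reference check written for this ticket; it is not Alfresco's code and not part of the SEC Consult advisory. It assumes a hypothetical deployment allowlist (the `ALLOWED_*` constants and the `example.org` hostnames are invented) and shows the three controls a proxy-style parameter such as `endpoint=` or `url=` needs: a scheme allowlist (which rejects `file://`), a host and port allowlist (which defeats the port-scanning oracle, since every unlisted target is refused before any connection is made), and a refusal of credentials embedded in the URL. The private-address test on literal IPs is defence in depth only; it does not resolve hostnames, so it does not by itself stop a public DNS name that points at an internal address (DNS rebinding), which is why the host allowlist is the primary control.

```python
"""Added example: validate a user-supplied proxy target before connecting.

Hypothetical allowlist and function names; not Alfresco project code.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed deployment policy: the only upstreams the proxy should reach.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"share.example.org", "cmis.example.org"}
ALLOWED_PORTS = {80, 443, 8080}


def _is_internal_literal(host):
    """True if ``host`` is an IP literal in a loopback/private/link-local range.

    Hostnames (non-literals) return False; they are handled by the allowlist.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_endpoint(raw):
    """Return (allowed, reason) for a proxy target taken from a request parameter.

    Every rejection happens before any network activity, so an attacker
    cannot use the servlet's error messages as an open/closed port oracle.
    """
    try:
        parts = urlsplit(raw)
    except ValueError as exc:
        return False, "unparseable URL: %s" % exc

    # 1. Scheme allowlist: file://, ftp://, gopher:// etc. are refused outright.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme

    # 2. No userinfo: "http://share.example.org@10.0.0.5/" must not pass as share.example.org.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"

    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if not host:
        return False, "missing host"

    # 3a. Defence in depth: refuse obvious internal IP literals (127.0.0.1, [::1], 10/8 ...).
    if _is_internal_literal(host):
        return False, "host %r is a loopback/private literal" % host

    # 3b. Primary control: only listed hosts may be contacted at all.
    if host not in ALLOWED_HOSTS:
        return False, "host %r not in allowlist" % host

    # 4. Port allowlist: ``parts.port`` raises ValueError on a non-numeric port.
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if parts.scheme.lower() == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port

    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the advisory's PoC shapes plus common bypass attempts.
    for target in ("http://share.example.org/alfresco",
                   "http://internal_system:8080",
                   "file:///etc/passwd",
                   "http://127.0.0.1:8080/",
                   "http://[::1]/",
                   "http://share.example.org@10.0.0.5/",
                   "https://cmis.example.org:8443/"):
        print("%-45s -> %s" % (target, check_endpoint(target)))
```

In practice the check belongs in the servlet before the HTTP client is created, and the allowlist should be a deployment setting rather than a constant; the decisive property is that a rejected target never produces a connection attempt, so "Connection refused" versus any other error can no longer be observed for unlisted hosts.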

      People

      Assignee: Closed Bugs (closedbugs)
      Reporter: Pavel Lungu (plungu, inactive)