Security
Headlines
HeadlinesLatestCVEs

Headline

Anveo Mobile User Enumeration / Missing Certificate Validation

Anveo Mobile application version 10.0.0.359 and server version 11.0.0.5 suffer from missing certificate validation and user enumeration vulnerabilities.

Packet Storm
#vulnerability#web#windows#auth#ssl

SEC Consult Vulnerability Lab Security Advisory < 20231128-0 >

           title: Missing Certificate Validation & User Enumeration  
         product: Anveo Mobile App and Server  

vulnerable version: Mobile App: 10.0.0.359 / 2016-07-13; Server: 11.0.0.5
fixed version: -
CVE number: -
impact: Medium
homepage: https://www.anveogroup.com/en/mobile-apps-for-dynamics/
found: 2023-05-28
by: Daniel Hirschberger (Office Bochum)
SEC Consult Vulnerability Lab

                  An integrated part of SEC Consult, an Eviden business  
                  Europe | Asia

                  https://www.sec-consult.com

=======================================================================

Vendor description:

“Create your own individual Mobile App with Anveo. Our base, out of the box
solutions offer many useful functions, and can be flexibly adapted to your
requirements: the Anveo Service App, Anveo Sales App, and Anveo Delivery App.
You are looking for a mobile App for a different scenario? Not a problem with
the Anveo Mobile App Builder! Thanks to the toolkit character of the solution,
configuration of a completely new, custom App is simple.”

Source: https://www.anveogroup.com/en/mobile-apps-for-dynamics/

Business recommendation:

The vendor was unresponsive and did not reply to our communication attempts and even
deleted our comment to request a contact on LinkedIn, see the timeline section further
below.

There is no solution known to us for this security issue. In case you are a customer
of Anveo, request an update from them about the issue.

Furthermore, an in-depth security analysis performed by security professionals is
highly advised, as the software may be affected from other security issues.

Vulnerability overview/description:

  1. Missing Certificate Validation
    The Windows application was tested which does not perform certificate validation
    and is therefore vulnerable to man-in-the-middle attacks which might allow an
    attacker to gain access to sensitive data.

  2. User Enumeration
    The login is vulnerable to user enumeration because the error message for a
    non-existent user differs from the error message when a user exists. This allows
    an attacker to perform targeted brute-force attacks and potentially take over
    other user accounts.

Proof of concept:

  1. Missing Certificate Validation
    The application does not validate the server certificate. To verify this,
    a new self-signed certificate was created with the openssl commandline tool.

Afterwards, an openssl server was spawned with netcat:

[ POC removed]

When adding a new account in the application with the IP and port of this server,
a connection is attempted. Now a special string has to be sent from the netcat
listener to the client.

As a response, the client tries to authenticate against the server with the
username and password:

<img certificate_validation.png>

The part between <EOS> and <EOSC> can be base64-decoded and decompressed with
zlib which yields the following output:

[ POC removed ]

The “PW” Parameter contains the base64-encoded password, in this case "unknown".

  1. User Enumeration
    When a non-existent user tries to login, the error message shows "Cannot find
    user":

<img user_nonexistent.png>

When a valid username but a wrong password is submitted, the server responds
with "Username or password is not correct":

<img user_exists.png>

Vulnerable / tested versions:

The following version has been tested:

  • Application version 10.0.0.359 / 2016-07-13 (the Windows version was tested)

The vendor did not respond to our communication attempts, hence it is unknown whether
further versions are affected as well.

Vendor contact timeline:

2023-06-12: Contacting vendor through email [email protected]
Asking for security contact, no response
2023-06-26: Contacting vendor through same email again, no response.
2023-07-24: Contacting vendor through technical support email [email protected]
Asking for security contact again, no response.
2023-09-15: Contacting vendor again through [email protected], [email protected]
and [email protected]. Ticket got automatically created, but no
response.
2023-09-19: Posted a message/comment on LinkedIn at Anveo Group to contact us. Besides a
few profile views from employees (Team Lead Anveo Mobile App, Social Media
Marketing, CEO) no response.
Our comment then got deleted by Anveo Group.
Comment:
“Hi Anveo Group, we have been trying to reach your company since June through
our responsible disclosure process as we have identified some security
issues in your products. We never received any response via multiple email
addresses (found on your website). Could you please get in touch with us and
provide us with a person responsible for security? Thank you!”
2023-09-20: Contacting third party whether they received a patch; no response.
2023-10-09: Contacting again; no response.
2023-10-23: Contacting again; no response.
2023-11-17: Final attempt, asked third party for info again, tried to contact
[email protected]” through ticket again. No response from vendor, but
third party replied, that they also did not receive any response from Anveo.
2023-11-28: Public release of security advisory.

Solution:

The vendor was unresponsive and did not reply to our communication attempts and even
deleted our comment to request a contact on LinkedIn, see the timeline section.

There is no solution known to us for this security issue. In case you are a customer
of Anveo, request an update from them about the issue.

Furthermore, an in-depth security analysis performed by security professionals is
highly advised, as the software may be affected from other security issues.

Workaround:

None

Advisory URL:

https://sec-consult.com/vulnerability-lab/


SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/


Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Daniel Hirschberger / @2023

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution