CVE
Vaultize
Publication date: April 25, 2018
Product: "Vaultize provides a comprehensive enterprise file security platform that enables continuous data protection, digital rights management, secure file sharing and unprecedented access control for zero data loss."
Product homepage: http://www.vaultize.com
Context: The vulnerabilities were found during a vulnerability assessment; please note that only the web application was tested, not the entire solution.
Authors:
- Julien Ehrhart from Excellium-Services company | https://twitter.com/julienehrhart
- Anthony Maia from Excellium-Services company | https://twitter.com/piosky1
Tested on:
- Vaultize 17.05.31
8 vulnerabilities discovered:
CVE-2018-10206
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is a stored XSS via the optional message field of a file request.
CVSSv3: 5.4 (/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10206
CVE-2018-10207 (Critical)
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. An unauthenticated attacker can export viewable files (PDF, xls, doc, png, jpeg...) of all users.
CVSSv3: 9.1 (/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:U/RC:C/CR:H/MC:H)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10207
CVE-2018-10208
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is a reflected XSS on the error page via the "/share/error?message=" URI which is accessible without authentication.
CVSSv3: 6.1 (/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10208
CVE-2018-10209
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is a stored XSS on the file or folder download pop-up via a crafted file or folder name.
CVSSv3: 5.4 (/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10209
CVE-2018-10210
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. A user enumeration is possible through the password-reset feature.
CVSSv3: 5.3 (/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10210
CVE-2018-10211
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is an improper authorization when listing the history of another user.
CVSSv3: 4.3 (/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10211
CVE-2018-10212
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is an improper authorization leading to creation of folders within another account.
CVSSv3: 4.3 (/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10212
CVE-2018-10213
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is an XSS in the invitation email received by a different user.
CVSSv3: 4.1 (/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10213
Fixes: As of 19/05/2018, more than 6 months after notification, the vulnerabilities are not fixed. Workarounds exist (disabling features), but no official fix has been pushed by Vaultize.
Recommendations: Disable the FlexPaperView feature and put a WAF with custom rules.
Timeline:
- 24/10/17 Vaultize notified of the issues
- 27/10/17 Vaultize acknowledges the issues
- 09/11/17 Received workarounds for: CVE-2018-10206 / CVE-2018-10208 / CVE-2018-10209 / CVE-2018-10212
- 23/11/17 Received workaround for: CVE-2018-10212
- 07/12/17 Request for remaining fixes, no answer to CERT-XLM
- 02/01/18 Vulnerable Clients & CSIRT notification
- 18/04/18 Mitre notification
- 25/04/18 Public disclosure
Legal notices: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this advisory.
RedHat (WildFly)
Publication date: May 3rd, 2018
Authors:
- Jean-marie Bourbon (kmkz) from Excellium-Services company | https://twitter.com/kmkz_security
- Anthony Maia (Piosky) from Excellium-Services company | https://twitter.com/Piosky1
Product homepage: http://wildfly.org/
Source code download: https://github.com/wildfly/wildfly/tree/10.x
Tested on:
- Name : WildFly Full
- Product version: 10.1.2.Final
- Profile : COMMUNITY
- HAL version : 2.8.27.Final
- Core version : 2.8.27.Final
2 vulnerabilities discovered:
CVE-2018-10682
An issue was discovered in WildFly 10.1.2.Final. It is possible for an attacker to access the administration panel on TCP port 9990 without any authentication using "anonymous" access that is automatically created. Once logged in, a misconfiguration present by default (auto-deployment) permits an anonymous user to deploy a malicious .war file, leading to remote code execution. Notice that anonymous access is not available in the default installation; however, it remains optional because there are several use cases for it, including development environments and network architectures that have a proxy server for access control to the WildFly server.
CVSSv3: 10 (/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10682
CVE-2018-10683
An issue was discovered in WildFly 10.1.2.Final. In the case of a default installation without a security realm reference, an attacker can successfully access the server without authentication. Notice that Security Realms documentation in the product's Admin Guide indicates that "without a security realm reference" implies "effectively unsecured." The vendor explicitly supports these unsecured configurations because they have valid use cases during development.
CVSSv3: 7.2 (/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10683
Fixes: No known fix yet. Red Hat Security does not consider these to be security issues.
Recommendations: Add an authentication mechanism to each administration interface by default and restrict the permissions of the anonymous user. Only an admin user should be able to deploy .war files; disable auto-deployment by default.
Timeline:
- January 9th, 2018: Vulnerability identification
- January 12th, 2018: First contact with the editor (RedHat Security Team)
- May 2nd, 2018: Reply with updated advisory
- May 2nd, 2018: CVE request / CVE assigned
- May 3rd, 2018: Writeup's publication
- May 8th, 2018: Public disclosure
Legal notices: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this advisory.