SSD Advisory – Skype For Business XSS

Vulnerability Summary
The following advisory describes an XSS vulnerability found in Skype for Business.
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
The vendor has released patches to address this vulnerability and, in response to our query on the status, provided only these details: “implemented some changes in the latest version to sanitize HTML input”.

SSD Advisory – KEMP LoadMaster from XSS Pre Authentication to RCE

Vulnerability Summary
KEMP’s main product, the LoadMaster, is a load balancer built on its own proprietary software platform, LMOS, which enables it to run on almost any platform: as a KEMP LoadMaster appliance, as a Virtual LoadMaster (VLM) deployed on Hyper-V or VMware, on bare metal, or in the public cloud. KEMP is available in Azure, where it is among the top 15 deployed applications, as well as in AWS and VMware vCloud Air.
A cross-site scripting web vulnerability has been discovered in KEMP LoadMaster v7.135.0.13245 (latest). An unauthenticated user is able to inject malicious JavaScript code into the system and use it to create a new web administrator user.
Vendor response
We were unable to get an update beyond this statement from the vendor:
Expect a fix in our new version available Jan 2017.

SSD Advisory – Synology DiskStation Manager Multiple Stored Cross-Site Scripting

Vulnerabilities Summary
The following advisory describes two (2) stored Cross-Site Scripting (XSS) vulnerabilities found in Synology DiskStation Manager (DSM):

  1. Cross-site scripting stored in SWF file
  2. Cross-site scripting stored in Video Station application

Synology DiskStation Manager (DSM) is a Linux-based software package that serves as the operating system for the DiskStation and RackStation products. DSM is the foundation of the DiskStation, integrating the basic functions of file sharing, centralized backup, RAID storage, multimedia streaming, virtual storage, and use of the DiskStation as a network video recorder.
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
Repeated emails sent to the vendor (support@cynology.com) since March were answered only with unclear responses:
“Sorry for the misunderstanding. You reported it to us and what I meant was that our developers have verified your report and it’s been logged as a known issue now.
So, your report to us is highly appreciated and we thank you very much for your help!”
On August 11, 2017 we received an email from Synology with a link to the patch they released.
For more information: https://www.synology.com/en-global/support/security/Synology_SA_17_39_Video_Station

SSD Advisory – Serviio Media Server Multiple Vulnerabilities

Vulnerabilities Summary
The following advisory describes five (5) vulnerabilities found in Serviio Media Server. Affected versions: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1.
Serviio is a free media server. It allows you to stream your media files (music, video or images) to renderer devices (e.g. a TV set, Bluray player, games console or mobile phone) on your connected home network.
Serviio works with many devices in your connected home (TV, PlayStation 3, Xbox 360, smartphones, tablets, etc.). It supports profiles for particular devices so that it can be tuned to maximise each device’s potential and/or work around gaps in its media format playback support (via transcoding).
Serviio is based on Java technology and therefore runs on most platforms, including Windows, Mac and Linux (incl. embedded systems, e.g. NAS).
The vulnerabilities found in Serviio Media Server are:

  • Remote Code Execution
  • Local Privilege Escalation
  • Unauthenticated Password Modification
  • Information Disclosure
  • DOM-Based Cross-Site Scripting (XSS)

Credit
Independent security researcher Gjoko Krstic from Zero Science Lab reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor Response
We have tried on numerous occasions over the past two months to contact the vendor; all emails sent to them went unanswered.

SSD Advisory – HPE OpenCall Media Platform (OCMP) Multiple Vulnerabilities

Vulnerabilities Summary
The following advisory describes Reflected Cross-Site Scripting (XSS) vulnerabilities and a Remote File Inclusion vulnerability found in HP OpenCall Media Platform (OCMP) version 4.3.2 which, when combined, can lead to arbitrary JavaScript code execution.
HPE OpenCall Media Platform (OCMP) is a suite of software and hardware applications which allow implementation of common telecom operator services such as voicemail, SMS (short message service), prepaid, billing, HLR, etc. It implements industry standard telecom protocols and standards such as SS7, ISUP, TCAP, SIP, MRCP, RTSP, and VoiceXML.
HPE OpenCall Media Platform offers a highly scalable, easy-to-manage, carrier-grade media platform that adapts to future networks and applications. Through its strong support of open standards and protocols, new applications can be rapidly developed and deployed in a way that preserves investments and reduces capital expenditures (CAPEX) and operational expenditure (OPEX).
Three different components of HPE OpenCall Media Platform (OCMP) are vulnerable; the vulnerabilities found in each component are:

  • Application Content Manager
  1. Reflected Cross-Site Scripting (XSS) – /mcm/resources/
  • Platform Administration Tool
  1. Reflected Cross-Site Scripting (XSS) that leads to arbitrary Javascript code execution
  2. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE0 parameter
  3. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE1 parameter
  4. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE2 parameter
  5. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE3 parameter
  6. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME0 parameter
  7. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME1 parameter
  8. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME2 parameter
  9. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME3 parameter
  10. Reflected Cross-Site Scripting (XSS) – GetMapAction function
  11. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NUM parameter
  12. Reflected Cross-Site Scripting (XSS) – GetMapAction function, NAME parameter
  13. Reflected Cross-Site Scripting (XSS) – cdrdispatch function, next parameter
  14. Reflected Cross-Site Scripting (XSS) – cdrdispatch function, sessionType parameter
  • VoiceXML Administration Tool
  1. Reflected Cross-Site Scripting (XSS) – event.do function
  2. Reflected Cross-Site Scripting (XSS) – call.do function
  3. Remote File Inclusion – proxylink.do function
Credit
Independent security researcher Paolo Stagno from VoidSec reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor Response
HPE has released patches to address these vulnerabilities; for more details see:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03686en_us

SSD Advisory – SolarWinds Multiple Vulnerabilities

Vulnerabilities Summary
SolarWinds Server and Application Monitor version 6.1.1 has been found to contain multiple vulnerabilities:

  1. Node Custom Properties Persistent XSS
  2. Audit Events Module Persistent XSS
  3. Custom “Data Source” and ‘Where Clause’ Persistent XSS
  4. “Build Dynamic Query Name” Persistent XSS
  5. Multiple Persistent XSS Vulnerabilities Via ‘Title’ field
  6. Application Monitor Template Persistent XSS
  7. NOC View Name Persistent XSS

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
We notified SolarWinds about the vulnerabilities back in August 2015; repeated attempts to re-establish contact and get some answers on the status of the patches for these vulnerabilities went unanswered. We also contacted CERT in August 2015, but they were unable to get SolarWinds to address these issues. At this time there is no solution or workaround for these vulnerabilities.

Know your community – Steven Seeley

You all know him from Twitter as “mr_me” (@steventseeley); we are proud to interview Steven Seeley! Vulnerability researcher, Ruxcon and HITB speaker, founder of Source Incite and a long-time Wing Chun student!!

SSD Advisory – IBM WebSphere Portal Cross-Site Scripting (XSS)

Vulnerabilities Summary
The following advisory describes a Cross-Site Scripting (XSS) vulnerability found in WebSphere Portal version 8.0.0.1.
IBM WebSphere Portal products provide enterprise web portals that help companies deliver a highly-personalized, social experience for their customers. WebSphere Portal products give users a single point of access to the applications, services, information and social connections they need. These products help increase visitor response and reduce web operations cost while offering a range of capabilities to meet your business needs.
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
We notified IBM of the vulnerability back in September 2016; repeated attempts to re-establish contact and get some answer on the status of the patch for this vulnerability went unanswered. At this time there is no solution or workaround for this vulnerability.

SSD Advisory – Icewarp, AfterLogic and MailEnable Code Injection

Vulnerabilities Summary
The following advisory describes three (3) vulnerabilities in the Icewarp, AfterLogic and MailEnable webmail products.
The three vulnerabilities found are:

  1. Afterlogic Webmail code injection
  2. Icewarp Webmail code injection
  3. MailEnable Webmail code injection

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor Responses
AfterLogic
AfterLogic has released a patch to address the vulnerability. We have no information on which version addresses it; we believe the latest version of AfterLogic includes the fix.
IceWarp
IceWarp has released a patch to address the vulnerability in version 11.4.0.
MailEnable
We notified MailEnable of the vulnerabilities back in November 2015; repeated attempts to re-establish contact and get some answer on the status of the patches for these vulnerabilities went unanswered. At this time there is no solution or workaround for these vulnerabilities.

SSD Advisory – Polycom Video Conference Persistent and Unauthenticated XSS

Vulnerability Description
A persistent, pre-authenticated cross-site scripting vulnerability in the Polycom HDX web interface allows remote attackers to take over the camera and control it.