CVE-2018-5559 my first CVE

TLDR

CVE-2018-5559 is a information disclosure security vulnerability in Komand Security Orchestrator (v0.40.2) that has been disclosed responsibly to Rapid 7 and has been mitigated and patched within days (version >0.42.0). The vulnerability itself is not worth to have a logo.

Introduction

Being a security professional I happen to hear a lot of people complaining about companies handling responsible disclosure in a way that is not appreciated by customers (by sitting on patches to long) or by the disclosure (by not reacting etc). The following blog post is report about a very positive case that I happen to have by disclosing my very first security vulnerability. I really hope this one is being shared and that companies adopt some of the positive aspects. At the very end of the post I will also try to lead to further points where either researchers or companies can read further about the topic.

The stage

Being interested in various APIs that are interesting to security people (eventually turning into dedicated list of APIs on Github) I stumbled across Komand Security Orchestrator. As there was no documentation available (heads up Rapid 7, that fact needs some love!) I spent some time to reverse engineer and discover APIs with Google Chrome developer tools and Python and actively sharing my results on github.

One of the API endpoints was /connections:

https://komandurl/v2/connections 

Connections

Komand Security Orchestrator is made to interact with various (security related) tools to interact and create so called workflows. To achieve that goal, Komand needs credentials to those tools. Every set of credentials is stored in a central keychain that is accessible for workflows. Most connections store some kind of URL, Username and password.

Given this nature, credentials stored in this keychain have either higher Privileges to accomplish tasks or are able to see more than the regular user.

Every Plugin can have it’s own set of credentials, so let’s say you have the LDAP plugin to connect to Active directory, there could be a dedicated set of credentials for prod and qual active directory.

Surprise

After my first GET request to the connection API endpoint something got my attention. While most of the connections have the password field *****ed out, some did not – WTH?
Most look like the following:

"name":"VT Private API","type":"plugin","parameters":{"api_key":"********","url":"https://www.virustotal.com/vtapi/v2/"} 

But OTRS looks like the following:

{"connection_id":36,"plugin_id":75,"name":"OTRS Dev User:komand_test","type":"plugin","parameters":{"server":"https://`EDUCTED","credentials":{"password":"REDUCTED","username":"komand_test"}},"created_at":"2018-08-08T10:56:54Z","updated_at":"2018-08-08T10:56:54Z","deleted_at":null,"deleted_by_id":null} 

And LDAP:

{"connection_id":39,"plugin_id":72,"name":"ÀD","type":"plugin","parameters":{"host":"ldaps://LDAPURL","port":636,"use_ssl":true,"username_password":{"password":"CLEARTEXTPASSWORD","username":"AD\\USER"}},"created_at":"2018-10-05T11:53:47Z","updated_at":"2018-10-05T11:53:47Z","deleted_at":null,"deleted_by_id":null} 

Scope – pre-requisite

To get the above mentioned list of connections you need to have a to be an authenticated admin, so it is not open to everyone.

Scope – affected plugins

As not every password was visible, several plugins have been tested (not every plugin!) and thus two Plugins seem to be affected:

LDAP plugin and OTRS plugin

Impact

To score the vulnerability, the best way to go for is leverage CVSS, and the rating for this vulnerability is a CVSS Score:3.1

CVSS Base Score:3.4
Impact Subscore:1.4
Exploitability Subscore:1.7
CVSS Temporal Score:3.1
CVSS Environmental Score:3.1
Modified Impact Subscore:1.4
Overall CVSS Score:3.1

Responsible disclosure process

October 25, 2018 14:42 created issue with Rapid 7 online portal / Mail to Circl.lu

So I found the issue and wanted to get it fixed as soon as possible and have a CVE assigned, my first reaction was to reach out to my friends from CIRCL.lu to assist and assign a CVE, so I sent them a pgp encrypted mail to info@circl.lu.

Side-note: By accident I had a local mail rule, filtering out all mails from info@circl.lu to a sub folder and marked them as read, that is a stupid thing to do if you expect an answer from them and caused some confusion afterwards, so for clarification, they were very responsive and their reaction time is in hours, so if you do not know who to disclosure with a 3rd party, CIRCL is a great way to get it started and they have a profound network of contact points.

Then I looked on rapid 7 webpage and found that they have a responsible disclosure statement and procedure in place as well so I gave it a shot with opening an issue there.

The portal is very well done and requesting information that are good for engineers to assess the impact as fast as possible, it is even possible to propose a CVSS rating (more to that later)

October 26, 2018 First reaction of Rapid7

Rapid7 gave a SYN / ACK to have received the issue and that Engineering and Support is working on scoping and verifying the issue.

October 26, 2018 Rapid7 verifies it is an issue

On the same day the designated person made a note in the online portal to verify it is an issue and that they are working on fixing it.

October 30,2018 Rapid7 case update

Note on the online portal, Rapid 7 team is working on a fix and providing a rough timeline that a patch should be available the same week and that assigning an CVE is in progress as well.

November 1,2018 Rapid 7 case update

Another note that fix is on the horizon

November 1,2018 Komand Release Notes

On that day a Mail was sent out announcing a new version „Komand Release Notes“. In the Bug fixes area this was mentioned:

v0.42.0: Certain endpoints that are able to list the always encrypted-at-rest connection data could return some configurations of connection data without obscuring sensitive data from the API response. We fixed this issue, and all configurations of connection data are now correctly obscured.

November 1,2018 Komand slack

Via Slack, Komand engineers are asking for my feedback if the patch is indeed fixing the issue I reported, after updating I was able to confirm that.

November 2,2018 pro assigned CVE

Rapid7 reached out to me and CIRCL (who seems to have reported the issue in parallel but I had no SYN ACK from them but told them that they did not need to further disclose as soon as I discovered the Rapid 7 portal.
In this mail I was told the pre assigned CVE for the issue and the CVSS rating their engineering team came up with. They also asked if I plan to write a blog post or other coverage (which you can read at the moment).

Affected?

All versions below 0.42.0 is affected. Afaik it is only the OTRS and the LDAP plugin.

Mitigation

Patch to Komand version 0.42.0 or later. I would recommend to reset the password to all accounts stored for LDAP and OTRS plugins.

Exploited?

Most people might ask – alright, so how can i find out if someone with bad intention has used this vulnerability. The only way to tell is to check the web logs of Komand and look for GET requests to /v2/connections from unusual source IPs.

Feedback

The way this issue was handled was straight forward, at any point I had the impression that my issue was treated on the right level, no over hyping and no „we don’t care“ just the right balance.
It is notably that the online form used by Rapid7 is supporting this process a lot, I assume it makes it easy to scope issues on engineering site as well as easy for the researcher who wants to know what the current status of the reported issue is.

It is also good to see that the work from the FIRST CVSS sig is adding value in such issues as it helps both sides to rate the vulnerability.

Links

https://nvd.nist.gov/vuln/detail/CVE-2018-5559

https://github.com/CVEProject/cvelist/pull/1303

Further reading

To lean more about best practices in responsible disclosure I would recommend:

https://titanous.com/posts/security-disclosure-policy-best-practices

 

Security API collection

While working on different stuff I was searching for a collection of APIs that are related of useful for security researchers, incident response people or threat intel.

Unable to find a good list of REST APIs decided to start it. The collection is hosted on a Security API list, and pull requests or issues mentioning missing APIs are highly welcome.

Why did I produce such a list? More and more people want to automate their workflows, Security Orchestration is the new Buzzword after last years Threat Intelligence, but basically containing the same, they both have in common to facilitate already available data, with Orchestration not storing that much data but enriching dots collected.

However the challenge is, what to integrate, everyone has their „go to“ tools they use on a daily base risking to miss some golden nuggets that are handy.

The list is divided (at the moment) in tools that are mostly on prem., online tools, SIEMs and various. With an increasing number of APIs that ordering might change of course.

So I really hope the list is useful and people can use it and that it can grow.

9Tageticket again a success

One day to go till the Backfischfest in Worms is starting and we can say, the 9TageTicket this year is again a big success. With more then 650 tickets pre ordered, we are on almost the same level as last year, showing that there is a constant interest in the free tickets that show other visitors the commitment to the Backfischfest.

For the first time we will have flyer for the showman explaining the idea behind 9TageTicket.

Ahoi

Django 403 CSRF forbidden

The following error message:

Forbidden (403)
CSRF verification failed. Request aborted
More information is available with DEBUG=True

Might occur if you are using an apache / nginx running behind another Apache as a proxy.
To read more about CSRF go to wikipedia. It is basically an interception of a session exploiting the trust a browser has to a site.

So it is an security feature, that is interfered by the proxy.
You have most likely something like:

ProxyPass / https://$yourhost/
ProxyPassReverse / https://$yourhost/

In your apache config. That needs to be extended to:

ProxyPass / https://$yourhost/
ProxyPassReverse / https://$yourhost/
ProxyPreserveHost On

Quote from apache doc:

When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the hostname specified in the ProxyPass line.

This option should normally be turned Off. It is mostly useful in special configurations like proxied mass name-based virtual hosting, where the original Host header needs to be evaluated by the backend server.

Amazon Fire TV nun in Deutschland

Da öffnet man Amazon ohne böse Vorahnung und bekommt einen Hinweis:

Liebe Kunden,

wir freuen uns, Ihnen heute das Amazon Fire TV vorzustellen.

Endlich.

Und noch schöner, bis Montag gibt es das Amazon Fire TV für Amazon Prime Kunden zum Vorzugspreis von 50 Euro statt 99 Euro.

PS: Das Fire TV bietet neuen und existierenden Prime-Mitgliedern noch mehr. Sie können Tausende beliebte Filme und Serienepisoden mit Prime Instant Video sofort unbegrenzt streamen und erhalten in den nächsten fünf Tagen das Fire TV für nur 49 EUR statt regulär 99 EUR.

Zuschlagen lohnt sich also.

Edit: Golem schreibt nun auch darüber

Simsme a secure messenger

(c) Deutsche Post AG

(c) Deutsche Post AG

There have been some ongoing discussions about Facebook Messanger / Whattsapp – security, encryption, privacy etc.
Just a few days ago Facebook made a big move pushing more users to the Facebook Messenger.
And now a new big player enters the field of messengers: Deutsche Post.

They announced a product called „Sims Me“ being a „free and secure messenger on iOS and Android“.

Of course Deutsche Post has some expirience with delivering messages for hundrets of years. But this is not the first App Deutsche Post is providing, officially the apps are developed by „DP IT Brief GmbH“.

Key Features of SimsMe

– End to end encryption
– everything stored on servers
– self destructive messages *
– Ability to connect to your existing contacts (but only by granting SimsMe access to your contacts)
– Confirm users by QR code (same like Threema)
– App is password protects -> if your possword got lost, your app data is gone, you have to reinstall it.

* only for th first million users for free

There is a good FAQ on the page.

Conclusion

The starting phase was a bit to much for Deutsche Post as to much users tried the service, but for now it is okay, some bugs have to been fixed, there is some space for improvement regarding UI, but overall a nice product.

Of course stating „it is end-to-end encrypted“ does not mean anything. I haven’t seen a Audit of the App, even if it would be open source, there is no evidence that the open source code is the code DP IT Brief GmbH is sending to Apple / Google. And there is no way to check wether the app uploaded from DP IT Brief GmbH to Apple / Google is the App that you are downloading to your device (they are in a position to madify apps). That said, having a big company providing an app with end to end encryption is better than using a plain-text or not properly encrypted app. But still, if you want to exchange sensitive stuff, face to face is the way to go.

Download

iOS Itunes download
Andoid Google Playstore

Banana Pi a better raspberry pi

Since serveral month, many Pis are in use within my network. I am using them for XBMC Raspberry, Syslog Raspberry, Kippo Raspberry Pi, surveillence pi, Nagios Raspberry Pi, Backup Pi a TOR Raspberry pi and of course they are using UPS for power supply.

But since some of the use cases are not that trivial, the tech specs of the raspberry are not high enough. But now a new pi is on the road: Banana Pi.

Specs of the Banana Pi (bold most important ones):
SoC: Allwinner A20*
(ARM Cortex-A7 dual-core, 1GHz, Mali400MP2 GPU)
System Memory 1GB DDR3 DRAM
Storage: SD card slot, Extensible with SATA connection
Video output: HDMI, Composite, Extensible with on-board LVDS connector
Audio I/O: HDMI,3.5mm stereo jack output,On-board microphone input
Connectivity: Gigabit Ethernet
USB: 2* USB 2.0 ports, 1* OTG micro USB port,1* micro USB for power supply**
Expansion: Extensible 26-pin headers, Camera connector, Display connector for LVDS and touch screen
Misc: 3* on-board buttons, (Power, Reset, Uboot key), IR receiver
Dimensions: 92mm X 60 mm
Weight: 48 g

Wow! It has gigabit onboard, an faster CPU (with integrated GPU!) , double Sytem memory, is compatible to extension modules of the original Raspberry Pi.

Especially for multimedia use cases, like HD (1080p and even higher) streaming the Banana Pi looks quite nice. At the moment, XBMC is not fully compatible to the banana pi, but the bigger the fan group the faster XBMC will work on supporting the new toy.

I will try to get one of the boards to get a first impression and will write about it in the future.

A good review of Banana pi is available at: http://raspi.tv/2014/banana-pi-review-first-impressions. The author is describing some problems while installation, but I think that is a common problem for new products. One particular complaint is very interesting, he mentioned that the linux SD card image is bigger then needed, because they included free space to the image – what a pitty.