Security Advisory: Alt-n Security Gateway (CVE-2022-25356)

Swascan Offensive Security Team has identified 1 vulnerability on Alt-n Security Gateway product, the vulnerability was found during a Penetration Test.

Product description

Alt-n develops and manufactures products and solutions for companies to help them be more safe against phishing attacks, malwares and much more, Security Gateway accomplishes that goal giving protection from external/internal email threats.

Swascan worked together with Alt-n in order to fix this vulnerability.

Technical summary

Swascan’s Cyber Security Team found an important vulnerability on: Security Gateway

VulnerabilityCVSSv3.1Severity
Unauthenticated registration key disclosure through XML Injection7.5 HighAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

In the following section the technical details about this vulnerability, including evidence and a proof-of-concept.

Vulnerability details

Unauthenticated registration key disclosure through XML Injection

Description

In Alt-n Security Gateway product, a malicious actor could inject an arbitrary XML argument by adding a new parameter in the HTTP request URL. In this way the XML parser fails the validation process disclosing information such as kind of protection used (2FA), admin email and product registration keys.

Proof of Concept

The following POC will inject an arbitrary XML argument in the processed XML retrieving the SecurityGateway configuration through the error message:

# curl -kis “http://<target>/SecurityGateway.dll?view=login&redirect=true&9OW4L7RSDY=1”

The result of the previous curl is the following:

Figure 1  Security settings, admin information and product registration key disclosed
Figure 2  Working registration key for product update

Impact

An attacker can use the information retrieved to try to authenticate as admin user through brute force attacks, password guessing or using compromised credentials, (since the admin email address used is known).  The product registration keys can be compromised as well.

Remediation

The application should not trust user input and avoid incorporating inside the XML arbitrary URL parameters and/or sanitize the input by encoding the characters “<>” with the corresponding entities “&lt; and &gt”.

Alt-n released a patch for the MDaemon software, reported in the references below.

Disclosure Timeline

  • 17 February 2022: Vulnerabilities discovered
  • 17 February 2022: CVE-ID requested at MITRE
  • 17-February-2022: Vendor contacted by email (1st time, no response)
  • 18-February-2022: CVE-ID assigned
  • 25-February-2022: Vendor contacted by email (2nd time, no response)
  • 25-February-2022: Vendor contacted by email (3rd time, vendor responded)
  • 08-March-2022: Vendor responded and released an update
  • 04-April-2022: Vulnerability disclosed
  • 05-April-2022: Issued CVE-ID CVE-2022-25356

Sources and references

Cyber defense: security e data protection in azienda
Cyber Risk Indicators: Infrastrutture critiche Italia

Pronto intervento Cyber Swascan

Contattaci per un supporto immediato

Il sottoscritto, in qualità di interessato DICHIARA di aver letto e compreso il contenuto della privacy policy ai sensi dell’articolo 13, GDPR. ACCONSENTE al trattamento dei Dati in relazione all’invio da parte del Titolare di comunicazioni afferenti alla gestione di eventuali misure precontrattuali, preordinate alla stipulazione e/o esecuzione del contratto con il Cliente nonché all'adempimento dei relativi obblighi.
Il consenso prestato potrà essere revocato in qualsiasi momento contattando il Titolare ai recapiti presenti nella citata privacy policy.