Security Advisory: Alt-n Security Gateway (CVE-2022-25356)

Swascan Offensive Security Team has identified 1 vulnerability on Alt-n Security Gateway product, the vulnerability was found during a Penetration Test.

Product description

Alt-n develops and manufactures products and solutions for companies to help them be more safe against phishing attacks, malwares and much more, Security Gateway accomplishes that goal giving protection from external/internal email threats.

Swascan worked together with Alt-n in order to fix this vulnerability.

Technical summary

Swascan’s Cyber Security Team found an important vulnerability on: Security Gateway

VulnerabilityCVSSv3.1Severity
Unauthenticated registration key disclosure through XML Injection7.5 HighAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

In the following section the technical details about this vulnerability, including evidence and a proof-of-concept.

Vulnerability details

Unauthenticated registration key disclosure through XML Injection

Description

In Alt-n Security Gateway product, a malicious actor could inject an arbitrary XML argument by adding a new parameter in the HTTP request URL. In this way the XML parser fails the validation process disclosing information such as kind of protection used (2FA), admin email and product registration keys.

Proof of Concept

The following POC will inject an arbitrary XML argument in the processed XML retrieving the SecurityGateway configuration through the error message:

# curl -kis “http://<target>/SecurityGateway.dll?view=login&redirect=true&9OW4L7RSDY=1”

The result of the previous curl is the following:

Figure 1  Security settings, admin information and product registration key disclosed
Figure 2  Working registration key for product update

Impact

An attacker can use the information retrieved to try to authenticate as admin user through brute force attacks, password guessing or using compromised credentials, (since the admin email address used is known).  The product registration keys can be compromised as well.

Remediation

The application should not trust user input and avoid incorporating inside the XML arbitrary URL parameters and/or sanitize the input by encoding the characters “<>” with the corresponding entities “&lt; and &gt”.

Alt-n released a patch for the MDaemon software, reported in the references below.

Disclosure Timeline

  • 17 February 2022: Vulnerabilities discovered
  • 17 February 2022: CVE-ID requested at MITRE
  • 17-February-2022: Vendor contacted by email (1st time, no response)
  • 18-February-2022: CVE-ID assigned
  • 25-February-2022: Vendor contacted by email (2nd time, no response)
  • 25-February-2022: Vendor contacted by email (3rd time, vendor responded)
  • 08-March-2022: Vendor responded and released an update
  • 04-April-2022: Vulnerability disclosed
  • 05-April-2022: Issued CVE-ID CVE-2022-25356

Sources and references

Security Advisory: Forma LMS (CVE-2022-27104)
Emotet: signature-based evasion & malleable executable

Cyber Incident Swascan Emergency

Contact us for immediate support

The undersigned, as data subject, DECLARES that I have read and understood the content of the privacy policy pursuant to Article 13, GDPR. AGREE to the processing of data in relation to the sending by the Data Controller of commercial and / or promotional communications relating to (i) own products / services, or (ii) products / services offered by third parties.
The consent given may be revoked at any time by contacting the Data Controller at the addresses provided in the aforementioned privacy policy.