-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-044
Product: Secure File Sharing
Vendor: Serv-U
Affected Version(s): Serv-U 15.1.2.189 and below
Tested Version(s): Serv-U 15.1.2.189
Vulnerability Type: Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2015-07-23
Solution Date: 2015-11-04
Public Disclosure: 2015-11-09
CVE Reference: Not assigned
Author of Advisory: Franz G. Jahn, SySS GmbH, https://www.syss.de/advisories/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

A mail header injection vulnerability was identified in the Serv-U Secure File Sharing application.

Serv-U Secure File Sharing is described as follows [1]:

"Secure file sharing lets users send files to and request files from anyone. When deployed in your data center, Serv-U Managed File Transfer Server provides this popular “ad hoc” file transfer service to your end-users on your existing infrastructure, and under the control of your existing security policy."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The subject entered in an upload or download request is placed into the header section of the notification e-mail without its CR/LF sequences being neutralized. A crafted subject containing a line break therefore makes it possible to inject additional e-mail headers, for example a further recipient.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Use the Subject:

"Test
Cc: additional-recipient@example.com"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to information from Serv-U, a HotFix for the described security issue is available at [2].

Please contact the manufacturer for further information or support.
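The following Python snippet is an added illustration and is not part of the SySS advisory or of Serv-U's code. It shows the defect class the advisory describes: a notification builder that concatenates a user-controlled subject into the header block, so the PoC subject (with its line break, a constructed sample here) yields an extra Cc header once a receiving mail parser reads it. Beside it sits a hardened builder that rejects CR, LF and NUL in header values, plus a small check that lists header fields the application never intended to send, which is what a reviewer or a mail-log test would look for. All function names are hypothetical.

```python
"""Added example (not from the advisory or from Serv-U): CR/LF injection into
e-mail headers, with the vulnerable builder, the hardened builder and a
simple detection helper. All names are hypothetical."""
import re
from email.parser import HeaderParser

# Constructed sample input: the advisory's PoC subject, with the CRLF that
# turns its second line into a header of its own.
INJECTED_SUBJECT = "Test\r\nCc: additional-recipient@example.com"

# Header fields the notification is supposed to carry and nothing else.
EXPECTED_HEADERS = ("From", "To", "Subject")

_HEADER_CTL = re.compile(r"[\r\n\x00]")


def build_headers_unsafe(sender, recipient, subject):
    """Vulnerable pattern: the subject is dropped straight into the header
    block, so a CR/LF inside it starts a new header line."""
    return (
        f"From: {sender}\r\n"
        f"To: {recipient}\r\n"
        f"Subject: {subject}\r\n"
        "\r\n"
    )


def sanitize_header_value(value):
    """Fail closed: CR, LF and NUL are never legitimate in a single header
    value typed by a user, so reject the request instead of silently
    stripping characters (stripping can still leave surprising output)."""
    if _HEADER_CTL.search(value):
        raise ValueError("control characters are not allowed in header values")
    return value


def subject_is_safe(subject):
    """Boolean view of the same check, handy for request validation."""
    return _HEADER_CTL.search(subject) is None


def build_headers_safe(sender, recipient, subject):
    """Hardened builder: every value that came from the user is checked
    before it is written into a header line."""
    subject = sanitize_header_value(subject)
    return (
        f"From: {sender}\r\n"
        f"To: {recipient}\r\n"
        f"Subject: {subject}\r\n"
        "\r\n"
    )


def header_names(raw_headers):
    """Parse a raw header block the way a receiving MTA would and return the
    field names in order; the stdlib parser treats CRLF, CR and LF alike."""
    msg = HeaderParser().parsestr(raw_headers, headersonly=True)
    return list(msg.keys())


def unexpected_headers(raw_headers, expected=EXPECTED_HEADERS):
    """Return header fields that are present but not on the expected list.
    A non-empty result on an outgoing notification is the injection signal."""
    allowed = {name.lower() for name in expected}
    return [name for name in header_names(raw_headers) if name.lower() not in allowed]


if __name__ == "__main__":
    raw = build_headers_unsafe("noreply@example.com", "user@example.com", INJECTED_SUBJECT)
    print("unsafe builder sends:", header_names(raw))            # ['From', 'To', 'Subject', 'Cc']
    print("unexpected fields:", unexpected_headers(raw))         # ['Cc']
    try:
        build_headers_safe("noreply@example.com", "user@example.com", INJECTED_SUBJECT)
    except ValueError as exc:
        print("safe builder rejected the subject:", exc)
```

Rejecting rather than stripping is deliberate: a stripped subject still reaches the mail system with attacker-shaped content, whereas a rejected request produces an error that can be logged and alerted on. The `unexpected_headers` check is also usable on the receiving side, over the headers of notification mails a server actually sent, to confirm after patching that no field outside the expected set appears.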
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-07-06: Vulnerability discovered
2015-07-23: Vulnerability reported to vendor
2015-07-30: Reported vulnerabilities again as the vendor did not respond to the first e-mail
2015-08-31: Reported vulnerabilities again as the vendor did not respond to the first e-mails
2015-09-16: Rescheduling of the publication date in agreement with the manufacturer
2015-11-09: Public release of security advisory on agreed publication date

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Serv-U, Secure File Sharing
    http://www.serv-u.com/secure-file-sharing
[2] Serv-U, HotFix for Secure File Sharing
    http://downloads.solarwinds.com/solarwinds/Release/HotFix/SU-v15.1.2-HotFix2.zip
[3] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Franz G. Jahn and Philipp Buchegger of the SySS GmbH.

E-Mail: franz.jahn (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Franz_Jahn.asc
Key ID: 0xD06A14DE
Key Fingerprint: 2D26 E435 DF7F 572D A0C9 1DE8 D5A6 1496 D06A 14DE

E-Mail: philipp.buchegger (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Philipp_Buchegger.asc
Key ID: 0xBB6747E8
Key Fingerprint: 489F 34EE FA88 27DE 69A0 756B 0658 09F0 BB67 47E8

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWPMtpAAoJENWmFJbQahTeKi4P/jr7Q4Ag+ebrPlDm1q/AI3wn
Uz7Vmt5QrXKIHuQfT6yteXZv0GuVYMatVuSIwtuZ6Tv225sdqZnY8sbASyQPQ38f
WTmiKKlji/61dpmXZTEOV2eNVQIUwtwPkGnt+MhH3vKxUamG69vb+Uv6stkudtWj
MgdroMFpBiKzU9ZPkTNnwBpTDLfCHOvU/brCxLBCKiOUAUKlOsoOk2/9EJ5/kCG1
f5xPnL1l5deGqYP1kTPjZ9M7Rxy89uqKJF6bqAMYYCiuQqygga5qKRaLkOxJzBO2
aziTH6aBCls0Jji72/UvTnxNnCxnUVu0DVxRe6lPKfRPM+3O7Yln5PQ2go0sT7+2
S7UzClt09kTEnw1czT5T6X41ymAVFvczLcG6JlWuX9K7Cb7+14HpqbSEpH/fKRWi
ESwz4UKeerNUqgqmoohzNd+7sWPCgyvsbssnP6BpcCG2tST693kIvR3Z46MSj6i7
GAbwpuB7E0k5fAi99oC2TJNgDDfCYIoGZ0Ha/Vr7Jpt/iiPGRWNp5andkGFeUHr2
xhCp8JU9gKFVszDiIjMgmo76yvlRJsJNwtW6wS3nn5tKmuz7a/vKtds11/V8Uoh0
x67kIZRLnaz5TpTEJARfgHHRsrzB+BJXsrqR033U+/wXVOObu69zSnUYL+dr7Hq5
txRmbOwGDBgbH3cNQMAK
=SRPM
-----END PGP SIGNATURE-----