-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2021-005
Product: FireEye EX 3500, eMPS (Appliance)
Manufacturer: FireEye
Affected Version(s): eMPS 9.0.1.923211
Tested Version(s): eMPS 9.0.1.923211
Vulnerability Type: Improper Neutralization of Special Elements used in
                    an SQL Command ('SQL Injection') (CWE-89)
Risk Level: Low
Solution Status: Fixed
Manufacturer Notification: 2021-01-29
Solution Date: Release of 9.0.3 (date not publicly available)
Public Disclosure: 2021-03-31
CVE Reference: CVE-2021-28969
Author of Advisory: Dr. Benjamin Hess, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

FireEye EX is an e-mail security appliance to detect and block unwanted
e-mails. The appliance is primarily controlled via a WebGUI.

The manufacturer describes the product as follows (see [1]):

"FireEye Email Security detects and blocks every kind of unwanted email,
especially targeted advanced attacks. Time and again, this solution has
proven itself capable of detecting corporate email threats in traffic
accepted as safe by other products."

Due to missing sanitization of user-controlled input, the web application
is vulnerable to SQL injection, allowing an authenticated attacker to
extract data from the underlying database. Exploitation requires
authorized access to the application; low privileges are sufficient.
Considering this aspect and the fact that such appliances are usually
placed in separate networks with restricted access, the risk level is
rated as "low".

Note that this vulnerability is different from CVE-2020-25034 and affects
newer versions of the software.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The vulnerability can be triggered when logging on to the WebGUI as an
authenticated user and searching for processed e-mails.
The vulnerability was successfully triggered with an active session for
the role "monitor", but there are further roles with access to the e-mail
search.

Multiple SQL injection vectors were identified for the search parameter
"sort_by". The underlying database management system is PostgreSQL, and
the queries are executed as the user "postgres", a database administrator
with full access to the database. However, stacked queries could not be
achieved within the testing time, so exploitation is limited to read
access to the database, albeit with the privileges of the database
administrator. Note that such read access also covers tables normally
restricted to the superuser, for example the password hashes in
"pg_shadow".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Sending the following GET request using the cookies of an active session,
such as one in the role "monitor", demonstrates the successful
exploitation:

https://targethost.com/ex/message_tracking/messages?search%5Burl%5D=%25
&search%5Battachment%5D=&sort_by=

Here, the value of the parameter "sort_by" is the URL-encoded version of
the following string:

(SELECT (CASE WHEN () THEN 1 ELSE (SELECT 2525 UNION SELECT 7139) END))

The empty condition in "CASE WHEN ()" needs to be replaced by a suitable
boolean expression in order to carry out a boolean-based blind attack. If
the condition is satisfied, the status code "200" is returned. If not,
the ELSE branch is evaluated; since a scalar subquery that returns more
than one row is an error in PostgreSQL, the query fails and the status
code "500" is returned. Similarly, the parameter can also be exploited
via a time-based blind injection.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to the vendor, the vulnerability is fixed in version 9.0.3.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-01-27: Vulnerability discovered
2021-01-29: Vulnerability reported to manufacturer
2021-03-31: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Website for FireEye Email Security
    https://www.fireeye.com/products/email-security.html
[2] SySS Security Advisory SYSS-2020-031
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-005.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Benjamin Hess of SySS GmbH.

E-Mail: benjamin.hess@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Benjamin_Hess.asc
Key ID: 0x1331325C
Key Fingerprint: D73C 3C3D 746C 66C3 D0AE BED8 7FD5 638E 1331 325C

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1zw8PXRsZsPQrr7Yf9VjjhMxMlwFAmBkBEcACgkQf9VjjhMx
MlyhGhAAhjUTwJmxYdRQqTWUDzazxwbEa2fW9By4rRs3W4KVOC+ND9LMyebrU8/L
YvohOIFRqbb2wGnwCDGJ8DfEWMVCzbiVaIAB+Zw3IuxXx2Du8tGLffYqpKahYg3h
B4fJwSeoA70ZpmQXfa5S2I5SFezjC3A7s4+YBQPXKGtBCWb4Ztn06wQ+We4stvlY
HZlIDl/HqOWWFr7V1QwKre7VODKdJGDwGlgaq5LbBCE1/q1BRgBBTaWdsksOtnd/
qEOtajjY7QHpsUI0Wi8T2o10vxyRl1rFXyqzozFWv7at+x3YvsQ4FTOaM1aqDQ1o
UF+FgDymmTGC1G6P0RJvCRyArm0ybd3ILCs3b5T1ORg2oXccuRV+wJI37Piq9WH1
dytYMLCfhZCiVfDIjA6jtqftfgBjymhUnvdVaYZBfRUo42JuPi94qWkqLlkbW/nF
NCPOkD4J8Np51cRlTiV9yTIvndIUG0nVYbqJLj4HGvIAFfqA2QQBks4UjYDM4Zy+
rktDPBvOvLqtasviGpQJxUwCy3Uo0ULsm3l7DqC0VAMxWdaXEJz/NjAVYqCuLeRd
GwiqjcXUuZPhLCBeyBNIBgzybzr8/h9xBGrmzsmOokSIKgJoOvKqzWTqKC5+qKMg
D4BngKrB+qkV39neNcA/1KLh5rGv7GmDkWZeT0zfdQeHyF33lEA=
=qFf4
-----END PGP SIGNATURE-----