-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2021-006
Product:                   FireEye EX 3500, eMPS (Central Management)
Manufacturer:              FireEye
Affected Version(s):       eMPS 9.0.1.923211
Tested Version(s):         eMPS 9.0.1.923211
Vulnerability Type:        Improper Neutralization of Special Elements
                           used in an SQL Command ('SQL Injection') (CWE-89)
Risk Level:                Low
Solution Status:           Fixed
Manufacturer Notification: 2021-01-29
Solution Date:             Release of 9.0.3 (date not publicly available)
Public Disclosure:         2021-03-31
CVE Reference:             CVE-2021-28970
Author of Advisory:        Dr. Benjamin Hess, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

FireEye EX is an e-mail security appliance that detects and blocks
unwanted e-mails. Multiple appliances are controlled by a central
management unit (eMPS), primarily via a WebGUI.

The manufacturer describes the product as follows (see [1]):

"FireEye Email Security detects and blocks every kind of unwanted email,
especially targeted advanced attacks. Time and again, this solution has
proven itself capable of detecting corporate email threats in traffic
accepted as safe by other products."

Due to missing sanitization of user-controlled input, the central
management web application is vulnerable to SQL injection, which allows
an authenticated attacker to extract data from the underlying database.
Exploitation requires authorized access to the application, but low
privileges are sufficient. Considering this and the fact that such
appliances are usually placed in separate networks with restricted
access, the risk level is rated as "low".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The vulnerability can be triggered by logging on to the WebGUI of the
central management as an authenticated user and searching for processed
e-mails. It was successfully triggered with an active session for the
role "monitor", but there are further roles with access to the e-mail
search.
Multiple SQL injection vectors were identified for the search parameter
"job_id". The underlying database management system is PostgreSQL, and
the queries are executed as the database user "webui", which is not a
database superuser. Furthermore, stacked queries could not be achieved
within the testing time, so exploitation is limited to read access to
the database.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Sending the following GET request using the cookies of an active
session, for instance in the role "monitor", demonstrates the successful
exploitation:

https://targethost.com/cms/message_tracking/messages?sort=ASC&sort_by=1&offset=0
&num=25&search[url]=a&search[attachment]=a&job_id=

Here, "" is the URL-encoded version of the following string:

(SELECT (CASE WHEN () THEN 1 ELSE (SELECT 2364 UNION SELECT 3678) END))

The empty parentheses after "CASE WHEN" need to be replaced with a
suitable SQL condition to carry out a boolean-based blind attack. If the
condition is satisfied, the CASE expression yields the scalar 1 and the
status code 200 is returned. If not, the ELSE branch is evaluated: its
subquery returns two rows where a scalar is expected, PostgreSQL raises
an error, and the status code 500 is returned. Similarly, the parameter
can also be exploited via a time-based blind injection.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to the vendor, the vulnerability is fixed in version 9.0.3.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-01-27: Vulnerability discovered
2021-01-29: Vulnerability reported to manufacturer
2021-03-31: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Website for FireEye Email Security
    https://www.fireeye.com/products/email-security.html
[2] SySS Security Advisory SYSS-2021-006
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-006.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Benjamin Hess of SySS GmbH.

E-Mail: benjamin.hess@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Benjamin_Hess.asc
Key ID: 0x1331325C
Key Fingerprint: D73C 3C3D 746C 66C3 D0AE BED8 7FD5 638E 1331 325C

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1zw8PXRsZsPQrr7Yf9VjjhMxMlwFAmBkBDgACgkQf9VjjhMx
MlyRug/+NwtJbSVoeXiUsdwD546QvhGYj+EVTeLerqspZQLpEjFpY2Xa5+1xj+qp
eHWUOLJC3fA2IjfoO191RYv2MBfIXLtOjdfgNFZmmPk0+RZYH/YllHqTuKV51sCT
PXNsRAWV1BWqiWh1weVxBSEMx3t4icyySp0YW7xEXd065lLcSBOBqC9aOvD5UBx+
t0xLROSw08IFbFdwHMIqaV5JZiNRh8zhyD29ifsAoOcI8RIhnthhxjDGGFrr9O7F
d49Z0tvNw0+AldLjghANQCHQKMX2/3bIFI+s1n/KPfFlmR4vAaIUZXypkNJHNFpz
v4aA2T1cVsrnhIl0hsmk+qDpXYyRWfc+W/deTT30Kxj+ZTxoiS3TZtuSQ3SLAO63
uYdOVKY0M/8yngdFzUV4/XNHvTKWyzx72ieXB18xX4UFWFSH1L/4HPPAEoOGOhjv
Z/8IAR02z7Rgym8c6FfL+Hh+rOWO98RuhEaB7PEBeOFz5u/nuumkHDmoO5PknDoJ
Le5lhvWgENpnousXFj7h/kL6a0ULOOsXMDj7+ghNsxd6R3J7bb9PtwX7lZl/kLzH
mj8ahbpFUYMlj9Dfx35QYYJxgsHKtW6rHFKIZDEOvRtkMcvsaFhURpNdYHn8Ffcj
rV114KeGmL1xHOpCHQwINwNHmj1RxPvEHBAG6MRQLAT5huq3c90=
=BGF+
-----END PGP SIGNATURE-----