-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2024-013
Product: CI-Out-of-Office Manager
Manufacturer: ci solution GmbH
Affected Version(s): <= 6.0.0.77
Tested Version(s): 6.0.0.71, 6.0.0.75, 6.0.0.77
Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321)
                    Use of Weak Credentials (CWE-1391)
                    Insufficiently Protected Credentials (CWE-522)
                    Violation of Secure Design Principles (CWE-657)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2024-03-15
Solution Date: 2024-05-08
Public Disclosure: 2024-05-17
CVE Reference: CVE-2024-33849
Author of Advisory: Jürgen Zöller, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

CI-Out-of-Office Manager allows users to set out-of-office messages in
Outlook, Exchange and Microsoft 365.

The manufacturer describes the product as follows (see [1], translated
from German):

"The CI-Out-of-Office Manager is our comprehensive software solution for
standardizing out-of-office messages company-wide and controlling them
centrally."

Due to a weak, hard-coded key used to encrypt the password of a shared
service user in a global configuration file, the software is vulnerable
to account takeover.

The software manual instructs administrators during installation to add
this service user to the domain-administrative group "Administrators" in
order to use all software features[2], and to install the software on a
network share that is accessible to all domain users[3]. As a result,
any user with read access to that share can immediately take over the
connected Active Directory domain.

Even if the application is not granted full domain-administrative
rights, its service user still needs the "ApplicationImpersonation"
Exchange management role, which grants access to the mailboxes of all
connected users.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The software saves the credentials associated with its service user in
the XML file "ci-oof.xml" in the same folder as the executable. A regular
user has read access to this configuration file, as it is necessary for
the functioning of the application.

The option elements with the attributes "User" and "Password" are used
to store the credentials of the domain user in an encrypted format. The
values for the username and password are encrypted with AES using a
hard-coded key contained within the CI-Out-of-Office Manager executable
"ci-OOF.exe" and then Base64-encoded. The AES initialization vector (IV)
necessary for decrypting a value is stored as the first 16 bytes of the
Base64-decoded byte stream.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH developed a proof-of-concept software tool for recovering
cleartext values stored within the CI-Out-of-Office Manager
configuration file "ci-oof.xml".

> python3 decryptor.py 'GfHTCJR15I8vuQrn9xV22NsvM4CwaMGBoq0MfrqBH5mrcmV4lL+knJF5HdnwqfqP'
CI-Out-of-Office Manager Password Decryptor v1.0 by Jürgen Zöller - SySS GmbH (c) 2024
[+] Decrypted password: Sup3r_5ecr3t_P4ssw0rd!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Instead of the inherently unsafe use as a desktop client, CI-OOM should
only be used via the web interface[4]. Access to the configuration files
should be limited to administrators. The product manual was adjusted to
reflect this recommendation.

The standalone configuration (in which the application is used directly
from the share) remains vulnerable[5].
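As an added example (not part of the SySS advisory and not the vendor's code), the following Python script audits a ci-oof.xml-style file for the two conditions the advisory combines: credential attributes stored in the Base64(IV || AES ciphertext) layout described above, and a file that regular users can read. The element layout of the sample XML, the "Server" option and the User value are constructed assumptions; the Password value is the blob shown in the PoC output. Nothing is decrypted, and the permission check is the POSIX approximation of the share ACL the Solution section asks administrators to restrict.

```python
import base64
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

AES_BLOCK = 16

# Constructed sample in the style of ci-oof.xml. The element/attribute
# layout is an assumption: the advisory only states that option elements
# carry "User" and "Password" attributes holding Base64(IV || ciphertext).
# The Password value is the blob from the advisory's PoC output; the User
# value is synthetic (48 arbitrary bytes) so it has the same length profile.
SAMPLE_USER_BLOB = base64.b64encode(bytes(range(48))).decode()
SAMPLE_XML = f"""<settings>
  <option Name="Server" Value="exchange.example.invalid" />
  <option User="{SAMPLE_USER_BLOB}"
          Password="GfHTCJR15I8vuQrn9xV22NsvM4CwaMGBoq0MfrqBH5mrcmV4lL+knJF5HdnwqfqP" />
</settings>
"""


def split_blob(value):
    """Return (iv, ciphertext) if value matches the layout described in the
    advisory: Base64 text whose decoded form is a 16-byte IV followed by at
    least one whole AES block. Otherwise return None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, TypeError):
        return None
    if len(raw) < 2 * AES_BLOCK or len(raw) % AES_BLOCK != 0:
        return None
    return raw[:AES_BLOCK], raw[AES_BLOCK:]


def find_stored_credentials(xml_text):
    """List every option attribute that looks like an encrypted credential.
    Nothing is decrypted: the point is to locate what a share reader could
    collect, not to recover it."""
    findings = []
    for elem in ET.fromstring(xml_text).iter("option"):
        for attr in ("User", "Password"):
            value = elem.get(attr)
            if value is None:
                continue
            parts = split_blob(value)
            if parts is None:
                continue
            iv, ciphertext = parts
            findings.append({
                "attribute": attr,
                "iv_hex": iv.hex(),
                "ciphertext_blocks": len(ciphertext) // AES_BLOCK,
            })
    return findings


def others_can_read(path):
    """POSIX approximation of 'readable by regular users'. On a Windows
    share the equivalent check is the file ACL (icacls / Get-Acl)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_config(path):
    """Combine the two conditions the advisory relies on: credentials are
    stored in the file, and regular users can read it."""
    with open(path, "r", encoding="utf-8") as fh:
        creds = find_stored_credentials(fh.read())
    exposed = others_can_read(path)
    return {
        "credentials_found": len(creds),
        "readable_by_others": exposed,
        "at_risk": bool(creds) and exposed,
        "details": creds,
    }


def audit_sample(mode):
    """Write SAMPLE_XML to a temporary file with the given permission bits,
    audit it, clean up and return the audit result (demo helper)."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_XML)
        os.chmod(path, mode)
        return audit_config(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    # World-readable (share-like) versus restricted to owner/group.
    for mode in (0o644, 0o640):
        print(oct(mode), audit_sample(mode))
```

Run against the sample, the world-readable copy is reported as at risk with two credential attributes (each an IV plus two AES blocks, which matches the 22-character password in the PoC once padded), while the copy restricted to owner and group is not, even though the blobs are still present; the ACL restriction mitigates exposure but does not remove the hard-coded key, which is why the advisory recommends the web-interface deployment.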
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-03-12: Vulnerability discovered
2024-03-15: Vulnerability reported to manufacturer
2024-04-25: Communication regarding mitigations with manufacturer
2024-05-08: Documentation adjusted to recommend setup as web application
2024-05-17: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for CI-Out-of-Office Manager (German)
    https://www.ci-solution.com/produkte/oof-abwesenheitsassistent.html
[2] "Add the newly created user to the 'Administrators' group. (This is
    only required if forwarding is to be done via LDAP (Active
    Directory).)" (translated from German)
    German Handbook, Version 6.0.52, Page 11 of 93.
    https://www.ci-solution.com/fileadmin/downloads/ci-oof/handbuch.pdf
    (Downloaded on March 14, 2024, at 12 p.m.)
[3] "Since the CI-Out-of-Office Manager requires no installation, it is
    to be placed on a share, because ultimately all users can schedule
    appointments and should therefore have access to the share."
    (translated from German)
    German Handbook, Version 6.0.52, Page 12 of 93.
    https://www.ci-solution.com/fileadmin/downloads/ci-oof/handbuch.pdf
    (Downloaded on March 14, 2024, at 12 p.m.)
[4] Online documentation regarding setup of CI-OOM as web application
    (German)
    https://www.ci-solution.com/support/de/ci-oof/ci-oof-manager-6/ci-out-of-office-web-schnittstelle/
[5] Online documentation regarding the danger of using CI-OOM from a
    share (German)
    https://www.ci-solution.com/support/de/ci-oof/ci-oof-manager-6/konfig/sicherheit/
[6] SySS Security Advisory SYSS-2024-013
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-013.txt
[7] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Jürgen Zöller of SySS GmbH.
E-Mail: juergen.zoeller@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Juergen_Zoeller.asc
Key ID: 0xA55C06902A34886E
Key Fingerprint: F279 067D A805 F18E BB71 E876 A55C 0690 2A34 886E

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE8nkGfagF8Y67ceh2pVwGkCo0iG4FAmZCIK8ACgkQpVwGkCo0
iG60Dg//ZYZz4auJLtjVE1fGVTvx7ddAQhv5vunHjpVxL64ESAgrJz2izq0vuVgs
x7E/hdLKYTTsUdd7KR0FopemKhb7DI7boEi9j403CTFupOsSc34YLPEHPtJ2WsWC
DQVPR8/AkT4I5xJ2KBkIcHK43luhX7ZIicMz5GJF7ZRTsfVw1/9MyCw50xCv1Tt/
NTA4NKuncfLDSQ+bm4xl4pqJz6G36VQIvW7ozUwr0ZfC+pZo826WiaF7xDaOHgZw
6v9YcikeaNcNRFCHJtVD7cVodzYu/nqkPGXZYYxEqXBDtRA/nw0a7wYTI+sHUp09
Q/ilqvihGxtPCW0CCMuv4aN36HsrqATQfySIdX1VqJTaT2KqnjQ4eAcAr+t18aiF
WeHgcpI01RXVPYXt5f67vRkUf6/HcOd6+4M4+YwvC4c6WNfJbvOw7E0mMXz4KJoy
VCiEBcJ/BJXJBDZQxAkwEqvVFCCMdPjLrXepT7IZ4raqgSQskDscyBtR9/jIFC8Z
KbBIsYnocTwyWCQI6lsgfm7BIuCXc1IKPy+wd1Pts8sXxFuJURgnHsXavtB11ksH
5DzzktcibEGHg32zTQt/D3ZGOhoorK5yotzRm4AKKKXMWKhPmgVLlSO/JH72cV0w
aRjjkJIttV2YJ+SlocBGMiRPx6nSZ+KTq9v4Hcix/or7Qk0w79g=
=GV+E
-----END PGP SIGNATURE-----