166 lines
No EOL
6.1 KiB
Text
166 lines
No EOL
6.1 KiB
Text
SEC Consult Vulnerability Lab Security Advisory < 20140716-3 >
|
|
=======================================================================
|
|
title: Multiple critical vulnerabilities
|
|
product: Bitdefender GravityZone
|
|
vulnerable version: <5.1.11.432
|
|
fixed version: >=5.1.11.432
|
|
impact: critical
|
|
homepage: http://www.bitdefender.com
|
|
found: 2014-05-22
|
|
by: Stefan Viehböck
|
|
SEC Consult Vulnerability Lab
|
|
https://www.sec-consult.com
|
|
=======================================================================
|
|
|
|
Vendor description:
|
|
-------------------
|
|
Bitdefender GravityZone lets enterprises control and protect the heterogeneous
|
|
environments of today. The solution combines highly optimized virtualization
|
|
aware security with leading detection technologies and a fresh, but proven,
|
|
architecture. It empowers administrators with features adapted to reduce the
|
|
daily security hassle and eliminate the need for point solutions with unified
|
|
protection across virtualized, physical, and mobile endpoints. Unlike other
|
|
solutions that bolt-on modules to an aging architecture, the GravityZone
|
|
Control Center dashboard has been designed specifically to unify monitoring
|
|
and security management in a single simple and accessible interface.
|
|
|
|
Source: http://download.bitdefender.com/resources/media/materials/business/en/datasheet-gravityzone-brief.pdf
|
|
|
|
|
|
Business recommendation:
|
|
------------------------
|
|
Attackers are able to completely compromise the Bitdefender GravityZone
|
|
solution as they can gain system and database level access.
|
|
Furthermore attackers can manage all endpoints.
|
|
|
|
The Bitdefender GravityZone can be used as an entry point into the target
|
|
infrastructure (lateral movement, privilege escalation).
|
|
|
|
It is highly recommended by SEC Consult not to use this software until a
|
|
thorough security review has been performed by security professionals and all
|
|
identified issues have been resolved.
|
|
|
|
|
|
Vulnerability overview/description:
|
|
-----------------------------------
|
|
1) Unauthenticated local file disclosure (Web Console, Update Server)
|
|
Unauthenticated users can read arbitrary files from the filesystem with the
|
|
privileges of the "nginx" operating system user. These files include
|
|
configuration files containing sensitive information such as clear text
|
|
passwords which can be used in further attacks.
|
|
|
|
Separate vulnerabilities affecting both Web Console and Update Server were
|
|
found.
|
|
|
|
|
|
2) Insecure service configuration / design issues
|
|
The MongoDB database which is offered via the network by default (TCP ports
|
|
27017, 28017) can be accessed using hardcoded credentials which can't be
|
|
changed. The overall system design requires the database to be accessible via
|
|
the network.
|
|
All relevant GravityZone configuration data can be accessed and changed. This
|
|
includes the user table.
|
|
|
|
Excerpt from the documentation describing the TCP port 27017:
|
|
"Default port used by the Communication Server and Control Center to access
|
|
the Database."
|
|
|
|
|
|
3) Missing authentication
|
|
Authentication is not required for certain scripts in the web UI. This
|
|
allows unauthenticated attackers to execute administrative functions without
|
|
prior authentication.
|
|
|
|
|
|
Proof of concept:
|
|
-----------------
|
|
1) Unauthenticated local file disclosure (Web Console, Update Server)
|
|
Arbitrary files can be downloaded via a vulnerable script:
|
|
https://<host>/webservice/CORE/downloadFullKitEpc/a/1?id=../../../../../etc/passwd
|
|
|
|
The Update Server is vulnerable to local file disclosure as well. Arbitrary
|
|
files can be downloaded using the following HTTP request:
|
|
|
|
GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
|
|
Host: <host>:7074
|
|
|
|
2) Insecure service configuration / Design issues
|
|
Attackers can connect to MongoDB on TCP ports 27017 and 28017 using the
|
|
following hardcoded credentials:
|
|
Username: <removed>
|
|
Password: <removed>
|
|
|
|
Detailed proof of concept exploits have been removed for this vulnerability.
|
|
|
|
3) Missing authentication
|
|
Authentication is not required for the following script:
|
|
/webservice/CORE/downloadSignedCsr (Unauthenticated certificate upload)
|
|
|
|
|
|
|
|
Vulnerable / tested versions:
|
|
-----------------------------
|
|
The vulnerabilities have been verified to exist in GravityZone 5.1.5.386,
|
|
which was the most recent version at the time of discovery.
|
|
|
|
|
|
|
|
Vendor contact timeline:
|
|
------------------------
|
|
2014-05-26: Sending responsible disclosure policy and requesting encryption
|
|
keys.
|
|
2014-05-26: Vendor responds providing encryption keys.
|
|
2014-05-26: Sending advisory and proof of concept exploit via encrypted
|
|
channel.
|
|
2014-05-26: Vendor confirms receipt.
|
|
2014-06-04: Requesting status update.
|
|
2014-06-14: Vendor provides status update. Update will be released "End of
|
|
June".
|
|
2014-06-26: Vendor provides status update. Update for issue #1 and #3 will
|
|
be released June 30. Update for issue #2 will be released at the
|
|
end of July.
|
|
2014-06-27: Requesting info about other affected products. Clarifying
|
|
disclosure of issue #2.
|
|
2014-07-09: Vendor confirms that update for issue #1 and #3 has been shipped
|
|
and KB article for issue #2 will be released.
|
|
2014-07-15: Requesting version numbers of affected products.
|
|
2014-07-16: SEC Consult releases coordinated security advisory.
|
|
|
|
|
|
|
|
Solution:
|
|
---------
|
|
Update to a more recent version of Bitdefender GravityZone _and_
|
|
implement mitigations for the issue #2.
|
|
|
|
More information can be found at:
|
|
http://www.bitdefender.com/support/how-to-configure-iptables-firewall-rules-on-gravityzone-for-restricting-outside-access-to-mongodatabase-1265.html
|
|
|
|
|
|
Workaround:
|
|
-----------
|
|
No workaround available.
|
|
|
|
|
|
Advisory URL:
|
|
-------------
|
|
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
|
|
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
SEC Consult Vulnerability Lab
|
|
|
|
SEC Consult
|
|
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
|
|
|
|
Headquarter:
|
|
Mooslackengasse 17, 1190 Vienna, Austria
|
|
Phone: +43 1 8903043 0
|
|
Fax: +43 1 8903043 15
|
|
|
|
Mail: research at sec-consult dot com
|
|
Web: https://www.sec-consult.com
|
|
Blog: http://blog.sec-consult.com
|
|
Twitter: https://twitter.com/sec_consult
|
|
|
|
EOF Stefan Viehböck / @2014 |