Missing Certificate Validation & User Enumeration in Anveo Mobile App and Server

Title

Missing Certificate Validation & User Enumeration

Product

Anveo Mobile App and Server

Vulnerable Version

Mobile App: 10.0.0.359 / 2016-07-13; Server: 11.0.0.5

Fixed Version

-

CVE Number

-

Impact

medium

Homepage

https://www.anveogroup.com/en/mobile-apps-for-dynamics/

Found

28.05.2023

By

Daniel Hirschberger (Office Bochum) | SEC Consult Vulnerability Lab

The Anveo Mobile App (Windows version) does not validate server certificates and therefore enables man-in-the-middle attacks. The Anveo Server is also vulnerable against user enumeration because of different error messages for existing vs. non-existing users. The vendor was unresponsive and did not reply to our communication attempts and even deleted our comment to request a contact on LinkedIn, see the timeline section further below.

Vendor description

"Create your own individual Mobile App with Anveo. Our base, out of the box solutions offer many useful functions, and can be flexibly adapted to your requirements: the Anveo Service App, Anveo Sales App, and Anveo Delivery App. You are looking for a mobile App for a different scenario? Not a problem with the Anveo Mobile App Builder! Thanks to the toolkit character of the solution, configuration of a completely new, custom App is simple."

Source: https://www.anveogroup.com/en/mobile-apps-for-dynamics/


Business recommendation

The vendor was unresponsive and did not reply to our communication attempts and even deleted our comment to request a contact on LinkedIn, see the timeline section further below.

There is no solution known to us for this security issue. In case you are a customer of Anveo, request an update from them about the issue. Furthermore, an in-depth security analysis performed by security professionals is highly advised, as the software may be affected from other security issues.


Vulnerability overview/description

1) Missing Certificate Validation

The Windows application was tested which does not perform certificate validation and is therefore vulnerable to man-in-the-middle attacks which might allow an attacker to gain access to sensitive data.

2) User Enumeration

The login is vulnerable to user enumeration because the error message for a non-existent user differs from the error message when a user exists. This allows an attacker to perform targeted brute-force attacks and potentially take over other user accounts.

Proof of concept

1) Missing Certificate Validation

The application does not validate the server certificate. To verify this, a new self-signed certificate was created with the openssl commandline tool.

Afterwards, an openssl server was spawned with netcat:

[ POC removed]

When adding a new account in the application with the IP and port of this server, a connection is attempted. Now a special string has to be sent from the netcat listener to the client.

As a response, the client tries to authenticate against the server with the username and password:

The part between <EOS> and <EOSC> can be base64-decoded and decompressed with zlib which yields the following output:

[ POC removed ]

The "PW" Parameter contains the base64-encoded password, in this case "unknown".


2) User Enumeration

When a non-existent user tries to login, the error message shows "Cannot find user". When a valid username but a wrong password is submitted, the server responds with "Username or password is not correct".

Vulnerable / tested versions

The following version has been tested:

  • Application version 10.0.0.359 / 2016-07-13 (the Windows version was tested)

The vendor did not respond to our communication attempts, hence it is unknown whether further versions are affected as well.


Vendor contact timeline

2023-06-12 Contacting vendor through email info@AnveoGroup.com, Asking for security contact, no response
2023-06-26 Contacting vendor through same email again, no response.
2023-07-24 Contacting vendor through technical support email support@AnveoGroup.com, Asking for security contact again, no response.
2023-09-15 Contacting vendor again through info@AnveoGroup.com, support@AnveoGroup.com and datenschutz@AnveoGroup.com. Ticket got automatically created, but no response.
2023-09-19 Posted a message/comment on LinkedIn at Anveo Group to contact us. Besides a few profile views from employees (Team Lead Anveo Mobile App, Social Media Marketing, CEO) no response. Our comment then got deleted by Anveo Group. Comment: "Hi Anveo Group, we have been trying to reach your company since June through our responsible disclosure process as we have identified some security issues in your products. We never received any response via multiple email addresses (found on your website). Could you please get in touch with us and provide us with a person responsible for security? Thank you!"
2023-09-20 Contacting third party whether they received a patch; no response.
2023-10-09 Contacting again; no response.
2023-10-23 Contacting again; no response.
2023-11-17 Final attempt, asked third party for info again, tried to contact "support@anveogroup.com" through ticket again. No response from vendor, but third party replied, that they also did not receive any response from Anveo.
2023-11-28 Public release of security advisory.

Solution

The vendor was unresponsive and did not reply to our communication attempts and even deleted our comment to request a contact on LinkedIn, see the timeline section.

There is no solution known to us for this security issue. In case you are a customer of Anveo, request an update from them about the issue. Furthermore, an in-depth security analysis performed by security professionals is highly advised, as the software may be affected from other security issues.

Workaround

None

Advisory URL

https://sec-consult.com/vulnerability-lab/

EOF Daniel Hirschberger / @2023

 

Interested to work with the experts of SEC Consult? Send us your application

Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices

Back