Multiple vulnerabilities in CTERA Portal

SEC Consult Vulnerability Lab Security Advisory < 20130605-0 >

=======================================================================

title: Multiple vulnerabilities in CTERA Portal

product: CTERA Portal

vulnerable version: 3.1

fixed version: 3.2

impact: Critical

homepage: www.ctera.com

found: 2013-02-04

by: Stefan Streichsbier

SEC Consult Vulnerability Lab

=======================================================================

 

Vendor description:

-------------------

CTERA Portal is a scalable cloud service delivery platform that enables the

creation, delivery and management of cloud storage applications, including

file sharing and sync, backup, and mobile collaboration.

 

Full details:

www.ctera.com/products/products/ctera-portal-cloud-storage-delivery

 

 

Business recommendation:

------------------------

By exploiting the XXE vulnerability, an unauthenticated attacker can get full

read access to the filesystem of CTERA portal as root user and thus obtain

sensitive information such as the root password hash from the /etc/shadow

file, which, after being cracked in a short time, was revealed to be quite

simple and presumably the same for all CTERA Portal installations.

Furthermore, by default it is possible to login as the root user using SSH,

which potentially allows attackers to fully take over unsecured CTERA Portal

installations.

 

 

The recommendation of SEC Consult is to immediately upgrade to version 3.2

and secure the SSH service by only allowing public key authentication.

 

 

Vulnerability overview/description:

---------------------------------------------

1.) Outdated Tomcat Version

 

The installed version of tomcat is outdated and several vulnerabilities are

publicly known for it.

 

2.) Bypass of Temporary Account Locking

 

The main login functionality provides a security feature that temporarily

locks the account after 5 failed authentication attempts. This can be

bypassed by using the WEBDAV functionality which relies on HTTP Basic

Authentication.

 

3.) Permanent Cross Site Scripting

 

The webdav functionality allows embedding of Javascript code in file names.

This can be misused to e.g. upload a file with a specifically crafted filename

to a public shared folder that becomes accessible for each user of a certain

group. If any other user accesses this shared public folder over the web

interface that specific user account can be taken over.

 

4.) XML External Entity Injection

 

The used XML parser is resolving XML external entities which allows attackers

to read files and send requests to systems on the internal network

(e.g port scanning). The risk of this vulnerability is dramatically

increased by the fact that it can be exploited by anonymous users without

existing accounts and that the Tomcat server and thus the XML parser is

running as root user. Attackers are able to read the root password hash from

/etc/shadow and crack it within minutes. If the default SSH service

configuration has not been secured, attackers can subsequently login to the

CTERA portal via SSH as the root user and fully take over control of the

system.

 

 

Proof of concept:

-----------------

Due to the potential impact, no proof-of-concepts are disclosed.

 

 

Vulnerable / tested versions:

-----------------------------

3.1

 

 

Vendor contact log:

------------------------

2013-02-26: Affected client sent report with vulnerability descriptions to

vendor.

2013 March-May: Vulnerabilities have been analysed and a timeline for

releasing patches has been scheduled. First round of patches has been

published.

2013-06-05: SEC Consult releases coordinated security advisory.

 

 

Solution:

---------

Upgrade to version 3.2 and configure public-key-only authentication for SSH.

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

 

SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

 

Headquarter:

Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

Secure your WordPress with MVIS Security Center!

www.sec-consult.com/en/Portfolio/Services/MVIS-Security-Center.htm

 

EOF Stefan Streichsbier / @2013