CVE-2017-15044: DocuWare FullText Search - Incorrect Access Control vulnerability

Severity: High

------------------------------------------

Vendor:

DocuWare Europe GmbH
Therese-Giehse-Platz 2
82110 Germering
Germany

------------------------------------------

Description:

The default installation of the DocuWare FullText Search server allows remote users to connect to the embedded Solr service and download or modify all searchable text, bypassing the access control features of the DocuWare user interfaces and API.

The vulnerability can be exploited remotely, and allows both escalation of privileges and information disclosure.

------------------------------------------

Additional Information:

Based on the manual at http://help.docuware.com/en/#b57870t49903n78031 the default behaviour of DocuWare is as follows:

"This shows the URL and the address of the Tomcat server that you are using for the full text in DocuWare. The URL of the connection set up by the system by default is "http://<hostname>:9013"."

This default behaviour binds the embedded Solr server to the external network interface of the machine, and exposes all data to any HTTP client able to connect, without access control or data security.

While the manual makes reference to port 9013, the vulnerability was discovered in a server bound to port 9012 instead.

------------------------------------------

Mitigation:

To mitigate the issue, modify the server.xml file in the embedded Tomcat server that hosts DocuWare FullText Search, and add address="localhost" to the Connector entries as follows:

--- server.xml-orig 2017-11-19 22:33:55.049241032 +0200
+++ server.xml 2017-11-19 22:33:19.307923621 +0200
@@ -66,7 +66,7 @@
 APR (HTTP/AJP) Connector: /docs/apr.html
 Define a non-SSL HTTP/1.1 Connector on port 8080
 -->
- <Connector port="9012" protocol="HTTP/1.1"
+ <Connector port="9012" address="localhost" protocol="HTTP/1.1"
 connectionTimeout="20000"
 redirectPort="8443" />
 <!-- A "Connector" using the shared thread pool-->
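Review bot: Binding the port 9012 Connector to localhost also cuts off legitimate clients that reach it by hostname: the manual quoted above shows DocuWare configured with a full-text URL of the form http://<hostname>:9013, so any DocuWare component that connects through the machine's hostname or external IP, or from a separate application server, will lose its connection once this line is applied. The DocuWare full-text URL should be switched to http://localhost:<port> at the same time and the service restarted and verified. Minor: the context comment still reads "Connector on port 8080" while the element uses 9012; worth correcting so the next reader does not look for a second connector.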
@@ -88,7 +88,7 @@
 -->
 <!-- Define an AJP 1.3 Connector on port 8009 -->
- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
+ <Connector port="8009" address="localhost" protocol="AJP/1.3" redirectPort="8443" />
 <!-- An Engine represents the entry point (within Catalina) that processes

For more complex deployments where limiting the client to localhost is not an option, see the Apache Tomcat manual on valve configuration as follows:

https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Access_Control

While placing the DocuWare FullText Search server behind a firewall may have offered some mitigation against this vulnerability, care must be taken to ensure that:

- The firewall blocked ports 9012/9013 and 8009;
- From the internet; and
- From users inside a corporate or internal network; and
- From other server machines, routers and any other devices that share the same network as DocuWare FullText Search.

It is prudent to assume that a typical firewall installation does not follow all of the requirements above, and to assume that all installations are therefore potentially vulnerable.

------------------------------------------

Vulnerability Type:

Incorrect Access Control.

------------------------------------------

Affected Product Code Base:

DocuWare - 6.9

Appears to affect all versions in v6.x, including the most recent 6.11.

------------------------------------------

Affected Component:

DocuWare FullText Search

------------------------------------------

Attack Vectors:

To exploit the vulnerability, the attacker needs to point a web browser at the embedded DocuWare FullText Search server Solr application on the exposed port (9012/9013) and path (/solrt). Alternatively, port 8009 exposes the same service via the AJP protocol. Configure a reverse proxy to translate AJP into HTTP and use a web browser to view the data as described above.
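Review bot: In the AJP hunk (port 8009), address="localhost" is the minimum change; if no local reverse proxy or other AJP client in the deployment actually uses port 8009, the safer edit is to remove or comment out that Connector entirely, since the advisory itself states that AJP exposes the same Solr data as the HTTP connector and a listener nothing needs is only attack surface. After either change, confirm with a socket listing (netstat or ss) that 9012 and 8009 are bound only to 127.0.0.1 or ::1.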
The full contents of the DocuWare FullText Search server can be browsed, downloaded, modified or deleted using the Solr administration interface.

------------------------------------------

References:

https://www.docuware.com/document-management-products-and-services/docuware-premises
http://help.docuware.com/en/#b57870t49903n78031

------------------------------------------

Disclosure Timeline:

2017-09-30: Vendor disclosure.
2017-10-05: CVE issued.
2017-10-24: Vendor acknowledgement of the security hole with DocuWare internal bug number 203945, but no commitment for a fix: "Therefore we can’t specify any date or timeframe on which you can expect the problem to be fixed I’m afraid."
2017-10-25: Request for an arrangement for coordinated disclosure, request escalated internally, however request ignored.
2017-11-03: Second request for an arrangement for coordinated disclosure, request escalated internally again, however request ignored again.
2017-11-20: Full disclosure with details of mitigation.

------------------------------------------

Discoverer:

Graham Leggett <minfrin sharp fm>
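As an added defender-side check for the Mitigation section above (example code, not part of the advisory or of DocuWare), the following script audits a Tomcat server.xml and reports every Connector that is not restricted to a loopback address, which is exactly the condition the address="localhost" change removes. The two server.xml fragments are constructed samples that mirror the before/after Connector entries in the patch.

```python
# Added example (not part of the advisory): audit a Tomcat server.xml for
# Connector elements reachable on non-loopback interfaces. Tomcat listens on
# all interfaces when the address attribute is absent, which is the exposed
# default this advisory describes.
import ipaddress
import xml.etree.ElementTree as ET

# Names/addresses that keep a Connector off the external interface.
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


def is_loopback(address):
    """True if the Connector address attribute restricts listening to loopback."""
    if address is None:
        return False            # Tomcat default: bind to all interfaces
    address = address.strip()
    if address in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(address).is_loopback   # e.g. 127.0.0.2
    except ValueError:
        return False            # unknown hostname: treat as exposed


def audit_server_xml(xml_text):
    """Return (port, protocol, address) for each Connector not bound to loopback."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        addr = conn.get("address")
        if not is_loopback(addr):
            findings.append((conn.get("port"), conn.get("protocol", "HTTP/1.1"), addr))
    return findings


# Constructed samples mirroring the advisory's before/after Connector entries.
VULNERABLE = """<Server><Service name="Catalina">
  <Connector port="9012" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

HARDENED = """<Server><Service name="Catalina">
  <Connector port="9012" address="localhost" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
  <Connector port="8009" address="localhost" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        for port, proto, addr in audit_server_xml(text):
            print(f"{name}: port {port} ({proto}) listens on {addr or 'all interfaces'}")
```

Run it against the real server.xml (ET.parse(path).getroot() in place of fromstring) after applying the patch; an empty result means every Connector is loopback-only.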