Technical Advisory: Multiple Vulnerabilities in Accellion File Transfer Appliance
Vendor: Accellion, Inc. Vendor URL: http://www.accellion.com/ Versions affected: FTA_9_12_40, FTA_9_12_51, FTA_9_12_110, others likely Systems Affected: Accellion File Transfer Appliance Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust> Advisory URL / CVE Identifier: TBD Risk: Critical
The Accellion File Transfer Appliance (FTA) is an alternative to traditional email and FTP services for file transfers. It presents a web interface for users to send and receive files.
The Accellion FTA has a pre-authentication blind SQL injection vulnerability in versions FTA_9_12_110 and earlier. While the nature of the vulnerability and the end-of-life version of MySQL installed on the appliance do not allow for wholesale data extraction with currently known blind SQLi techniques, the database user permissions allow for retrieval of local files. This, used in conjunction with session identifiers being sent in URLs and multiple hard-coded encryption keys, allows admin sessions to be hijacked. From the administrator panel, backup restoration functionality can be abused to write a PHP webshell inside the webroot on devices running versions prior to FTA_9_12_40. In later versions, publicly known local code execution vulnerabilities in MySQL v4.0.15 can be exploited. Either case, the final step results in unprivileged external attackers achieving arbitrary remote code execution.
/courier/security_key2.api, aid parameter
Unauthenticated attackers can execute arbitrary code on Accellion File Transfer Appliances with web server user privileges.
security_key2.api file does not properly parameterize database queries and includes the user-supplied parameter
aid in SQL queries. The SQL query affected appears to be either an UPDATE or DELETE query based on interaction with the vulnerable endpoint, but due to the obfuscated nature of the code, it is unknown as of this writing where exactly the flaw occurs.
The appliance uses MySQL v4.0.15, which lacks subquery support. As such, there is no currently known technique for wholesale extraction of data from the database. However, the
root database user is used and has the ability to read local files; the contents of these files can be retrieved using the SQL injection vulnerability.
The ability to read files grants the capability to read the Apache access logs. Since the appliance also places session identifiers in URLs, attackers can retrieve session identifiers using this flaw. For administrative sessions, this is one of two authenticators used. The second authenticator is a cookie whose value is generated as follows:
AES_cbc_encrypt(key=md5(session_id . manager_session_key), data=session_id)
manager_session_key is hard-coded and can be retrieved from the appliance using the SQL injection flaw. Using these two authenticators, attackers can hijack active administrative sessions.
The administration console allows for backups in the form of encrypted
.sql files to be restored. If the uploaded backup file bears the extension
.bak, a hard-coded key is used to decrypt the backup file.
The SQL backup file can be thought of as a series of SQL commands to be run against the database as the
root user. Since this user has permissions to interact with the local file system, attackers who have gained access to the administration console can use MySQL’s
INTO OUTFILE commands to write files on the local file system.
In FTA versions prior to FTA_9_12_40, attackers can write a PHP webshell into
/home/seos/courier/themes/templates/, which is writeable by users in the nobody group and is accessible through the web server. An attacker can then invoke such a script by visiting a URL like the following:
In later FTA versions, known code execution vulnerabilities in MySQL v4.0.15, such as CVE-2005-0710, allow for arbitrary code execution.
Update to version FTA_9_12_130 released by Accellion to address these issues.
2016-07-14 - NCC Group emails Accellion asking for security contact address 2016-07-14 - NCC Group receives automated response from technical support system 2016-08-02 - NCC Group sends follow-up email asking for a secure method for sending full advisory details 2016-08-02 - Accellion technical support rep 'A' notes that technical support attachments are uploaded via HTTPS and stored using encryptfs 2016-08-02 - NCC Group asks for support portal credentials 2016-08-02 - Accellion rep 'A' provides support portal credentials 2016-08-02 - NCC Group uploads advisory document to support portal 2016-08-03 - Accellion rep 'A' notes that the findings are in an old version of the FTA product, version 9_12_51, and that the latest version, 9_12_110, has a number of security fixes which may address the issues. Accellion asks if NCC Group can try to recreate the findings on the latest version 2016-08-09 - NCC Group informs Accellion that no environment is currently available for testing as the findings were discovered during a limited time engagement with a client 2016-08-09 - Accellion rep 'A' asks how the vulnerabilities were discovered if no environment is available for testing, and notes that the advisory does not cite or credit earlier research which found similar bugs in the same endpoint, which it believes to be a duplicate of an issue already fixed 2016-08-09 - NCC Group notes that the provided advisory is a distinct bug, and that in the version tested, the bug Accellion references (CVE-2016-2351) is patched 2016-08-09 - Accellion rep 'A' reiterates that it considers the bug a duplicate issue and questions why the placeholder text in the vendor communication claims first contact on January 1st, when NCC Group first contacted Accellion technical support on July 14th, detailing the measures taken to fix CVE-2016-2351 in version 9_12_40 2016-08-10 - NCC Group asks Accellion rep 'A' if this is Accellion's position as a company, and if so, if it has objections to the advisory document being finalized and published 2016-08-10 - Accellion rep 'A' asks NCC Group for a draft of the document to be published and for a 30-day time window to review the document 2016-08-10 - Accellion rep 'B' directly emails the original bug discoverer, again questioning the placeholder text in the advisory draft document, referring to the reported bug as a duplicate, implying that the reported bug does not exist, and offering to set up a publicly accessible system NCC Group can use to prove the vulnerability exists 2016-08-10 - Accellion rep 'C' attempts to contact the original bug discoverer by phone regarding "a legal matter" 2016-08-11 - NCC Group responds to Accellion 'B' to clarify that the bug has been proven in an older version that was patched against CVE-2016-2351, and offers to attempt to recreate the findings against the previously offered environment NCC Group assures Accellion that it will provide ample time to react to and patch the issue before publishing so long as Accellion wishes to coordinate in the disclosure process 2016-08-11 - Accellion 'B' apologizes for the confusion and provides a contact 'D' who provides a test system running 9_12_110 2016-08-12 - Accellion 'D' confirms the presence of the reported vulnerabilities in version 9_12_110 and proposes fixes 2016-08-12 - NCC Group provides feedback on proposed fixes and asks for some clarifying details 2016-08-16 - Accellion 'D' responds with the requested information 2016-08-16 - NCC Group provides further guidance on fixes 2016-08-18 - Accellion 'D' asks NCC Group to test if the findings are fixed in the test environment, noting the environment has been patched to 9_12_130 2016-08-19 - Accellion publishes an FTA update, version 9_12_130, to its customers 2016-08-21 - Accellion 'D' asks for an update on the retesting efforts, and requests that NCC Group wait 45 days after the release of the patch, and provides a copy of the disclosure document to Accellion to allow for commentary before final publication 2016-08-22 - NCC Group agrees to the delay period, and to provide a final draft to Accellion to check for accuracy 2016-08-24 - Accellion 'D' provides credentials for the test system 2016-08-31 - NCC Group confirms the SQLi fix to Accellion 'D' 2016-09-09 - Accellion 'A' asks if Accellion can include a statement in our advisory and if we can extend the delay period 2016-09-12 - Accellion 'D' asks for an update on retesting 2016-09-13 - NCC Group confirms the backup vuln fix to 'D' and asks for further information on how MySQL user privileges were fixed 2016-09-15 - Accellion 'D' provides a dump of MySQL user privileges for the root user 2016-09-15 - NCC Group declines to further extend the delay period and informs 'A' that we are already working with 'B' and 'D' 2016-09-27 - NCC Group notes that the MySQL root user should not be used for application tasks, and that the GRANT privilege can be used to overcome the disabled FILE privilege 2016-09-29 - Accellion 'D' acknowledges that the fix is a stopgap measure and that replacing the MySQL user is on the roadmap 2016-10-27 - NCC Group asks Accellion for an update 2016-10-31 - Accellion 'D' informs NCC Group that it published an update to its customers on August 19th 2016-12-09 - NCC Group informs Accellion that it is ready to publish and provides this document in its current state 2016-12-13 - Accellion 'D' replies, asking NCC Group to remove the hard-coded key values from the advisory, and to remove parts of the initial communication timeline before the vulnerability was validated 2016-12-13 - NCC Group agrees to remove the keys from the advisory document, but declines to remove entries from the communication timeline 2016-12-14 - Accellion 'D' asks for the timeline to be published in a less verbose format 2016-12-14 - NCC Group declines to change the timeline format, and provides the rationale behind the inclusion of a timeline of this format in advisory documents
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date:  17 February 2017
Written by:  Daniel Crowley