Technical Advisory: Multiple Vulnerabilities in Accellion File Transfer Appliance

Vendor: Accellion, Inc.
Vendor URL: http://www.accellion.com/
Versions affected: FTA_9_12_40, FTA_9_12_51, FTA_9_12_110,
    others likely
Systems Affected: Accellion File Transfer Appliance
Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust>
Advisory URL / CVE Identifier: TBD
Risk: Critical

Summary

The Accellion File Transfer Appliance (FTA) is an alternative to traditional email and FTP services for file transfers. It presents a web interface for users to send and receive files.

The Accellion FTA has a pre-authentication blind SQL injection vulnerability in versions FTA_9_12_110 and earlier. While the nature of the vulnerability and the end-of-life version of MySQL installed on the appliance do not allow for wholesale data extraction with currently known blind SQLi techniques, the database user permissions allow for retrieval of local files. This, used in conjunction with session identifiers being sent in URLs and multiple hard-coded encryption keys, allows admin sessions to be hijacked. From the administrator panel, backup restoration functionality can be abused to write a PHP webshell inside the webroot on devices running versions prior to FTA_9_12_40. In later versions, publicly known local code execution vulnerabilities in MySQL v4.0.15 can be exploited. In either case, the final step results in unprivileged external attackers achieving arbitrary remote code execution.

Location

/courier/security_key2.api, aid parameter

Impact

Unauthenticated attackers can execute arbitrary code on Accellion File Transfer Appliances with web server user privileges.

Details

The security_key2.api file does not properly parameterize database queries and includes the user-supplied parameter aid in SQL queries. The SQL query affected appears to be either an UPDATE or DELETE query based on interaction with the vulnerable endpoint, but due to the obfuscated nature of the code, it is unknown as of this writing where exactly the flaw occurs.
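The following is an added illustration and is not the appliance's code (the advisory notes the real code is obfuscated and the exact query is unknown). It shows the class of defect described above, an UPDATE whose WHERE clause is built by splicing the user-supplied aid value into the SQL text, next to the parameterized form of the same statement, using an in-memory SQLite table and a constructed sample schema in place of the appliance's MySQL database. The table name, column names and row values are assumptions made for the example.

```python
"""Illustrative example, not Accellion FTA code: the same UPDATE built by
string concatenation (the defect class reported for the aid parameter) and
with a bound parameter, run against a constructed in-memory SQLite table."""
import sqlite3


def make_db():
    # Constructed sample schema and rows standing in for the appliance database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transfers (aid TEXT PRIMARY KEY, status TEXT)")
    conn.executemany(
        "INSERT INTO transfers VALUES (?, ?)",
        [("A100", "pending"), ("A200", "pending"), ("A300", "pending")],
    )
    conn.commit()
    return conn


def mark_seen_vulnerable(conn, aid):
    # Defect: the request value is spliced into the SQL text, so a quote in
    # `aid` terminates the literal and rewrites the WHERE clause.
    cur = conn.execute(
        f"UPDATE transfers SET status = 'seen' WHERE aid = '{aid}'"
    )
    conn.commit()
    return cur.rowcount


def mark_seen_parameterized(conn, aid):
    # Fix: the value is bound as data; the statement structure cannot change.
    cur = conn.execute(
        "UPDATE transfers SET status = 'seen' WHERE aid = ?", (aid,)
    )
    conn.commit()
    return cur.rowcount


def rows_affected(fn, aid):
    # Runs fn against a fresh copy of the sample table and reports how many
    # rows it changed, so the two variants can be compared on equal input.
    return fn(make_db(), aid)


if __name__ == "__main__":
    for fn in (mark_seen_vulnerable, mark_seen_parameterized):
        print(fn.__name__,
              rows_affected(fn, "A100"),
              rows_affected(fn, "x' OR '1'='1"))
```

With a well-formed identifier both variants touch exactly one row; with a value containing a quote the concatenated statement updates every row while the parameterized one matches nothing, because the bound value is compared as a literal string. The same property holds for MySQL prepared statements (and PHP's mysqli/PDO bindings), which is the fix a code review of security_key2.api would ask for.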

The appliance uses MySQL v4.0.15, which lacks subquery support. As such, there is no currently known technique for wholesale extraction of data from the database. However, the root database user is used and has the ability to read local files; the contents of these files can be retrieved using the SQL injection vulnerability.

The ability to read files grants the capability to read the Apache access logs. Since the appliance also places session identifiers in URLs, attackers can retrieve session identifiers using this flaw. For administrative sessions, this is one of two authenticators used. The second authenticator is a cookie whose value is generated as follows:
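Two of the conditions above, a single vulnerable endpoint that takes the aid parameter and session identifiers carried in URLs, are visible in the Apache access log itself, which makes it a natural place to look for probing and for the tokens that should never have been logged. The following detection script is an added example, not part of the advisory and not Accellion's tooling; it scans Apache combined-format log lines for requests to security_key2.api whose aid value carries SQL metacharacters, and for any request that places a session identifier in the query string. The log lines are constructed for the example, and the query parameter names treated as session identifiers (`sid`, `session_id`) are assumptions, since the advisory does not name the FTA's real parameter.

```python
"""Added detection example (not from the advisory): scan Apache combined-format
access log lines for (a) requests to the security_key2.api endpoint whose aid
value carries SQL metacharacters and (b) requests that put a session identifier
in the URL, where it lands in the very log an attacker can read."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Characters and tokens that have no business in an opaque aid value.
SQL_META_RE = re.compile(
    r"""['";]|--|/\*|\b(or|and|union|select|sleep|benchmark)\b""", re.I
)

# Query parameter names treated as session identifiers. These are assumptions
# for the example; the FTA's real parameter name is not given in the advisory.
SESSION_PARAMS = {"sid", "session_id"}

# Constructed sample log lines (not real traffic); paths other than the
# advisory's endpoint are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2016:10:01:02 +0000] '
    '"GET /courier/security_key2.api?aid=1001 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Aug/2016:10:01:09 +0000] '
    '"GET /courier/security_key2.api?aid=1001%27 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Aug/2016:10:02:30 +0000] '
    '"GET /courier/main.html?sid=0123456789abcdef HTTP/1.1" 200 4096',
    'garbage line',
]


def parse_line(line):
    # Returns the fields we need, or None if the line is not in combined format.
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        "query": parse_qs(parts.query, keep_blank_values=True),
        "status": m.group("status"),
    }


def findings(line):
    # Labels for one log line; empty list means nothing suspicious.
    rec = parse_line(line)
    if rec is None:
        return ["unparseable"]
    out = []
    if rec["path"].endswith("/courier/security_key2.api"):
        # parse_qs decoded once; unquote again to catch double-encoded values.
        for value in rec["query"].get("aid", []):
            if SQL_META_RE.search(unquote(value)):
                out.append("sqli-probe")
                break
    if SESSION_PARAMS & set(rec["query"]):
        out.append("session-id-in-url")
    return out


def scan(lines):
    # Aggregates findings over many lines: {label: count}.
    counts = {}
    for line in lines:
        for label in findings(line):
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(findings(line), line[:70])
    print(scan(SAMPLE_LOG))
```

A match on the first rule is worth an alert on an unpatched appliance; hits on the second rule are a reminder that the access log is itself sensitive data on this product and should be restricted and rotated accordingly, since file reads through the injection are what turn logged session identifiers into an admin session.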

AES_cbc_encrypt(key=md5(session_id . manager_session_key), data=session_id)

The manager_session_key is hard-coded and can be retrieved from the appliance using the SQL injection flaw. Using these two authenticators, attackers can hijack active administrative sessions.

The administration console allows for backups in the form of encrypted .sql files to be restored. If the uploaded backup file bears the extension .bak, a hard-coded key is used to decrypt the backup file.

The SQL backup file can be thought of as a series of SQL commands to be run against the database as the root user. Since this user has permissions to interact with the local file system, attackers who have gained access to the administration console can use MySQL’s INTO OUTFILE commands to write files on the local file system.

In FTA versions prior to FTA_9_12_40, attackers can write a PHP webshell into /home/seos/courier/themes/templates/, which is writable by users in the nobody group and is accessible through the web server. An attacker can then invoke such a script by visiting a URL like the following:

https://accellion.example.com/courier/themes/templates/shell.php

In later FTA versions, known code execution vulnerabilities in MySQL v4.0.15, such as CVE-2005-0710, allow for arbitrary code execution.

Recommendation

Update to version FTA_9_12_130 released by Accellion to address these issues.

Vendor Communication

2016-07-14 - NCC Group emails Accellion asking for security contact address
2016-07-14 - NCC Group receives automated response from technical support system
2016-08-02 - NCC Group sends follow-up email asking for a secure method for
   sending full advisory details
2016-08-02 - Accellion technical support rep 'A' notes that technical support
   attachments are uploaded via HTTPS and stored using encryptfs
2016-08-02 - NCC Group asks for support portal credentials
2016-08-02 - Accellion rep 'A' provides support portal credentials
2016-08-02 - NCC Group uploads advisory document to support portal
2016-08-03 - Accellion rep 'A' notes that the findings are in an old version
   of the FTA product, version 9_12_51, and that the latest version, 9_12_110,
   has a number of security fixes which may address the issues. Accellion
   asks if NCC Group can try to recreate the findings on the latest version
2016-08-09 - NCC Group informs Accellion that no environment is currently available
   for testing as the findings were discovered during a limited time engagement
   with a client
2016-08-09 - Accellion rep 'A' asks how the vulnerabilities were discovered if no
   environment is available for testing, and notes that the advisory does
   not cite or credit earlier research which found similar bugs in the same
   endpoint, which it believes to be a duplicate of an issue already fixed
2016-08-09 - NCC Group notes that the provided advisory is a distinct bug, and
   that in the version tested, the bug Accellion references (CVE-2016-2351)
   is patched
2016-08-09 - Accellion rep 'A' reiterates that it considers the bug a duplicate
   issue and questions why the placeholder text in the vendor communication claims
   first contact on January 1st, when NCC Group first contacted Accellion technical
   support on July 14th, detailing the measures taken to fix CVE-2016-2351 in
   version 9_12_40
2016-08-10 - NCC Group asks Accellion rep 'A' if this is Accellion's position as a
   company, and if so, if it has objections to the advisory document being
   finalized and published
2016-08-10 - Accellion rep 'A' asks NCC Group for a draft of the document to be
   published and for a 30-day time window to review the document
2016-08-10 - Accellion rep 'B' directly emails the original bug
   discoverer, again questioning the placeholder text in the advisory draft
   document, referring to the reported bug as a duplicate, implying that
   the reported bug does not exist, and offering to set up a publicly
   accessible system NCC Group can use to prove the vulnerability exists
2016-08-10 - Accellion rep 'C' attempts to contact the original bug
   discoverer by phone regarding "a legal matter"
2016-08-11 - NCC Group responds to Accellion 'B' to clarify that the bug has been proven
   in an older version that was patched against CVE-2016-2351, and offers to
   attempt to recreate the findings against the previously offered environment.
   NCC Group assures Accellion that it will provide ample time to react to and patch
   the issue before publishing so long as Accellion wishes to coordinate in
   the disclosure process
2016-08-11 - Accellion 'B' apologizes for the confusion and provides a contact
   'D' who provides a test system running 9_12_110
2016-08-12 - Accellion 'D' confirms the presence of the reported vulnerabilities
   in version 9_12_110 and proposes fixes
2016-08-12 - NCC Group provides feedback on proposed fixes and asks for some
   clarifying details
2016-08-16 - Accellion 'D' responds with the requested information
2016-08-16 - NCC Group provides further guidance on fixes
2016-08-18 - Accellion 'D' asks NCC Group to test if the findings are fixed in the
   test environment, noting the environment has been patched to 9_12_130
2016-08-19 - Accellion publishes an FTA update, version 9_12_130, to its
   customers
2016-08-21 - Accellion 'D' asks for an update on the retesting efforts, and
   requests that NCC Group wait 45 days after the release of the patch, and
   provides a copy of the disclosure document to Accellion to allow for
   commentary before final publication
2016-08-22 - NCC Group agrees to the delay period, and to provide a final draft
   to Accellion to check for accuracy
2016-08-24 - Accellion 'D' provides credentials for the test system
2016-08-31 - NCC Group confirms the SQLi fix to Accellion 'D'
2016-09-09 - Accellion 'A' asks if Accellion can include a statement in our
   advisory and if we can extend the delay period
2016-09-12 - Accellion 'D' asks for an update on retesting
2016-09-13 - NCC Group confirms the backup vuln fix to 'D' and asks for further
   information on how MySQL user privileges were fixed
2016-09-15 - Accellion 'D' provides a dump of MySQL user privileges for the
   root user
2016-09-15 - NCC Group declines to further extend the delay period and informs
   'A' that we are already working with 'B' and 'D'
2016-09-27 - NCC Group notes that the MySQL root user should not be used for application
   tasks, and that the GRANT privilege can be used to overcome the disabled
   FILE privilege
2016-09-29 - Accellion 'D' acknowledges that the fix is a stopgap measure
   and that replacing the MySQL user is on the roadmap
2016-10-27 - NCC Group asks Accellion for an update
2016-10-31 - Accellion 'D' informs NCC Group that it published an update to its
   customers on August 19th
2016-12-09 - NCC Group informs Accellion that it is ready to publish and provides
   this document in its current state
2016-12-13 - Accellion 'D' replies, asking NCC Group to remove the hard-coded key
   values from the advisory, and to remove parts of the initial communication
   timeline before the vulnerability was validated
2016-12-13 - NCC Group agrees to remove the keys from the advisory document, but
   declines to remove entries from the communication timeline
2016-12-14 - Accellion 'D' asks for the timeline to be published in a
   less verbose format
2016-12-14 - NCC Group declines to change the timeline format, and provides the
   rationale behind the inclusion of a timeline of this format in advisory
   documents

Thanks to

HD Moore

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published date:  17 February 2017

Written by:  Daniel Crowley