CVE-2022-43699 - Exploiting SSRF in OX App Suite Through Email Account Discovery

A serious Server-Side Request Forgery (SSRF) vulnerability, tracked as CVE-2022-43699, was discovered in the Open-Xchange (OX) App Suite before version 7.10.6-rev30. The flaw allows attackers to bypass security restrictions intended to protect the server from making dangerous network requests. The vulnerability hides in a particularly tricky code path: the *e-mail account discovery* function does not properly enforce the server's deny-list, leading to potential abuse by attackers who control DNS records.

This deep dive will explain how CVE-2022-43699 works, show you what makes it exploitable, and examine proof-of-concept code so you can understand the real-world risks. If you operate OX App Suite, you should absolutely read on.

The Vulnerability: SSRF in OX App Suite Email Discovery

OX App Suite is a popular collaboration and email platform. When users add a new email account, the Suite tries to help by automatically discovering the right IMAP/SMTP server settings for the given address. This “auto-discovery” feature works by making server-side HTTP requests to lookup records linked to the email’s domain.

What Went Wrong

Unfortunately, in versions before 7.10.6-rev30, the server does not respect the configured deny-list (i.e., a list of forbidden IPs like 127...1 or 169.254.x.x) during auto-discovery. This means an attacker can supply an e-mail address with a domain they control—say, attacker.com—and point that domain’s DNS to whatever host they want, including internal company servers.

The result? The OX App Suite server will make arbitrary requests on behalf of the attacker, potentially exposing sensitive data or services.

Example of Exploitation

Suppose you, the attacker, own evil.com. You set up DNS for a subdomain to point to the secret admin panel inside the target internal network (e.g., admin.secret.local). If OX App Suite is vulnerable, you can trick it into sending HTTP requests (or even IMAP/SMTP requests) to this internal host.

Control a Malicious Domain:

Register a domain like evil-attacker.com. Set up its DNS to resolve to an internal IP or resource inside the victim's private network.

Craft a Malicious Email Address:

Use an email address such as bob@evil-attacker.com when prompted to add a new account in OX App Suite.

Trigger Auto-Discovery:

Enter this email in the "Add Account" feature. OX App Suite’s discovery routine makes a “well-known” request based on the DNS for evil-attacker.com.

Server-Side Request:

The OX server, thinking it is contacting a legitimate external server, sends a request to the address evil-attacker.com, but per your DNS, this actually points to something like 10...100 (an internal admin tool).

Deny-List Skipped:

Because of CVE-2022-43699, any supposedly protected IP ranges are ignored—the server will happily try to connect.

Exploit Proof-of-Concept (PoC)

Below is a Python script that demonstrates the key concept. (This is not a full exploit, but models the kind of DNS manipulation attackers use.)

# Example PoC for DNS manipulation in SSRF
import dns.resolver

# The attacker controls 'evil-attacker.com'
# and makes it resolve to an internal IP address

domain = "evil-attacker.com"

# Attacker's DNS zone for 'evil-attacker.com':
# @  IN  A  127...1  (or to some internal host like 10...1)

# When OX App Suite auto-discovers an email such as bob@evil-attacker.com,
# it runs DNS queries like:

try:
    answers = dns.resolver.resolve(domain, 'A')
    for rdata in answers:
        print("Resolved IP Address:", rdata.address)
        # OX App Suite would now try to connect to this IP,
        # ignoring any deny-list protections
except Exception as e:
    print("DNS resolve failed:", e)

# In a real attack, the server would now issue an HTTP (or IMAP/SMTP) request
# to a forbidden internal host, thus leaking or attacking internal services.

If you run OX App Suite version before 7.10.6-rev30, you are likely vulnerable.

- Review your server logs for “email auto-discovery” requests resolving to internal IPs or suspicious domains.

Ensure the deny-list in your configuration is properly enforced and regularly updated.

- Use network controls (firewall rules) to block outbound traffic from the App Suite server to internal addresses and sensitive cloud metadata services.

Official References

- OX Security Advisory OXSA-2022-0018
- NVD Entry for CVE-2022-43699

Conclusion

CVE-2022-43699 is a classic example of how SSRF bugs often lurk in helpful “metadata” features (like email auto-discovery) and how skipping deny-lists can have serious consequences. If you manage OX App Suite, make sure you patch quickly and audit your discovery and request features for similar issues.

Always be wary when software accepts external input—even in something as innocent as an email address domain. Attackers can often twist it to their own ends.

Timeline

Published on: 04/15/2023 02:15:00 UTC
Last modified on: 04/24/2023 19:46:00 UTC