CVE-2022-43699 is a security vulnerability in Open-Xchange (OX) App Suite, versions before 7.10.6-rev30. It allows an attacker to perform Server-Side Request Forgery (SSRF) by crafting an email address whose host part the system misinterprets: an attacker who controls the DNS records of an external domain can thereby bypass any deny-lists in place.

References

This analysis is based on the original advisory in the Open-Xchange Security Bulletin and the CVE details as listed on the Official CVE Database.
- Open-Xchange Security Bulletin
- Official CVE Database Record

Exploit Details

The vulnerability is present in the email account discovery feature of OX App Suite. By default, when an email address is introduced into the system, it checks whether a mailbox is configured at the given domain. However, the system does not properly enforce the deny-list: it compares only the host part of the address, which the adversary chooses freely. Because the attacker also controls the DNS records of that host, the server-side request that follows can be directed at addresses the deny-list was meant to block, including hosts on the target's internal network.

Here is a simplified example of how an external attacker could exploit the OX App Suite:

*Step 1:* The attacker configures an external malicious domain, for example, attacker-domain.example. The attacker has full control over the DNS records of this domain.

*Step 2:* The attacker crafts an email address in the format victim@attacker-domain.example.

*Step 3:* The attacker introduces the crafted email address into the OX App Suite system.

*Step 4:* Due to the improper handling of the deny-list, OX App Suite follows the DNS records of the external malicious domain and sends a server-side request to an unintended target, potentially allowing unauthorized access and attacks on the internal network.

Code Snippet

Below is a simplified, hypothetical snippet illustrating the vulnerable account-discovery logic (it is not OX App Suite's actual code):

import java.util.List;
import java.util.Locale;

public class AccountDiscovery {
    private String userEmail;
    private String domain;
    private List<String> denyList;

    public AccountDiscovery(String userEmail, List<String> denyList) {
        this.userEmail = userEmail;
        this.denyList = denyList;
        this.domain = extractDomainFromEmail(userEmail);
    }

    // Host part after the last '@', lower-cased for the deny-list comparison
    private String extractDomainFromEmail(String userEmail) {
        int at = userEmail.lastIndexOf('@');
        if (at < 0 || at == userEmail.length() - 1) {
            throw new IllegalArgumentException("not an email address: " + userEmail);
        }
        return userEmail.substring(at + 1).trim().toLowerCase(Locale.ROOT);
    }

    public boolean isValidEmail() {
        // Improper handling of denyList: only the literal host name is compared,
        // so a name outside the list that resolves to a denied address passes
        if (!denyList.contains(domain)) {
            // Sends server-side request to domain
            return true;
        }
        return false;
    }
}

Suggested Mitigation

The official Open-Xchange Security Bulletin has advised updating to OX App Suite version 7.10.6-rev30 or later to address this vulnerability. Users are strongly advised to update their OX App Suite to the latest version available.

Moreover, it is important to audit and strengthen the deny-list mechanism to ensure proper handling of malicious domains and prevent unauthorized SSRF attacks.
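As an added illustration (not Open-Xchange's code, and written in Python rather than the Java of the snippet above), here is the flawed string-only check beside a hardened variant that resolves the host first and vets every answer before any request is sent. The DNS answers, the host names and the IP addresses are constructed stand-ins; attacker-domain.example is the hypothetical attacker-controlled name from the steps above.

```python
import ipaddress
from typing import Callable

# Constructed DNS answers standing in for the resolver so the example runs
# offline. attacker-domain.example is a hypothetical attacker-controlled name
# whose record points at an internal host, as described in the steps above.
FAKE_DNS = {
    "mail.example.org": ["1.2.3.4"],             # ordinary public host (constructed)
    "attacker-domain.example": ["10.0.0.5"],     # resolves into RFC 1918 space
    "dual.example": ["1.2.3.4", "127.0.0.1"],    # mixed public/loopback answers
}

def fake_resolve(host: str) -> list[str]:
    """Stand-in for socket.gethostbyname_ex(); returns [] for unknown names."""
    return FAKE_DNS.get(host, [])

def extract_domain(email: str) -> str:
    """Host part after the last '@', normalised; an IP literal in [] is allowed."""
    if "@" not in email:
        raise ValueError("not an email address")
    return email.rsplit("@", 1)[1].strip().lower().strip("[]")

def vulnerable_allows(email: str, deny_list: set[str]) -> bool:
    """The flawed check from the snippet: only the literal host name is compared."""
    return extract_domain(email) not in deny_list

def vet_target(email: str, deny_list: set[str],
               resolve: Callable[[str], list[str]] = fake_resolve) -> list[str]:
    """Return the addresses the discovery request may connect to, or [] when the
    host part or anything it resolves to is denied.  The caller should connect
    to these vetted addresses instead of resolving again, so a record that
    changes between check and use (DNS rebinding) cannot slip past the check."""
    domain = extract_domain(email)
    if domain in deny_list:
        return []
    try:                                   # an IP literal needs no lookup
        answers = [str(ipaddress.ip_address(domain))]
    except ValueError:
        answers = resolve(domain)
    for text in answers:
        ip = ipaddress.ip_address(text)
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified
                or str(ip) in deny_list):
            return []                      # one bad answer rejects the whole host
    return answers                         # [] when the name did not resolve
```

In production the resolver argument would be the real lookup, and the deny-list would hold both host names and address ranges; the point of returning the vetted addresses is that the connection is pinned to what was checked.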

Timeline

Published on: 04/15/2023 02:15:00 UTC
Last modified on: 04/24/2023 19:46:00 UTC