CSS11-01: Proofpoint Protection Server Multiple Vulnerabilities
May 2, 2011
Background
The Proofpoint Enterprise Protection™ protects mission-critical email infrastructure from outside threats including spam, phishing, unpredictable email volumes, malware and other forms of objectionable or dangerous content before they hit the enterprise perimeter. (Source: http://www.proofpoint.com/products/enterprise-protection-email-security.php)
Summary
The Proofpoint Protection Server contains multiple vulnerabilities including authentication bypass, command injection, SQL injection, directory traversal, and insufficient authorization checks for authenticated pages.
Clear Skies Security tested the Proofpoint appliance in the course of performing a standard penetration test for a customer. Thorough testing of the appliance was not the goal of that project; this advisory is therefore not intended to enumerate all vulnerabilities in the appliance, and additional instances of the discovered vulnerability classes may well be present in other areas of the appliance interface.
Severity Rating
Rating: High Risk - CVSS 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Impact: Multiple Vulnerabilities
Where: Remote
Technical details
End-user Authentication Bypass
User-level access to the Proofpoint mail filter web interface can be obtained as any existing user without providing that user's login credentials.
Path Traversal Allows Access to System Files
Arbitrary files on the Proofpoint appliance can be read by exploiting a path traversal flaw in the web interface.
Proofpoint SQL Injection
A publicly accessible function in the Proofpoint interface is vulnerable to SQL injection.
Proofpoint Command Injection
A function in the Proofpoint web interface can be manipulated into executing arbitrary commands on the server.
Proofpoint Forced Browsing / Insufficient Page Authorization
Some administrative modules are accessible without authenticating to the application.
Threat Evaluation
An attacker can use these flaws to compromise the Proofpoint Protection Server and gain access to application data, configuration files, log files, and a shell on the appliance. Anyone who can send crafted requests to the web interface can exploit these vulnerabilities. Only minimal skill is required for all of the vulnerabilities except the authentication bypass. All of these findings can easily be incorporated into existing exploitation frameworks and security testing tools.
Identifying Vulnerable installations
Administrators can identify the version in use by opening the administration console and viewing the version displayed on the login page. Versions equal to or earlier than those listed in the Solution section below are vulnerable. Note that the version shown on the login page may not match the installed release (see Affected Software below), so confirm it from the console or the appliance itself where possible.
Detecting Exploitation
The web server log files may provide an indication that these vulnerabilities are being exploited. If other controls are in place, such as network traffic monitors, IDS/IPS, or web filters, they should be configured to alert and block on payloads containing path traversal, SQL injection and command injection attack patterns.
Affected Software
These vulnerabilities have been confirmed to affect the Proofpoint Protection Server. The version displayed on the web application login page (port 10000) is 6.0; however, once shell access was obtained, the following version string was observed:
Proofpoint Messaging Security Gateway 6.2.0.263:6.2.0.237
Solution
The vendor has released patches for affected versions to address these issues. Customers are strongly encouraged to apply the update as soon as possible. Refer to https://support.proofpoint.com/article.cgi?article_id=338413 (CTS username and password required) for upgrade instructions.
Recommended Workaround
Restrict access to the Proofpoint web application, especially the administrative functionality, with network ACLs and/or an additional layer of authentication such as a VPN. If an Intrusion Prevention System or Web Application Firewall is in place, it may be possible to configure blocking rules that match SQL statements, relative directory paths ("../") and null bytes (%00); apply them to the URL-decoded request, since these payloads are normally percent-encoded on the wire. Consider rejecting any parameter value containing characters outside the pattern [a-zA-Z1-9\.-\@]. Note that, as written, that class omits the digit 0, and most regex engines read the unescaped hyphen in \.-\@ as a range from '.' to '@' (which also admits '/', ':', ';', '<', '=', '>' and '?') rather than as a literal hyphen; if the intent is letters, digits, dot, hyphen and at-sign, [A-Za-z0-9.@-] expresses that unambiguously.
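The detection logic described under Detecting Exploitation (alerting on path traversal, null-byte, SQL injection and command injection patterns in web server logs) together with the character allow-list from the Recommended Workaround, as an added example. This is not part of the original advisory and is not Clear Skies Security's or Proofpoint's code. The log lines, URL paths and parameter names are constructed for the example and are not real Proofpoint endpoints; the allow-list is written as [A-Za-z0-9.@-], on the assumption that letters, digits, dot, hyphen and at-sign are the characters the advisory's pattern is meant to permit.

```python
"""Detection of the attack patterns named in this advisory, run over
constructed web-server log lines, plus the input allow-list from the
Recommended Workaround.  Example code added to this advisory; not Clear
Skies Security's or Proofpoint's.  Paths and parameter names are made up."""
import re
from urllib.parse import unquote

# Constructed combined-format log lines; the URL paths are not real
# Proofpoint endpoints, they only exercise the patterns below.
SAMPLE_LOG = """\
203.0.113.5 - - [02/May/2011:10:00:01 -0400] "GET /login?user=jdoe%40example.com HTTP/1.1" 200 512
203.0.113.6 - - [02/May/2011:10:00:02 -0400] "GET /view?file=../../../../etc/passwd%00.html HTTP/1.1" 200 1840
203.0.113.7 - - [02/May/2011:10:00:03 -0400] "GET /search?q=x%27%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 2048
203.0.113.8 - - [02/May/2011:10:00:04 -0400] "GET /tool?host=127.0.0.1;id HTTP/1.1" 200 96
203.0.113.9 - - [02/May/2011:10:00:05 -0400] "GET /view?file=report-2011.pdf HTTP/1.1" 200 7731
"""

# Client IP, timestamp, method, request target and status from one log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures for the payload classes the advisory tells IDS/IPS and WAF
# operators to alert and block on.  They run against the *decoded* target.
PATTERNS = {
    "path_traversal": re.compile(r'\.\./|\.\.\\'),
    "null_byte": re.compile(r'\x00'),
    "sql_injection": re.compile(
        r"(?i)'\s*(?:or|and)\b|\bunion\b\s+(?:all\s+)?select\b|;\s*(?:drop|insert|update|delete)\b"
    ),
    # Shell metacharacter followed by a word: ";id", "|| whoami", "$(id)".
    # A lone "&" is left out because it separates query parameters.
    "command_injection": re.compile(r'(?:;|\|{1,2}|&&|`|\$\()\s*\w'),
}


def classify_target(target):
    """Return the names of every signature that fires on a request target.

    The target is percent-decoded twice so that double-encoded payloads
    (%252e%252e%252f for ../) are not missed, which is the usual way these
    patterns are slipped past a naive string match.
    """
    decoded = unquote(unquote(target))
    return [name for name, rx in PATTERNS.items() if rx.search(decoded)]


def parse_log(text):
    """Scan log text and return (client_ip, raw_target, [signatures]) for each
    request that matches at least one signature."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        tags = classify_target(m["target"])
        if tags:
            hits.append((m["ip"], m["target"], tags))
    return hits


# Allow-list from the workaround.  Written as [A-Za-z0-9.@-] so that '.', '-'
# and '@' are literal members of the class and the digit 0 is permitted
# (assumption: that is what the advisory's [a-zA-Z1-9\.-\@] intends; with an
# unescaped hyphen between escaped characters most engines read \.-\@ as a
# range, which would also admit '/', ':', ';', '<', '=', '>' and '?').
ALLOWED_RE = re.compile(r'[A-Za-z0-9.@-]*')


def allowlist_ok(value):
    """True if every character of a parameter value is in the allow-list."""
    return ALLOWED_RE.fullmatch(value) is not None


if __name__ == "__main__":
    for ip, target, tags in parse_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {', '.join(tags)}")
    for v in ("jdoe@example.com", "../../etc/passwd"):
        print(f"allowlist_ok({v!r}) = {allowlist_ok(v)}")
```

The signatures are deliberately narrow so they can be tuned against real traffic; the point of decoding before matching is that a rule applied to the raw, percent-encoded request line will miss `%2e%2e%2f` and `%252e%252e%252f` entirely, which is also why the workaround's allow-list should be applied to the decoded parameter value rather than to the raw query string.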
The vendor has provided the following version and patch data:

Version                   Patch Number
5.5.3, 5.5.4 and 5.5.5    Patch 1044
6.0.2                     Patch 1045
6.1.1 and 6.2.0           Patch 1046
Vulnerability ID
United States Computer Emergency Readiness Team - VU#790980
http://www.kb.cert.org/vuls/id/790980
Time Table
2011-02-02 - Vendor notified.
2011-02-22 - Vendor released patched software.
2011-05-02 - Public notification.
Credits
Scott Miles, Clear Skies Security, identified these flaws.
Legal Notices
Disclaimer: The information in this advisory is believed to be accurate at the time of publishing and is subject to change without notice. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. The author is not liable for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Copyright © 2011 Clear Skies Security, LLC.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of Clear Skies Security. To reprint this alert, in whole or in part, in any medium other than electronic, please e-mail info (at) clearskies (dot) net for permission.