(2019/7/5) Reporting Critical and High CVEs that can Leak Sensitive Information from a Popular Official Document Editing System

Our Red Team has reported CVE-2019-11232andCVE-2019-11233, pointing out that a popular official document editing system has two major risks of leaking sensitive information. The risks can be categorized in OWASP TOP 10 2017 A3-Sensitive Data Exposure. Due to the wide range of affect, those are assigned with risks scores “9.8 Critical” and “7.5 High” from CVSS v3.0.

  • CVE-2019-11232allowing an attacker to access user passwords without being authenticated. The exposed passwords are either stored in plaintext or insecure MD5 format.
  • CVE-2019-11233allowing an attacker to access sensitive information without being authenticated. The exposed sensitive information includes emails, phone numbers, employee number, department info, etc.

Without being authenticated, an attacker can not only access to sensitive official documents with the exposed passwords, but also launch social engineering or APT campaigns with the exposed employee and organization information.

The vendor has released security updates after we reported the vulnerabilities to them. Thus, if you are using the mentioned official document editing system, please contact the vendor for patching ASAP.

CHT Security also recommend taking the following countermeasures:

  1. In the development process, make sure to perform privilege check before every function execution. Deny the access when the privilege is insufficient.
  2. Passwords shall be stored with salted hashing. That is, before storing passwords into database, the original password should be appended with a long random string(salt) then be hashed with multiple operations by secure hash algorithm (e.g. SHA-256).
  3. In recent years, the numbers and variations of malware are increasing, and the hacking techniques are changing with every minute. Enterprises can reduce the cybersecurity risks with systematic security testing by experienced security experts. It is recommended that enterprises should regularly conduct security tests, such as Source Code Security Analysis and Penetration Testing, to ensure the effectiveness of enterprise cybersecurity.