CHT Security Discovered a Pre-Auth SQL Injection in Well-known Email System

CHT Security Red Team discovered a Pre-Auth SQL Injection vulnerability (CVE-2020-3922) in a well-known email system. More than 20 organizations, including entities in the government, education and financial sectors, are affected. The vulnerability is briefly described as follows:


CVE-2020-3922: The vulnerability allows remote attackers to execute arbitrary SQL commands through the bkimage parameter without authentication. An attacker can read data they are not authorized to see, such as users' account names and passwords, and use them to log in to the webmail interface; once inside a victim's account, the attacker can change its password. Depending on the privileges of the database account, the attacker can also write arbitrary files, such as a webshell, to the target system. The vulnerability therefore compromises the confidentiality, integrity and availability of both the data and the system. It falls under A1:2017-Injection in the OWASP Top 10 2017.


Impact

The email system is one of the core systems of an enterprise. Once it is compromised, emails, which may contain personal data and internal organizational information, can be leaked. Enterprises often overlook the criticality of the email system because it is usually packaged software or a subscribed service rather than something they build and operate themselves.


Known Affected Software

  • versions before 2017

The vendor released patches after receiving our report. If your organization is using the affected email system, contact the vendor for the patch and update as soon as possible.


Recommendations

CHT Security also recommends the following measures:

  1. Enterprise: Contact the vendor and install the patch as soon as possible. Beyond keeping the system regularly updated, administrators should enable two-factor authentication to strengthen login security and enforce a password policy that requires sufficiently strong user passwords.
  2. Email system vendor: Store passwords as salted hashes, using a deliberately slow password-hashing function such as PBKDF2, bcrypt, scrypt or Argon2, rather than in plain text, so that a database leak does not directly expose credentials. Prevent injection by using parameterized queries (prepared statements) for all database access, with server-side input validation as a second layer. Adopt a Secure Software Development Life Cycle (SSDLC), provide secure coding training, and regularly conduct security tests such as source code security analysis and penetration testing to ensure product security for clients.
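The injection path described in the CVE-2020-3922 entry above and the vendor-side fixes in item 2, as an added illustration that is neither the vendor's code nor the proof of concept used by CHT Security: the query shape, the table and column names (`images`, `users`, `username`, `password`) and the idea of an unauthenticated background-image lookup behind the parameter are assumptions; only the parameter name `bkimage` comes from the advisory. The block runs offline on an in-memory SQLite database with constructed sample data and shows a UNION payload turning the image lookup into a dump of the account table, the same lookup with a bound parameter where the payload is inert, and salted PBKDF2 hashing so that even a successful dump does not yield login passwords.

```python
"""Added illustration for this advisory (not the vendor's code and not the
exploit used by CHT Security).  Table and column names, the query shape and
the 'background image' lookup are assumptions; only the parameter name
``bkimage`` comes from the advisory.  Runs offline on in-memory SQLite with
constructed sample data."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, slow password hash (what recommendation 2 asks for instead of plain text)."""
    if salt is None:
        salt = os.urandom(16)          # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(stored, candidate):
    """Recompute with the stored salt/iterations and compare in constant time."""
    _algo, iters, salt_hex, _digest = stored.split("$")
    recomputed = hash_password(candidate, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(recomputed, stored)


def make_db(hashed=False):
    """Constructed sample data: a public image table and the webmail account table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE images (name TEXT, path TEXT)")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO images VALUES (?, ?)",
                    [("default", "/img/bg1.png"), ("blue", "/img/bg2.png")])
    accounts = [("alice", "Summer2016!"), ("bob", "hunter2")]
    if hashed:
        accounts = [(u, hash_password(p)) for u, p in accounts]
    con.executemany("INSERT INTO users VALUES (?, ?)", accounts)
    return con


def lookup_image_vulnerable(con, bkimage):
    """Assumed pre-auth handler: the request parameter is concatenated into SQL."""
    sql = "SELECT path FROM images WHERE name = '" + bkimage + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_image_safe(con, bkimage):
    """Same lookup with a bound parameter: the value is data, never SQL."""
    return [row[0] for row in con.execute(
        "SELECT path FROM images WHERE name = ?", (bkimage,))]


# UNION payload: closes the string literal, appends the account table to the
# result set, and comments out the handler's trailing quote.
PAYLOAD = "x' UNION SELECT username || ':' || password FROM users -- "


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, plain-text passwords:", lookup_image_vulnerable(con, PAYLOAD))
    print("parameterized, same payload:     ", lookup_image_safe(con, PAYLOAD))
    con = make_db(hashed=True)
    print("vulnerable, salted hashes:       ", lookup_image_vulnerable(con, PAYLOAD))
```

With plain-text storage the vulnerable handler returns every account and password in one request, which is the "gain unauthorized data ... for login into webmail" step in the advisory. The parameterized handler returns nothing for the same input because the payload is compared as a literal image name. With salted hashes the injection still leaks the table, but the attacker now has to brute-force each hash separately, which is why recommendations 1 (strong passwords, two-factor authentication) and 2 (salted hashing, parameterized queries) are complementary rather than alternatives.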