CHT Security Discovered Multiple CVEs in Well-known Email System
CHT Security Red Team discovered multiple vulnerabilities(CVE-2019-15071、CVE-2019-15072、CVE-2019-15073) in a well-known email system. The email system has Cross-Site Scripting (XSS) and Open Redirect vulnerabilities. More than 40 organizations including government, education and financial sector are affected. Th vulnerabilities are briefly described as follows:
CVE-2019-15071：An attacker can perform cross-site scripting attacks prior to authentication. This vulnerability exists in multiple versions of the email system. The vulnerable page is "/cgi-bin/go". This vulnerability is classified in A7-Cross-Site Scripting (XSS) of OWASP TOP 10 2017.
CVE-2019-15072：Attackers can perform cross-site scripting attacks against arbitrary parameters. This vulnerability exists in multiple versions of the messaging system. The vulnerable page is "/cgi-bin/portal". This vulnerability is also classified in A7-Cross-Site Scripting (XSS) of OWASP TOP 10 2017.
CVE-2019-15073：Attackers can perform unverified forwarding and redirection prior to verification. This vulnerability exists in multiple versions of the email system. The vulnerable page is "/cgi-bin/go". This vulnerability is classified in CWE-601: URL Redirection to Untrusted Site (Open Redirect).
Email system is one of the core systems of an enterprise. Once hacked, all mail which may include identification and organization information can be leaked. Enterprises often overlook the criticality of email system since they usually use package software or subscribe to services.
Per the experience of our penetration test team, vulnerabilities in web-based email systems are often found. The XSS and Open Redirect in this case are common vulnerabilities that enable hackers to launch phishing or identity theft. Once hackers can grasp the email contents and the key persons, they can launch precise attacks like Business Email Compromise (BEC). According to FBI’s report in 2018, BEC scams had brought more than $12 billion losses globally.
The vendor has released related patches after receiving our report. If your organization or enterprise is using the affected e-mail system, it is recommended to contact the vendor for patching and updating as soon as possible.
CHT Security also recommend the following measures:
- Enterprise: Contact the vendor to install the patch as soon as possible. In addition to regularly updating the system, it is recommended that administrators can configure two-factor authentication to enhance login security and require enough strength for user passwords.
- Email system vendor: Implement input validation in the applications. It is recommended to adopt Secure Software Development Life Cycle (SSDLC), provide secure coding training, and regularly conduct security tests, such as Source Code Security Analysis and Penetration Testing, to effectively ensure product security for the clients.