SSD Advisory – ZyXEL Enterprise Network Center and Vantage Centralized Network Management Multiple Vulnerabilities

Vulnerabilities Summary

The following advisory describes three (3) vulnerabilities found in ZyXEL Enterprise Network Center (version 1.3.218.61) and two (2) vulnerabilities found in ZyXEL Vantage Centralized Network Management (version 3.2).

The three vulnerabilities found in ZyXEL Enterprise Network Center (version 1.3.218.61) are:

  1. Directory traversal and Command injection vulnerabilities leading to Remote Command Execution
  2. “ShowIcon” Servlet file Parameter Directory Traversal
  3. FileDownloadServlet Request URI Directory Traversal Read Code Execution

The two vulnerabilities found in ZyXEL Vantage Centralized Network Management (version 3.2) are:

  1. FileDownloadServlet Directory Traversal
  2. GUIDownloadServlet Request URI Directory Traversal

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
SSD reported the vulnerabilities to ZyXEL back in June 2016.
Vendor response: “Regarding the security vulnerabilities you reported for our Vantage CNM, we were informed by HQ that there will be no further enhancements for the product, as we have a new product to replace it, called Cloud CNM. Further, the two provide almost equivalent features with exception to GUI and behavior.


SSD Advisory – dotCMS H2 Database Remote Code Execution

Vulnerabilities Summary
The following advisory describes an SQL injection in the dotCMS 3.6.0 H2 database that allows attackers to achieve remote code execution.

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
We contacted the vendor back in December 2016 and they responded with:
H2 is not a production DB for us. It is just for testing and trying out dotCMS. We do not support it in production or on public servers

Please note that since this vulnerability will not be fixed, default installations of dotCMS that don’t switch from H2 to some other database are vulnerable. In addition, the only warning found on the web site of dotCMS related to H2 is:
Important: H2DB should NOT be used for a production environment.

This warning doesn’t explain the lack of security that results from dotCMS using an H2 database.


SSD Advisory – Icewarp, AfterLogic and MailEnable Code Injection

Vulnerabilities Summary
The following advisory describes three (3) vulnerabilities in Icewarp, AfterLogic and MailEnable Webmails.

The three vulnerabilities found are:

  1. Afterlogic Webmail code injection
  2. Icewarp Webmail code injection
  3. MailEnable Webmail code injection

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor Responses
AfterLogic
AfterLogic has released a patch to address the vulnerability. We have no information on which version addresses this; we believe the latest version of AfterLogic includes patches for the vulnerability.

IceWarp
IceWarp has released a patch to address the vulnerability: version 11.4.0.

MailEnable
We notified MailEnable of the vulnerabilities back in November 2015; repeated attempts to re-establish contact and get an answer on the status of the patches for these vulnerabilities went unanswered. At this time there is no solution or workaround for these vulnerabilities.
