Executive Summary

This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration entry.
Summary

Title: Proofpoint Protection Server contains multiple vulnerabilities

Information

Name: VU#790980
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor publication: 2011-05-02
Last vendor modification: 2011-05-02
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A
Environmental score: N/A
Impact sub score: N/A
Temporal score: N/A
Exploitability sub score: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS base score: 7.5
CVSS impact score: 6.4
CVSS exploit score: 10
Attack range: Network
Attack complexity: Low
Authentication: None required

Detail

Vulnerability Note VU#790980

Proofpoint Protection Server contains multiple vulnerabilities

Overview

Proofpoint Protection Server contains multiple vulnerabilities including authentication bypass, insufficient authorization checks, command injection, SQL injection, and directory traversal.

I. Description

Clear Skies Security's advisory states:

"Enduser Authentication Bypass
User-level access to the Proofpoint mail filter web interface can be obtained as any available user without providing the user’s login credentials.

Path Traversal Allows Access to System Files
Arbitrary files on the Proofpoint appliance can be obtained by manipulating a flaw in the web interface.

Proofpoint SQL Injection
A publicly accessible function in the Proofpoint interface is vulnerable to SQL Injection.

Proofpoint Command Injection
A function in the Proofpoint web interface can be manipulated into executing any command on the server.

Proofpoint Forced Browsing / Insufficient Page Authorization
Some administrative modules are accessible without authenticating with the application."

II. Impact

An attacker may be able to bypass authentication to the web interface, run system commands, or download arbitrary files.

III. Solution

Apply an Update

The following patches should be applied to the relevant versions.

  • Patch 1044 for versions 5.5.3, 5.5.4, and 5.5.5
  • Patch 1045 for version 6.0.2
  • Patch 1046 for versions 6.1.1 and 6.2.0

Restrict Access

Appropriate firewall rules should be implemented to restrict access to only legitimate users of the system.

Vendor Information

Vendor: Proofpoint
Status: Affected
Date Notified: 2011-03-02
Date Updated: 2011-05-02

References

http://www.clearskies.net/documents/css-advisory-css1105-proofpoint.php
https://support.proofpoint.com/article.cgi?article_id=338413

Credit

Thanks to Scott Miles of Clear Skies Security for reporting these vulnerabilities.

This document was written by Jared Allar.

Other Information

Date Public: 2011-05-02
Date First Published: 2011-05-02
Date Last Updated: 2011-05-02
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Severity Metric: 22.50
Document Revision: 14

Original Source

Url: http://www.kb.cert.org/vuls/id/790980

CWE : Common Weakness Enumeration

%     Id       Name
20 %  CWE-352  Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)
20 %  CWE-287  Improper Authentication
20 %  CWE-89   Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)
20 %  CWE-78   Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25)
20 %  CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type         Description   Count
Application                6

Open Source Vulnerability Database (OSVDB)

Id     Description

72170  Proofpoint Protection Server Unspecified Arbitrary Command Injection
Proofpoint Protection Server fails to sanitize certain unspecified input before use, which allows for the injection and execution of arbitrary commands. No further details have been provided.

72169  Proofpoint Protection Server Unspecified Admin Module Authentication Bypass
Proofpoint Protection Server contains an unspecified flaw that may allow a remote attacker to gain unauthorized access to some administrative modules.

72168  Proofpoint Protection Server Unspecified SQL Injection
Proofpoint Protection Server contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to an unspecified script not properly sanitizing user-supplied input. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

72167  Proofpoint Protection Server Unspecified Traversal Arbitrary File Access
Proofpoint Protection Server contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to an unspecified script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via an unspecified parameter. This directory traversal attack would allow the attacker to access arbitrary files.

72166  Proofpoint Protection Server User Mail Filter Interface Authentication Bypass
Proofpoint Protection Server contains a flaw related to the web interface failing to properly verify credentials before granting access to the mail filter interface, allowing a remote attacker to gain unauthorized access to a user's mail filter interface.
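The traversal entry above (OSVDB 72167, CWE-22) describes the weakness only in general terms: a script serving files from a restricted directory does not canonicalise the user-supplied name before opening it. The following Python is an added example, not code from Proofpoint, CERT/CC, Clear Skies Security or OSVDB. It shows the server-side containment check such a download handler should apply (resolve both the base directory and the requested path, then verify the result is still inside the directory) and a small access-log check that flags request targets containing a dot-dot segment once URL encoding is stripped. The `exports` directory layout, the `/download?file=` endpoint and the log lines are constructed for this example and are assumptions, not details from the advisory.

```python
"""Containment check for a user-supplied file name (CWE-22) plus a
traversal detector for access logs.  Added example, not the vendor's code."""
import os
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote


def resolve_within(base_dir, requested):
    """Return the canonical path for `requested` if it lies inside `base_dir`.

    `requested` is the parameter value as decoded once by the web layer.
    Both sides are canonicalised (`.`/`..` segments, symlinks and absolute
    paths resolved) before the containment test, so `../../etc/passwd`,
    `/etc/passwd` and a symlink that points outside the directory are all
    rejected with PermissionError rather than silently served.
    """
    base = Path(base_dir).resolve()
    # pathlib discards `base` when `requested` is absolute; resolve() then
    # yields a path that fails the containment test below.
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"path escapes {base}: {requested!r}")
    return candidate


def _fully_decode(value, rounds=3):
    """URL-decode until stable (bounded), so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


REQUEST_TARGET = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
DOTDOT_SEGMENT = re.compile(r"\.\.[/\\]")


def flag_traversal_requests(log_text):
    """Return (line_number, decoded_target) for log lines whose request
    target contains a dot-dot segment once URL encoding is stripped."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_TARGET.search(line)
        if not match:
            continue
        target = _fully_decode(match.group(1))
        if DOTDOT_SEGMENT.search(target):
            hits.append((number, target))
    return hits


# Constructed access-log sample; hosts, paths and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [02/May/2011:10:00:01 +0000] "GET /download?file=reports/may.csv HTTP/1.1" 200 512
203.0.113.7 - - [02/May/2011:10:00:02 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1804
203.0.113.7 - - [02/May/2011:10:00:03 +0000] "GET /download?file=%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 0
203.0.113.9 - - [02/May/2011:10:00:04 +0000] "GET /static/app.css HTTP/1.1" 200 2210
"""


def demo():
    """Build a throw-away `exports` tree (constructed data) and run the
    containment check against one benign and four hostile inputs."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "exports"
        (base / "reports").mkdir(parents=True)
        (base / "reports" / "may.csv").write_text("id,subject\n1,hello\n")
        os.symlink("/etc", base / "link-out")  # a link that escapes the tree
        cases = {
            "benign": "reports/may.csv",
            "dotdot": "../../etc/passwd",
            "absolute": "/etc/passwd",
            "encoded": unquote("..%2F..%2Fetc%2Fpasswd"),  # decoded once by the web layer
            "symlink": "link-out/passwd",
        }
        for name, requested in cases.items():
            try:
                path = resolve_within(base, requested)
                results[name] = path.relative_to(base.resolve()).as_posix()
            except PermissionError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
    print(flag_traversal_requests(SAMPLE_LOG))
```

The containment test compares resolved paths instead of rejecting `..` substrings, which is why absolute paths and symlinks that point outside the directory are caught as well. The log check decodes up to three times so a double-encoded `%252e%252e` is not missed; a hit on a request that returned 200 is the case worth investigating first.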