Swascan Offensive Security Team has identified Information Disclosure vulnerabilities on the digital assets of MicroFocus Filr Appliance 3.0 (build 4670).
The vulnerability was identified during a penetration test for a customer that exposes the Filr application. With administrator credentials available, we were able to view the LDAP configuration password in clear text in one of the application's responses. The Technical summary chapter describes all the steps to reproduce this vulnerability.
The patch, released on May 19, 2023, is available. Update your appliance with this most recent release.
Micro Focus (OpenText)
Micro Focus is a global software and IT services company that provides solutions for enterprise applications, hybrid IT management, security, risk management, and analytics. With a diverse portfolio of software products and consulting services, Micro Focus assists organizations in modernizing their IT systems and optimizing business processes. The company serves various industries and has a global presence, helping businesses worldwide with their software and technology needs.
Product description
Filr offers file access and sharing from any device. Users get what they want, and you stay in control of files and security.
Technical summary
Swascan’s Cyber Security Team found an important vulnerability on: MicroFocus Filr Appliance 3.0 build 4670
| Vulnerability | CVSSv3.1 Base Score | CVSSv3.1 Base Vector |
|---|---|---|
| LDAP Credential Disclosure | 7.2 High | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
The following section gives the technical details of this vulnerability, including evidence and a proof of concept.
Exposed LDAP Credential
Description
The web application exposes in clear text, to a user with elevated privileges, the credentials of the administrator account used to synchronize users from Active Directory via LDAP.
A potential attacker with these credentials could try to access the Domain Controller with maximum privileges and conduct subsequent attacks such as exfiltration of sensitive data and deployment of ransomware followed by a ransom demand.
Proof of Concept
After logging in with administrative credentials you can access the administration console and view the configuration of the web app, including the LDAP configuration, as shown below:
Evidence 1: Admin console page.
Evidence 2: LDAP configuration page.
As you can see, the password is obfuscated in the page. However, by intercepting the requests and responses that the application performs, including a POST request to the gwtTeaming.rpc component, the clear-text credentials can be viewed in the response, as shown below:
Evidence 3: POST HTTP request to the gwtTeaming.rpc component.
Evidence 4: HTTP response with plaintext password.
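After applying the vendor patch, a defender will want to confirm that the LDAP synchronization password no longer appears in any response the administration console receives, in clear text or in a trivial encoding. The check below is an added example, not code from Swascan or Micro Focus: it takes response bodies captured from an intercepting proxy during an administrator session (here constructed samples keyed by a descriptive label; the body shapes, the placeholder password and the `svc-filr-sync` account name are assumptions) and reports every response in which the known password occurs verbatim, Base64-encoded or URL-encoded. An empty result after patching is the expected outcome; any hit means the configuration data is still being returned unmasked.

```python
"""Post-patch verification: does the LDAP sync password leak in any response?

The responses, labels and password below are constructed for this example;
nothing here is a capture from a Filr appliance.
"""
import base64
from urllib.parse import quote

# Constructed placeholder. In a real check the value is the one configured on
# the appliance's LDAP configuration page, supplied at run time, never stored
# in the script.
LDAP_SYNC_PASSWORD = "Example-LDAP-Sync-P@ss!"

# Constructed response bodies from an administrator session, keyed by the
# request that produced them. The reply layout is invented for illustration.
SAMPLE_RESPONSES = {
    "GET admin console page":
        "<html><body>LDAP sync user: svc-filr-sync</body></html>",
    "POST gwtTeaming.rpc (unpatched)":
        '["ldapUrl","ldap://dc.example.invalid","bindUser","svc-filr-sync",'
        '"bindPassword","Example-LDAP-Sync-P@ss!"]',
    "POST gwtTeaming.rpc (patched)":
        '["ldapUrl","ldap://dc.example.invalid","bindUser","svc-filr-sync",'
        '"bindPassword","********"]',
    "POST gwtTeaming.rpc (base64 variant)":
        '["bindPassword","' + base64.b64encode(b"Example-LDAP-Sync-P@ss!").decode() + '"]',
}


def secret_encodings(secret: str) -> dict:
    """Forms in which a secret commonly ends up in a response body."""
    return {
        "plain": secret,
        "base64": base64.b64encode(secret.encode()).decode(),
        "url": quote(secret, safe=""),
    }


def find_exposures(responses: dict, secret: str) -> dict:
    """Map each response label to the encodings in which the secret was found.

    Labels without a hit are omitted, so an empty dict means no exposure.
    """
    forms = secret_encodings(secret)
    hits = {}
    for label, body in responses.items():
        found = []
        seen_values = set()
        for name, value in forms.items():
            # A secret with no special characters URL-encodes to itself;
            # report such identical forms only once.
            if value in seen_values:
                continue
            seen_values.add(value)
            if value in body:
                found.append(name)
        if found:
            hits[label] = found
    return hits


def no_exposure(responses: dict, secret: str) -> bool:
    """True when the secret appears in none of the captured responses."""
    return not find_exposures(responses, secret)


def report(responses: dict, secret: str) -> None:
    """Print one line per leaking response, showing only the encoding, never the secret."""
    hits = find_exposures(responses, secret)
    if not hits:
        print("OK: LDAP sync password not found in any captured response")
        return
    for label, encodings in hits.items():
        print(f"EXPOSED: {label} contains the password as {', '.join(encodings)}")


if __name__ == "__main__":
    report(SAMPLE_RESPONSES, LDAP_SYNC_PASSWORD)
```

The report deliberately prints the request label and encoding rather than the matched text, so the verification output can be attached to a ticket without itself becoming another copy of the credential. The same scan is worth repeating for any other secret held by the appliance configuration, and a hit on the patched build is a reason to re-contact the vendor rather than to assume the masking in the UI is sufficient.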
Remediation
The patch, released on May 19, 2023, is available. Update your appliance with this most recent release.
Disclosure Timeline
- 30/01/2023: Vulnerabilities discovered
- 01/03/2023: Vendor contacted by email
- 07/03/2023: Vendor reported the vulnerability to internal team
- 19/04/2023: Vendor confirmed the vulnerability and started working on a fix
- 19/05/2023: Vendor released the fix
- 28/06/2023: Security Advisory publication
- 06/12/2023: CVE issued CVE-2023-32268
Sources and references
- https://www.microfocus.com/it-it/home
- https://www.microfocus.com/it-it/products/filr/overview
- NVD – CVE-2023-32268 (nist.gov)
Final consideration
Swascan would like to thank MicroFocus for their collaboration in managing the disclosure, for their commitment to ensuring maximum resilience of products and solutions, and for great professionalism demonstrated during all phases of the process.