Multiple Vulnerabilities in m-privacy TightGate-Pro

Title: Multiple Vulnerabilities
Product: m-privacy TightGate-Pro
Vulnerable Version: see "Vulnerable Versions"
Fixed Version: see "Fixed Versions"
CVE Number: CVE-2023-47250, CVE-2023-47251
Impact: high
Found: 18.08.2023
By: Daniel Hirschberger (Office Bochum), Steven Kurka (Office Essen), Marco Schillinger (Office Nürnberg) | SEC Consult Vulnerability Lab

The TightGate-Pro solution offers a secure remote browser which does not run on the user's own device but on a remote server that is accessed via VNC. The goal is to prevent the host device of the user from being attacked. There are several vulnerabilities in the server which enable attackers to view the VNC sessions of other users, infect the VNC sessions with keyloggers and start internal phishing attacks. Additionally, a TightGate-Pro administrator can push malicious PDFs to the endpoint of the user. Furthermore, the update servers, which are only reachable via an SSH tunnel, run severely outdated software (2003).

Vendor description

"TightGate-Pro is a ReCoB system. ReCoBS stands for Remote-Controlled Browser System, literally translated 'remote-controlled web browser'. TightGate-Pro physically separates the web browser execution environment from the workstation. The system thus shields the internal network from the Internet and reliably and preventively prevents attacks via the web browser. TightGate-Pro is the strongest dedicated ReCoBS, because only physical outsourcing on a hardened system permanently withstands attacks. Local virtualisations, sandboxing systems or micro-virtualisations do not offer effective protection. TightGate-Pro is used in public authorities, financial institutions, industrial companies and critical infrastructures – in short, everywhere where “safe surfing on the Internet” is indispensable at the workplace and internal infrastructures must be reliably protected. TightGate-Pro is BSI-certified according to EAL3+."

Source: https://www.m-privacy.de/en/tightgate-pro-safe-surfing/

Business recommendation

The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.

Vulnerability overview/description

1) Code Execution

Execution of single commands and scripts is possible with the privileges of the current user. Code execution is possible with any file type on the server and no specific permissions need to be set for the utilized file.

Vendor response (translated):
"It is intended behavior to execute arbitrary bash scripts. It is not possible to execute arbitrary programs and libraries. There is no privilege escalation possible with this vulnerability."

We can confirm that it was not possible to escalate privileges during our test.


2) Access to all Desktops (CVE-2023-47250)

Multiple users connect to the same TightGate-Pro server, resulting in one instance of the X11 window system. Due to insecure permissions of the X11 sockets, it is possible for any user to open arbitrary windows on the desktop of other users, for example for phishing attacks or to install a keylogger directly.

Vendor response (translated):
"We acknowledge this issue as an important vulnerability. A fix with full RSBAC-Jail-Separation and changed Linux-Filesystem permissions is currently available in the "Prestable" packages:

  • mprivacy-tools_2.0.406g
  • tightgatevnc_4.1.2~1
  • rsbac-policy-tgpro_2.0.159

These can be applied by the admin user "update". The updates will be provided automatically as Hotfix around 2023-10-24."


3) File Transfer by Abusing the Print function (CVE-2023-47251)

TightGate-Pro allows printing PDF documents on the host system. Documents are transferred to the host, printed and deleted afterwards. An attacker is able to control the path of the transferred file and to prevent the automatic deletion of the file.

Vendor response (translated):
"This is not a severe finding but we already fixed it. The fixes are available in the packages:

  • mprivacy-tools_2.0.406g
  • tightgatevnc_4.1.2~1

Now the .spool directory is always scanned for malicious data and the VNC client does not transfer files which contain path symbols (e.g. ../)."


4) Outdated Update Server

Based on disclosed version numbers the update server is running outdated software with known vulnerabilities. The criticality of this issue depends on the exploitability of these issues.

Vendor response (translated):
"The old version of thttpd is already known. This is not seen as security-relevant. The access to the update server requires a previous registration of a customer-provided SSH key, which is only available to administrators on the TightGate-Pro instance. thttpd is isolated on the update server and can only *read* files. Even if an attacker can write malicious update packages, these are still secured by a cryptographic signature and would not be installed on TightGate-Pro instances. We will eventually replace thttpd with lighttpd which is still supported."

Proof of concept

1) Code Execution

Code execution is possible using the context menu of any file in the VNC session of TightGate-Pro. Selecting "Öffnen mit" (Open with) in the context menu of any file and then selecting the "Benutzerdefinierte Befehlszeile" (custom commandline) section of the menu allows a custom shell command to be provided for execution (screenshots: context menu "Open with" dialog; selecting "custom commandline").

At this point there are two possible options:
In case the selected file is a bash script, typing `/bin/bash` as custom command will execute the script. For this PoC the following script has been used:

#!/bin/bash
echo poc >> /home/user/testuser/Desktop/test/PoC2.txt

In case any other file is selected a complete command can be used as well. A possible example is listed below:

/bin/bash -c "echo poc >> /home/user/testuser/Desktop/test/PoC2.txt"

According to vendor, arbitrary code execution is not possible as programs and libraries won't be executed.

2) Access to all Desktops (CVE-2023-47250)

A normal user without special permissions has read and write access to all X11 sockets stored in the temp folder of the TightGate-Pro user (screenshot: insecure permissions allow attackers with standard roles to access other desktops).

This allows any user, for example, to open dialogue boxes on the desktop of the currently connected users (screenshots: attackers are able to open dialog boxes of other users; accessing entered data of the victim). The command used is listed below.

/bin/bash -c 'for i in $(ls /home/tmpdir/tmp510/.X11-unix | cut -b 2-); do
DISPLAY=unix:"$i".0 zenity --password --username & done;'

As it can be seen in the second screenshot, any input to the dialogue boxes can be read by the attacker.
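The following audit script is an added example written for this advisory's defenders; it is not TightGate-Pro or vendor code. It lists the display sockets in a shared X11 socket directory that are writable by a user other than their owner, which is the filesystem-side condition described above. The directory path is taken from the PoC command and is an assumption about the deployment; the fixture directory built by make_demo_dir() is constructed for demonstration only.

```python
"""Audit of X11 display sockets in a shared directory (added example; not
TightGate-Pro or vendor code).  It assumes the layout described in the PoC:
every connected user's display socket lives in one directory such as
/home/tmpdir/tmp510/.X11-unix (path taken from the advisory; adjust as needed)."""
import os
import shutil
import socket
import stat
import tempfile

DEFAULT_SOCKET_DIR = "/home/tmpdir/tmp510/.X11-unix"  # path from the advisory's PoC


def audit_x11_sockets(sock_dir, caller_uid=None):
    """Return the display sockets in sock_dir that the auditing user could
    write to although they belong to another user.

    caller_uid: the uid the audit is run for (defaults to the current user);
    pass another uid to see the directory from that user's perspective.
    Each finding is a dict with the socket name, owner uid and mode bits.
    """
    if caller_uid is None:
        caller_uid = os.getuid()
    findings = []
    for entry in sorted(os.listdir(sock_dir)):
        path = os.path.join(sock_dir, entry)
        st = os.lstat(path)
        if not stat.S_ISSOCK(st.st_mode):
            continue  # only display sockets (X0, X1, ...) matter here
        perm = stat.S_IMODE(st.st_mode)
        writable_by_others = bool(perm & (stat.S_IWGRP | stat.S_IWOTH))
        if st.st_uid != caller_uid and writable_by_others:
            findings.append({"name": entry, "uid": st.st_uid, "mode": oct(perm)})
    return findings


def make_demo_dir():
    """Constructed fixture: a temporary directory holding one world-writable
    and one owner-only Unix socket, both owned by the current user."""
    d = tempfile.mkdtemp(prefix="x11demo")
    for name, mode in (("X0", 0o777), ("X1", 0o700)):
        path = os.path.join(d, name)
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(path)  # creates the socket inode; it stays on disk after close()
        s.close()
        os.chmod(path, mode)
    return d


if __name__ == "__main__":
    real = os.path.isdir(DEFAULT_SOCKET_DIR)
    target = DEFAULT_SOCKET_DIR if real else make_demo_dir()
    # In the demo case view the directory as a foreign uid so that our own
    # world-writable socket is reported.
    uid = None if real else -1
    for f in audit_x11_sockets(target, caller_uid=uid):
        print(f"{target}/{f['name']}: owned by uid {f['uid']}, "
              f"mode {f['mode']} -> writable by other users")
    if not real:
        shutil.rmtree(target)
```

A mode of 0777 on a display socket is the stock X server default, and access is then supposed to be gated by X authentication (MIT-MAGIC-COOKIE) and, in a deployment like this one, by the per-user separation the vendor's fix adds. A finding from this script therefore means "verify that those controls are actually enforced for this display", not that the socket bits alone are the whole story.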

3) File Transfer by Abusing the Print function (CVE-2023-47251)

File transfers can be triggered for PDF files which are stored in the `/home/user/.spool/<username>` directory. By setting a relative path as file name, the file can be stored in any user directory on the host system.

In case the file name contains Unicode characters, the file is not deleted after the transfer and after the print prompt has been closed. To store a file on the user's desktop, the name `..\\..\\..\\..\\..\\Desktop\\Ỻeicar.pdf` can be used. The transfer can then be triggered by sending the signal `SIGUSR2` to the `Xtightgatevnc` process:

cp eicar.pdf '/home/user/.spool/<username>/..\\..\\..\\..\\..\\Desktop\\Ỻeicar.pdf'
pkill -u $USER --signal SIGUSR2 Xtightgatevnc

In addition, this file transfer does not check whether malicious files are transferred to the host system. The screenshot "File transfer of malicious files" shows the warning of a malware scanner after an EICAR test file was transferred. It is therefore possible to circumvent the malware scanner of TightGate-Pro, which only runs if the intended way of transfer, namely the TightGate-Schleuse, is used.
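The validator below is an added example for this section, not TightGate-Pro or vendor code. The vendor describes its fix only as refusing names that contain path symbols; this code is a general implementation of that idea for the spool layout given in the PoC (`/home/user/.spool/<username>/`), with the root path, the alphanumeric user-name rule and the ASCII-only policy being assumptions of this example. It also shows why a server-side normpath check alone is not enough: on Linux a backslash is an ordinary character, so the advisory's payload looks contained in the user's spool directory and only turns into a traversal once the Windows client interprets it.

```python
"""Server-side validation of print-spool file names (added example; not
TightGate-Pro or vendor code).  Assumed layout, taken from the PoC above:
/home/user/.spool/<username>/<name>.pdf is picked up by the VNC client,
written to the host and deleted after printing."""
import posixpath
import unicodedata

SPOOL_ROOT = "/home/user/.spool"  # assumed from the advisory's PoC path

# Characters that change the meaning of a name on either the Linux server or
# the Windows host: both separator styles, the drive/stream colon and NUL.
_FORBIDDEN = set("/\\:\0")

# File name quoted in the advisory, kept here only as a test vector.
ADVISORY_PAYLOAD = "..\\..\\..\\..\\..\\Desktop\\Ỻeicar.pdf"


def is_safe_spool_name(name: str) -> bool:
    """Accept only a single, plain, printable ASCII component ending in .pdf."""
    if not name or len(name) > 255:
        return False
    norm = unicodedata.normalize("NFC", name)
    if _FORBIDDEN & set(norm):
        return False
    # Control and format characters (Unicode category C*) are never valid here.
    if any(unicodedata.category(ch).startswith("C") for ch in norm):
        return False
    # Conservative design choice (assumption, not the vendor's rule): the
    # advisory reports that a Unicode name defeated the post-print deletion on
    # the host, so non-ASCII names are refused rather than normalised.
    if not norm.isascii():
        return False
    if norm.startswith(".") or norm.rstrip() != norm:
        return False  # hidden names; trailing spaces are stripped by Windows
    return norm.lower().endswith(".pdf")


def naive_posix_containment(username: str, name: str) -> bool:
    """What a server-side normpath check alone sees.  On Linux a backslash is
    an ordinary character, so the advisory's payload appears contained."""
    user_dir = posixpath.join(SPOOL_ROOT, username)
    candidate = posixpath.normpath(posixpath.join(user_dir, name))
    return posixpath.commonpath([user_dir, candidate]) == user_dir


def spool_path_for(username: str, name: str) -> str:
    """Return the absolute spool path for a validated name or raise ValueError."""
    if not username.isalnum():  # assumption: plain alphanumeric user names
        raise ValueError(f"rejected user name: {username!r}")
    if not is_safe_spool_name(name):
        raise ValueError(f"rejected spool file name: {name!r}")
    if not naive_posix_containment(username, name):  # second line of defence
        raise ValueError(f"spool path escapes user directory: {name!r}")
    return posixpath.join(SPOOL_ROOT, username, name)


def rejects(username: str, name: str) -> bool:
    """True when spool_path_for refuses the pair (convenience for checks)."""
    try:
        spool_path_for(username, name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for n in ("report.pdf", "../report.pdf", ADVISORY_PAYLOAD, "Ỻeicar.pdf"):
        print(f"{n!r:48} safe={is_safe_spool_name(n)!s:5} "
              f"posix_contained={naive_posix_containment('testuser', n)}")
```

The character check is the control that matters for this finding; the containment check is kept because it is cheap and catches plain `../` names, but on its own it would have passed the backslash payload. Validation on the server does not replace scanning the spool contents, which the vendor's fix adds separately.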

4) Outdated Update Server

Access to the update server is possible with the ssh key stored at `/etc/cu/id_ed25519` and ssh port forwarding. The ssh key is customized for each customer. Root access is needed to retrieve the key. The command used for the forwarding is listed below:

ssh -N -L 8000:localhost:85 tgpro13@update.m-privacy.de -i id_ed25519 -v

Afterwards access is possible at `http://127.0.0.1:8000`. The server headers return the version of the webserver (screenshot: outdated webserver):

thttpd/2.25b 29dec2003

This version has four known vulnerabilities (high and medium severity):

  • CVE-2006-1078
  • CVE-2006-1079
  • CVE-2007-0664
  • CVE-2009-4491

Vulnerable / tested versions

A TightGate-Pro server with the following package versions was used for testing:

  • tightgatevnc < 4.1.2~1
  • rsbac-policy-tgpro < 2.0.159
  • mprivacy-tools < 2.0.406g

Vendor contact timeline

2023-10-11 Contacting vendor through info@m-privacy.de via GPG
2023-10-13 CEO of m-privacy phones us and thanks us for the advisory, a developer will send us a written statement next week.
2023-10-16 Received a written statement of their lead developer: the vulnerabilities #2 (Access to all Desktops) and #3 (File Transfer by Abusing the Print function) are confirmed and a fix is available; #1 is seen as a feature, not a bug; #4 is claimed to be prevented by hardening measures on the server, and thttpd will be replaced by lighttpd in the future.
2023-10-24 We ask for some clarifications regarding software versions and advisory publication date.
2023-10-29 Vendor provides software version information and asks us to publish the advisory after 2023-11-06.
2023-11-22 Public release of security advisory.

Solution

Install the "Prestable" packages or wait until they are available as hotfix:

  • mprivacy-tools_2.0.406g
  • tightgatevnc_4.1.2~1
  • rsbac-policy-tgpro_2.0.159

Workaround

None

Advisory URL

https://sec-consult.com/vulnerability-lab/

EOF Daniel Hirschberger, Steven Kurka, Marco Schillinger / @2023