CVE-2020-35205
📋 TL;DR
This Server-Side Request Forgery (SSRF) vulnerability in Quest Policy Authority's Web Compliance Manager allows attackers to scan internal network ports and make unauthorized outbound connections via the initFile.jsp file. It affects Quest Policy Authority version 8.1.2.200, but only impacts products that are no longer supported by the vendor.
💻 Affected Systems
- Quest Policy Authority for Unified Communications
⚠️ Risk & Real-World Impact
Worst Case
Attackers could pivot from the vulnerable server to access internal systems, exfiltrate sensitive data, or launch attacks against internal services that would normally be protected by network segmentation.
Likely Case
Internal network reconnaissance leading to discovery of other vulnerable services, potential data leakage from internal systems, and abuse of the server as a proxy for malicious activities.
If Mitigated
Limited to port scanning capabilities with no data exfiltration if proper network segmentation and egress filtering are implemented.
🎯 Exploit Status
The vulnerability is well-documented in security advisories with technical details that could be easily weaponized. SSRF vulnerabilities are commonly exploited in real-world attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch is available since the product is no longer supported. Consider upgrading to a supported version or implementing workarounds.
🔧 Temporary Workarounds
Block access to initFile.jsp
Restrict access to the vulnerable initFile.jsp file using web server configuration or firewall rules.
# Apache: RewriteRule ^/path/to/initFile\.jsp$ - [F]
# Nginx: location ~ /path/to/initFile\.jsp$ { deny all; }
# IIS: Add request filtering rule to block initFile.jsp
Network segmentation and egress filtering
Implement strict network segmentation to limit the server's ability to reach internal systems and apply egress filtering to control outbound connections.
🧯 If You Can't Patch
- Deploy a Web Application Firewall (WAF) with SSRF protection rules
- Isolate the vulnerable server in a DMZ with restricted network access
🔍 How to Verify
Check if Vulnerable:
Check if the server responds to requests to /WebCompliance/initFile.jsp with SSRF payloads. Use curl: curl -v 'http://target/WebCompliance/initFile.jsp?file=http://internal-ip:port'
Check Version:
Check application version through administrative interface or configuration files. The exact command varies by deployment.
Verify Fix Applied:
Verify that requests to initFile.jsp with SSRF payloads are blocked or return appropriate error responses. Test with the same curl command used for vulnerability checking.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to initFile.jsp with external URLs or internal IP addresses in parameters
- Outbound connections from the server to unexpected internal systems
Network Indicators:
- Unusual outbound traffic patterns from the server, especially to internal IP ranges
- Port scanning activity originating from the server
SIEM Query:
source="web_server_logs" AND uri="*initFile.jsp*" AND (param="*http://*" OR param="*://10.*" OR param="*://192.168.*" OR param="*://172.16.*")
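The log indicators above can also be checked offline. The following is an added example, not code from the advisories or the vendor: it scans access log lines for initFile.jsp requests whose parameters carry a URL and classifies the target against the full private, loopback and link-local ranges rather than prefix wildcards. It assumes combined-format access logs; the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Client address and request URI from a combined-format access log line.
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?:GET|POST|HEAD) (?P<uri>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2021:10:00:00 +0000] "GET /WebCompliance/initFile.jsp?file=http://172.20.1.5:8080 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2021:10:00:01 +0000] "GET /WebCompliance/initFile.jsp;x=1?file=http%3A%2F%2F127.0.0.1%3A22 HTTP/1.1" 500 0',
    '198.51.100.9 - - [01/Jan/2021:10:05:00 +0000] "GET /WebCompliance/initFile.jsp?file=report.xml HTTP/1.1" 200 100',
    '198.51.100.9 - - [01/Jan/2021:10:05:02 +0000] "GET /WebCompliance/index.jsp?next=http://10.0.0.1 HTTP/1.1" 200 100',
    '192.0.2.44 - - [01/Jan/2021:10:09:00 +0000] "GET /WebCompliance/initFile.jsp?file=https://example.org/x HTTP/1.1" 200 100',
]

def classify_target(value):
    """Return 'internal', 'external' or 'hostname' for a URL value, else None."""
    try:
        target = urlsplit(value)
    except ValueError:          # malformed bracketed host
        return None
    if not target.scheme or not target.hostname:
        return None             # plain file name, not a URL
    try:
        ip = ipaddress.ip_address(target.hostname)
    except ValueError:
        return "hostname"       # needs DNS resolution to judge; still worth review
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "internal"
    return "external"

def scan(lines):
    """Return (client, parameter, decoded value, classification) per suspicious request."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        uri = urlsplit(m.group("uri"))
        # Drop path parameters (";...") so they cannot hide the file name.
        if not uri.path.split(";")[0].lower().endswith("/initfile.jsp"):
            continue
        for name, values in parse_qs(uri.query).items():  # parse_qs percent-decodes
            for value in values:
                kind = classify_target(value)
                if kind:
                    findings.append((m.group("client"), name, value, kind))
    return findings
```

Call `scan()` on the lines of the web server's access log; entries classified `hostname` need a DNS lookup before they can be judged internal or external.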
🔗 References
- https://clandestinelabs.io/security-advisories/advisory-multiple-vulnerabilities-in-quest-policy-authority-for-unified-communications
- https://un4gi.io/blog/multiple-vulnerabilities-in-quest-policy-authority-for-unified-communications