CVE-2023-29050
📋 TL;DR
This LDAP injection vulnerability in the optional LDAP contacts provider of OX App Suite lets privileged users inject LDAP filter syntax into the directory queries the provider builds. An injected filter can read directory information outside the intended search scope and, with expensive or wildcard-heavy filters, overload the directory server (denial of service). Only deployments with the LDAP contacts provider enabled are affected.
💻 Affected Systems
- OX App Suite
📦 What is this software?
OX App Suite by Open-Xchange
⚠️ Risk & Real-World Impact
Worst Case
Privileged users could exfiltrate sensitive directory data, compromise confidentiality of LDAP information, and cause directory server denial of service through resource exhaustion.
Likely Case
Privileged users accessing unintended directory information and potentially causing performance degradation on the LDAP server.
If Mitigated
Limited impact with proper input validation and LDAP query encoding in place.
🎯 Exploit Status
Requires privileged user access. No publicly available exploits known, but technical details have been published.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.10.6-6248
Vendor Advisory: https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json
Restart Required: Yes
Instructions:
1. Update OX App Suite to patch release 7.10.6-6248 or later, following the package details in the vendor advisory.
2. Restart the OX App Suite services so the patched components are loaded.
🔧 Temporary Workarounds
Disable LDAP contacts provider
Temporarily disable the vulnerable LDAP contacts provider component (this also removes the LDAP address book from users until the patch is applied)
# Edit OX App Suite configuration to disable LDAP contacts provider
# Consult OX App Suite documentation for specific configuration changes
🧯 If You Can't Patch
- Implement strict input validation for all LDAP filter parameters
- Apply network segmentation to isolate LDAP servers from untrusted networks
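The "input validation and LDAP query encoding" mentioned under "If Mitigated" and in the list above is concrete enough to show in code. The following is an added example, not OX App Suite's own code: a contacts lookup that builds an LDAP search filter from a user-supplied term, first in the vulnerable string-interpolation form and then with RFC 4515 escaping plus an allowlist check in front. The filter layout (objectClass/cn), the function names and the 64-character limit are assumptions for illustration.

```python
"""Added example, not OX App Suite code: a contacts lookup that builds an
LDAP search filter from a user-supplied term. The filter layout
(objectClass/cn), function names and length limit are hypothetical."""
import re

# RFC 4515 section 3: characters that must be escaped as \XX (hex of the
# byte) when they appear inside an assertion value.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter.
    Non-ASCII characters are left as UTF-8, which RFC 4515 permits."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_contact_filter_unsafe(term: str) -> str:
    """Vulnerable pattern: the term is interpolated verbatim, so a ')' in
    the term closes the cn clause and whatever follows becomes new filter
    syntax (extra clauses, other attributes, or an expensive filter)."""
    return f"(&(objectClass=inetOrgPerson)(cn=*{term}*))"


def build_contact_filter_safe(term: str) -> str:
    """Hardened: the same filter, but the term is escaped first, so it can
    only ever be matched as literal text within the cn value."""
    return f"(&(objectClass=inetOrgPerson)(cn=*{escape_filter_value(term)}*))"


# Allowlist for a search term (hypothetical policy): a plausible name or
# address fragment of bounded length. Run this before escaping, not instead.
_TERM_RE = re.compile(r"[\w .'@+-]{1,64}")


def is_valid_search_term(term: str) -> bool:
    return _TERM_RE.fullmatch(term) is not None


# Start of a real filter assertion: "(attr=", "(attr>=", "(attr~=", ...
_ASSERTION_RE = re.compile(r"\([A-Za-z][\w.;-]*\s*(?:=|~=|>=|<=)")


def assertion_count(ldap_filter: str) -> int:
    """Number of attribute assertions in a filter string. The caller can
    compare this with the number it meant to emit (2 for the filters above)
    to catch a term that smuggled in extra clauses."""
    return len(_ASSERTION_RE.findall(ldap_filter))


if __name__ == "__main__":
    injected = "*)(userPassword=*"
    print(build_contact_filter_unsafe(injected))   # three assertions, not two
    print(build_contact_filter_safe(injected))     # still two assertions
    print(is_valid_search_term(injected))          # rejected by the allowlist
```

Escaping is the fix that actually closes the injection; the allowlist is defence in depth that also blocks wildcard-only terms such as `******`, which are valid filter syntax but force a full directory scan.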
🔍 How to Verify
Check if Vulnerable:
Check if LDAP contacts provider is enabled and OX App Suite version is below 7.10.6-6248
Check Version:
# Check OX App Suite version via admin interface or configuration files
Verify Fix Applied:
Verify OX App Suite version is 7.10.6-6248 or later and check configuration for proper LDAP query encoding
📡 Detection & Monitoring
Log Indicators:
- Unusual LDAP query patterns
- Excessive LDAP server load from OX App Suite
- Privileged user accessing unexpected directory paths
Network Indicators:
- Abnormal LDAP traffic volume from OX App Suite servers
- Unusual LDAP filter strings in network captures
SIEM Query:
Search application and directory-server logs for contact-search parameters that contain LDAP filter metacharacters ('(', ')', '*', '\') outside normal name fragments, unbalanced parentheses, or wildcard-only terms, and correlate hits with privileged accounts and with spikes in LDAP query latency or volume.
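As an added example of the log indicators and SIEM logic described above (not OX App Suite's own logging or its real log format), the scanner below decodes the search parameter from a request log, flags terms that contain embedded filter assertions, unbalanced parentheses, manual escapes or wildcard-only queries, and counts hits per account. The log layout, the `/api/contacts/search?q=` parameter and the sample lines are all constructed for this example.

```python
"""Added example, not OX App Suite code or its real log format: scanning a
request log for contact-search parameters that look like LDAP filter
injection or wildcard-only queries that would load the directory server.
The log layout and the /api/contacts/search?q= parameter are hypothetical."""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines: timestamp, user, method, request path.
SAMPLE_LOG = """\
2023-09-20T10:01:02Z admin GET /api/contacts/search?q=smith
2023-09-20T10:01:05Z admin GET /api/contacts/search?q=%2A%29%28userPassword%3D%2A
2023-09-20T10:01:09Z alice GET /api/contacts/search?q=m%C3%BCller
2023-09-20T10:01:12Z admin GET /api/contacts/search?q=%2A%29%28%7C%28cn%3D%2A%29%28cn%3D%2A
2023-09-20T10:01:15Z bob GET /api/contacts/search?q=%2A%2A%2A%2A%2A%2A
"""

# Start of an LDAP filter assertion, e.g. "(userPassword=" or "(cn>=".
_ASSERTION_RE = re.compile(r"\([A-Za-z][\w.;-]*\s*(?:=|~=|>=|<=)")


def classify_term(term: str) -> list[str]:
    """Return the reasons a decoded search term looks suspicious; an empty
    list means it is an ordinary name fragment."""
    reasons = []
    if _ASSERTION_RE.search(term):
        reasons.append("embedded-assertion")    # "(attr=" inside the term
    if term.count("(") != term.count(")"):
        reasons.append("unbalanced-parens")     # term would break or extend the filter
    if "\\" in term or "\x00" in term:
        reasons.append("escape-or-nul")         # hand-written \XX escapes or NUL
    if term.count("*") >= 3 and not term.replace("*", "").strip():
        reasons.append("wildcard-only")         # "*****": forces a full directory scan
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse each log line, percent-decode the q= parameter and collect
    the entries that classify_term flags."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                            # not in the expected shape
        ts, user, _method, path = parts
        params = parse_qs(urlsplit(path).query) # percent-decodes the values
        for term in params.get("q", []):
            reasons = classify_term(term)
            if reasons:
                findings.append({"time": ts, "user": user,
                                 "term": term, "reasons": reasons})
    return findings


def flagged_per_user(findings: list[dict]) -> dict[str, int]:
    """Hits per account: repeated hits from one privileged user are the
    pattern to alert on, not a single odd query."""
    return dict(Counter(f["user"] for f in findings))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(flagged_per_user(hits))
```

Decode before matching: the metacharacters arrive percent-encoded, so a regex run over the raw request line misses them. A single `*` is normal substring-search behaviour and is deliberately not flagged; the thresholds here are illustrative and should be tuned against the deployment's own baseline.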
🔗 References
- http://packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html
- http://seclists.org/fulldisclosure/2024/Jan/3
- https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json
- https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf