- Improper Access Control
- Denial of Service
- GlobalScape
- GlobalScape EFT version 7.4.11.34
The GlobalScape EFT web service is vulnerable to an unauthenticated denial of service and IP spoofing issue. The denial of service is triggered by a request to the Cloud Admin Health Check page when the cloud component has not been configured. Repeated exploitation of the denial of service issue can result in the service becoming disabled until it is manually restarted by a system administrator. The audit log IP spoofing issue is due to the application trusting the X-Forwarded-For HTTP header of inbound requests when storing database records for the audit log. The flat file logs record are not affected by the IP spoofing issue.
GlobalScape recommends upgrading to the latest version to address these issues. In addition, the denial of service issue can be mitigated by blocking access to the URL "/Cloud/CloudAdminHealthCheck.htm" while the IP spoofing issue can be avoided by stripping the X-Forwarded-For header from inbound requests.
This vulnerability was found by HD Moore of Atredis Partners.
- https://kb.globalscape.com/Knowledgebase/11465/XFF-and-DoS-Security-Vulnerability?Keywords=XFF
- CERT VU#937059: https://www.kb.cert.org/vuls/id/937059/
- CVE-2019-12602: IP Spoofing
- CVE-2019-12603: NULL Pointer Dereference
- 2019-02-26: Atredis Partners sent vulnerability details to GlobalScape
- 2019-02-26: GlobalScape confirms receipt of the advisory
- 2019-03-11: GlobalScape releases 7.4.13 to address these issues
- 2019-05-23: Atredis Partners provided a copy of the advisory to CERT/CC
- 2019-07-10: Atredis Partners published the advisory
The GlobalScape EFT web interface exposes a Cloud Admin Health Check page at the URL "/Cloud/CloudAdminHealthCheck.htm". If the cloud feature is not used and an unauthenticated attacker requests this URL, the application process crashes with an access violation. Repeated exploitation of this issue can result in the service being disabled. This issue has been assigned CVE-2019-12603.
Application: cftpstes.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: exception code c0000005, exception address 011FFEF0
The GlobalScape EFT web interface mishandles the "X-Forwarded-For" HTTP header, allowing an attacker to specify arbitrary values, which will be treated as the remote address of the request. This allows for the IP address in various event logs to be spoofed and may allow an attacker to bypass IP-based access control in the application. This issue has been assigned CVE-2019-12602.
This issue can be triggered through a curl request containing the "X-Forwarded-For" header.
$ curl -H "X-Forwarded-For: spoofed" https://eft.example.lan/