SyncFusion: CVE-2023-26563/4/5

Introduction

We discovered multiple high severity CVEs in Syncfusion's software, and use them to discuss the advantages and disadvantages of building third-party solutions into your own. This post goes into detail about the issues themselves and the risks they pose to businesses.
About Ruptura InfoSecurity
Ruptura InfoSecurity are a fully accredited and trusted UK based cyber security provider. You can rest assured that our technical cyber security expertise and level of service is second to none.

SyncFusion's File Explorer

During one of our web application security assessments, we noticed some odd behaviour in one of the application's features. The component in question was a file explorer for files uploaded to the application: it allowed files to be stored in specific directories, renamed, and so on, the standard features you would expect from a file explorer. After a short look at it, we identified it as Syncfusion's file explorer component:

[Screenshots: the Syncfusion file explorer component as seen in the application]

If you want to integrate this component into your own environment, Syncfusion provide a variety of "file providers" (the server-side back ends the explorer talks to) for different languages and cloud environments:

[Screenshot: Syncfusion's list of available file providers]

During our security assessment, we identified that our client was using the ASP.NET file provider. While not linked from the component's demo page, Syncfusion's documentation covers all of the available file providers in more depth. Luckily for us, the providers are also open source, so it was easy to track down exactly what was running on our client's production server:

[Screenshot: the open-source file provider used by the client]

CVE-2023-26563, CVE-2023-26564, CVE-2023-26565

The vulnerabilities we identified in the ASP.NET, Node and SQL Server file providers are not particularly interesting from an exploitation point of view: they are arbitrary file reads, arbitrary file uploads and SQL injection. They do, however, have a substantial impact for users of the file explorer. In our client's case, we were able to access every uploaded file, a number of confidential legal documents among them. Because our client did not expect the component to be vulnerable, the same provider had also been deployed on another of their web applications, so we were able to read data belonging to a completely unrelated application.

A full breakdown of the vulnerabilities is available here.

These CVEs are, however, more indicative of the dangers of third-party solutions, especially those advertised as simple drop-in services that make a fancy-looking front-end component functional. Third-party solutions are easy to implement, but depending on the company that produced them, they may not have been assessed as thoroughly as your organisation's own security standards require. Unfortunately, assessing every single line of code in a third-party solution, library or framework is not a feasible approach for many software engineering companies.

What's The Solution Then?

While it is not possible to read every single line of code in your third-party libraries, take some time to review them yourself and ask the following questions:
  • Does the code look well designed and well thought out?
  • Does this look maintained?
  • Is the organisation/individual behind the project reputable or well-known?
  • Does the organisation/individual respond to issues, pull requests, and questions for the project?
In our case, Syncfusion is fairly well known, happily advertising themselves as trusted by the likes of IBM, SIEMENS, Intel, VISA, and Apple. However, looking at the SyncfusionExamples GitHub organisation, they have nearly 4,000 repositories published, and the ASP.NET file provider repository itself shows very little activity. While it is unlikely that every repository is intended for production use, with this many repositories it is equally unlikely that each one receives ongoing security review and patches.

As for the code, it does not appear to be well designed, with much of it bundled into a single file nearly 2,500 lines long. Likewise, the SQL Server provider contains trivial SQL injections, something we very rarely see any more given how readily available parameterised queries and other protections against them are.
 
Ultimately, software development is an incredibly difficult task, as Scott Ambler's triangle shows: getting the balance between scope, resources, and schedule right is not an easy feat.
Scott Ambler's triangle showing the balance between scope, resources, and schedule.

Developing a high quality file explorer is also difficult: there is a significant amount of logic and functionality to implement, and users expect an experience identical to the file explorer they are used to. However, we cannot recommend Syncfusion's current offering, especially as the fixes Syncfusion made were ineffective and do not prevent any of the issues we reported to them.

As of right now, we recommend removing the affected components from your technology stack until Syncfusion publish effective fixes.

Communication Timeline

  • 24/01/2023: Initial contact with Syncfusion with brief descriptions of the vulnerabilities.
  • 06/02/2023: No response, asked if there was any update available.
  • 08/02/2023: Syncfusion replied saying their team would review and verify the reported problems.
  • 27/02/2023: I replied with the assigned CVE numbers: CVE-2023-26563, CVE-2023-26564, CVE-2023-26565 and stated a disclosure time of 24th April 2023.
  • 20/03/2023: Syncfusion replied saying fixes had been made.
  • 03/04/2023: I replied stating the fixes were ineffective in preventing the issues and attached direct HTTP requests.
  • 03/04/2023: Syncfusion replied saying they’d once again review the issues and address it as soon as possible.
  • 12/06/2023: Blog post and GitHub repository published.

Ineffective patches:

  • https://github.com/SyncfusionExamples/ej2-aspcore-file-provider/commit/0d93d4f8db00a38011d30bbdc832f27bdf56e4d8
  • https://github.com/SyncfusionExamples/ej2-filemanager-node-filesystem/commit/b96d4ea24a76464f868ec67ee3f299ce0b913d50
  • https://github.com/SyncfusionExamples/sql-server-database-aspcore-file-provider/commit/5f690cdeefea0229f0b85dadad3c99324dfa30a2
