How secure are you? Avail free Pentesting now!

How to detect the vulnerability-CVE-2020-14723?

Posted on 3rd Sep, 2020 | By Bhavithra

A new zero-day vulnerability, CVE-2020-14723, was discovered by Cyber Security Works in Oracle Help Technologies related to the Web UIX component. CVE-2020-14723 has a base score of 5.8 and an exploitability score of 8.6 in the CVSSv2 vulnerability severity scale. This vulnerability was discovered in our research lab on January 11, 2020, and we found that it has affected geographic locations such as the United States, Ireland, Germany, Netherlands, and Brazil.

You can use the following script to detect this vulnerability -

Python 2.7+ Required
Multi os support

  1. Python pip install -r requirements.txt - Please install necessary modules
  2. Scanning IPs have to be added in a text file saved as IP.txt under the same script executing folder.
  3. Payloads.txt - The default text file has to be present in the same folder and if users want to check with other payload types for Firewall bypass they can add in this file as per need.
  4. Once both the txt are present, The script can be executed directly from the command line Python Oracle.py
  5. The script will send an HTTP request to the IPs present in the IP list file and examine the response for the presence of the vulnerability.
  6. Post the validation and completion of the script for the list of IPs provided, an excel file will be generated automatically with the output - Results.xls
  7. The Generated Excel Sheet will have the details of the vulnerable and not vulnerable hosts for the CVE-2020-14723.

 

Vulnerability Detection

CVE-2020-14723 was detected using an IAST tool to capture the Request, which showed that a simple payload reflects in Response.

Disclosure

The vulnerability was disclosed to Oracle in January 2020. The vendor responded and released a patch in June 2020 to mitigate this vulnerability.

Timeline

Date Description
Jan 11, 2020

Discovered in our research lab

Jan 12, 2020

Reported to Oracle

Jun 23, 2020 Oracle notified that the issue is addressed in the main code line and scheduled a future CPU - Critical Patch Update Releases.
Jul 14, 2020 The date of public disclosure
Jul 15, 2020 Published in NVD
Jul 20, 2020 Last modified on NVD

Incident Analysis

The CVE-2020-14723 allows an unauthenticated user to insert a malicious JavaScript on the help page. Whenever a user clicks on a Print page option, the script will be executed as part of the current user browser context.

Vendor Product Versions
Oracle Help Technologies 11.1.1.9.0, 12.2.1.3.0

Vulnerability Analysis

CVE-2020-14723 is a vulnerability in the Oracle Help Technologies product of Oracle Fusion Middleware (component: Web UIX). Supported versions that are affected are 11.1.1.9.0 and 12.2.1.3.0.

Proof of Concept

Product Oracle Web Content Management
Product Version 12.2.1.3.0
Privilege Any user who has access to the Help Page
Request Type GET
Vulnerable URL http://localhost/_ocsh/help/state?navSetId=help_for_translation_dc_template_editor_en_dcted_html_l10n_dcted_hlpbk&navId=0&locale=en844&destination=
Vulnerable Parameter locale

 

Steps to Reproduce:

Step 1: Click on the Help docs page in the Oracle Web content.

Step 2: Navigate to any of the help topics shown below and intercept using the proxy tool (Burp).

Step 3: Capturing the Request and a simple Payload reflects in the Response without sanitization.

Step 4: While triggering the Print page event, the payload gets stored and is assigned with the path URL. Whenever the user clicks the print page, the payload will be automatically executed in the user’s browser.

Mitigation

Oracle recommends that customers apply the Critical Patch Update July 2020 to the Oracle Database components of Oracle Fusion Middleware products. Click this link for the patch updates: https://www.oracle.com/security-alerts/cpujul2020.html

Impact

If this vulnerability is exploited successfully, it may result in the blocking of network protocols and may break application functionality. It may also result in unauthorized access to critical data, complete access to Oracle Help Technologies’ accessible data, unauthorized updates (insert or delete access to Oracle Help Technologies accessible data).

Recommendation

Based on the CSW team's recommendations, Oracle strongly advised its customers to remain on actively supported versions and apply critical security patches without delay.

Test your defense to know how secure you are… Signup for free pentesting service*

* A limited period offer