CVE-2014-0037: Security Advisory for Zarafa
by Robert Scheck (Comments: 0)
In October 2013 I discovered a remotely exploitable vulnerability in the Zarafa Collaboration Platform (ZCP), an open-source groupware suite that enables full collaboration on e-mail, calendar, contacts and tasks and can be used as an alternative to Microsoft Exchange. This vulnerability was fixed by Zarafa in January 2014 (after I had provided a patch). Our security advisory with further details follows:
Remote Denial of Service flaw at Zarafa Collaboration Platform
ETES GmbH Security Advisory; January 31, 2014
BACKGROUND
Zarafa, often also referred to as Zarafa Collaboration Platform (ZCP), is an Open Source groupware suite which enables full collaboration of e-mail, calendaring, contacts and tasks. ZCP is used and well-known as a drop-in Microsoft Exchange replacement (origin: Zarafa Netherlands).
DESCRIPTION
Zarafa contains a flaw that could allow remote unauthenticated attackers to crash a Zarafa installation, preventing access to any other legitimate user of Zarafa. Please note that the remote Denial of Service does not depend on the operating system used on the server nor can it be avoided or mitigated through any compile-time hardening flags or settings.
Once such an attack has been performed successfully, the Zarafa server needs to be restarted to restore access for legitimate Zarafa users - e.g. using "/usr/bin/zarafa-server -c /etc/zarafa/server.cfg".
ANALYSIS
There is NO exploitation which would allow unauthenticated remote attackers to gain root access. An affected Zarafa installation is left with a crashed zarafa-server daemon (segmentation fault) while all other Zarafa related daemons are still running. The zarafa-server process provides the MAPI in SOAP service required by all other Zarafa related components as shown here: http://doc.zarafa.com/7.1/Administrator_Manual/en-US/html/_architecture.html
Every Zarafa installation (default or non-default) is affected unless all legitimate remote use of Zarafa's MAPI in SOAP service is blocked by a firewall or disabled in the Zarafa server configuration. The MAPI in SOAP connectivity is e.g. used by all Microsoft Outlook clients that do not use IMAP but MAPI via the Zarafa Client Connector, also known as Zarafa Windows Client.
REPRODUCIBILITY
The steps to reproduce the issue are intentionally not described (at least for now) in order to avoid as many crash attacks against affected Zarafa installations as possible.
WORKAROUND
If not already in place, a firewall could be set up to restrict network access to trusted networks only, or to filter traffic using deep packet inspection. However, any firewalling may negatively affect Zarafa multi-server setups or other Zarafa use cases such as legitimate remote users.
As there is a Zarafa release available that solves this problem, an update is highly recommended instead of any of the previously mentioned workarounds.
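As an added illustration of the firewall workaround above (example code written for this page, not part of the ETES advisory or of the Zarafa project): a small POSIX shell helper that builds an iptables rule set allowing the zarafa-server MAPI in SOAP listener to be reached from loopback and a list of trusted networks only, logging a rate-limited sample of everything else before dropping it. It assumes the Zarafa defaults of TCP port 236 (plain) and 237 (SSL) as set by `server_tcp_port` and `server_ssl_port` in server.cfg; verify those against your own configuration before applying. The two CIDR ranges in the dry run at the bottom are constructed documentation addresses.

```shell
#!/bin/sh
# Added example, not code from the advisory or from Zarafa.
# Assumption: zarafa-server listens on TCP 236 (plain) and 237 (SSL), the
# server.cfg defaults; override with ZARAFA_PORTS if your setup differs.
ZARAFA_PORTS="${ZARAFA_PORTS:-236,237}"

# zarafa_firewall_rules TRUSTED_CIDR [TRUSTED_CIDR ...]
# Prints one iptables command per line (dry run). With APPLY=1 in the
# environment the commands are executed instead of printed.
zarafa_firewall_rules() {
    [ "$#" -gt 0 ] || { echo "usage: zarafa_firewall_rules CIDR [CIDR...]" >&2; return 2; }

    # Print or run a command depending on APPLY.
    _emit() {
        if [ "${APPLY:-0}" = "1" ]; then
            "$@"
        else
            printf '%s\n' "$*"
        fi
    }

    # A dedicated chain keeps the Zarafa rules separate from the rest of INPUT.
    _emit iptables -N ZARAFA_MAPI
    # Local clients (e.g. zarafa-gateway, zarafa-dagent on the same host) stay allowed.
    _emit iptables -A ZARAFA_MAPI -i lo -j ACCEPT
    # One ACCEPT rule per trusted network (Outlook LANs, multi-server peers, VPN).
    for cidr in "$@"; do
        _emit iptables -A ZARAFA_MAPI -s "$cidr" -j ACCEPT
    done
    # Log a rate-limited sample of rejected connections so probes show up in syslog.
    _emit iptables -A ZARAFA_MAPI -m limit --limit 5/min -j LOG --log-prefix "zarafa-mapi-drop:"
    _emit iptables -A ZARAFA_MAPI -j DROP
    # Route only the MAPI in SOAP ports through the chain; other services are untouched.
    _emit iptables -I INPUT -p tcp -m multiport --dports "$ZARAFA_PORTS" -j ZARAFA_MAPI
}

# Number of ACCEPT rules the rule set contains: loopback plus one per trusted network.
zarafa_accept_count() {
    zarafa_firewall_rules "$@" | grep -c -- '-j ACCEPT'
}

# Dry run for two constructed trusted networks; prints the commands without applying them.
zarafa_firewall_rules 192.0.2.0/24 198.51.100.0/24
```

Run it once without `APPLY=1` to review the generated rules, then with `APPLY=1` as root to install them; the chain is created with `-N`, so flush and delete `ZARAFA_MAPI` before re-running on a host where it already exists. The log prefix gives a simple signal in syslog for connection attempts from outside the trusted networks, which is the detection side of this workaround.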
AFFECTED VERSIONS
All versions before Zarafa 7.1.8 Beta 1 (42841).
FIXED VERSIONS
All versions after Zarafa 7.1.8 Beta 2 (43059).
CVE INFORMATION
The MITRE Corporation Common Vulnerabilities and Exposures (CVE) number CVE-2014-0037 was assigned on January 24, 2014. Currently, the following other identifications are known for this issue:
DISCLOSURE TIMELINE
- 2013-10-16: Initial discovery and vendor notification
- 2013-10-16: Initial vendor response and acknowledgement
- 2013-10-17: Vendor communicated escalation to engineering
- 2013-10-18: Reporter proposed source code patch to vendor
- 2013-11-08: Vendor provides a fixed public beta/pre-release
- 2014-01-24: Red Hat Security Response Team assigns CVE name
- 2014-01-30: Vendor releases a fixed public final version
- 2014-01-31: Coordinated public disclosure
CREDIT
This vulnerability was discovered by Robert Scheck from ETES GmbH.
ETES would like to thank Vincent Danen of the Red Hat Security Response Team for his time and support.
LEGAL NOTICES
Copyright © 2013-2014 ETES GmbH, referenced text(s) belongs to its owner(s).
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.