Ausdruck von www.etes.de am 04.12.2016
CVE-2014-0037: Security Advisory für Zarafa
Gepostet am 31. Januar 2014 von Robert Scheck in „Know-How“ Kommentare 0
Im Oktober 2013 habe ich bei der Zarafa Collaboration Platform (ZCP), einer Open-Source-Groupware-Suite, die volle Kollaboration bei E-Mail, Kalender, Kontakten und Aufgaben ermöglicht und als Alternative zu Microsoft Exchange verwendet werden kann, eine Schwachstelle entdeckt, welche sich aus der Ferne ausnutzen lässt. Diese Verwundbarkeit wurde von Zarafa (nach Bereitstellung eines Patches durch mich) im Januar 2014 behoben. Nachfolgend unser Security Advisory mit weiteren Details:
Remote Denial of Service flaw at Zarafa Collaboration Platform
ETES GmbH Security Advisory; January 31, 2014
Zarafa, often also referred as Zarafa Collaboration Platform (ZCP), is an Open Source groupware suite which enables full collaboration of e-mail, calendaring, contacts and tasks. ZCP is used and well-known as a drop-in Microsoft Exchange replacement (origin: Zarafa Netherlands).
Zarafa contains a flaw that could allow remote unauthenticated attackers to crash a Zarafa installation, preventing access to any other legitimate user of Zarafa. Please note that the remote Denial of Service does not depend on the operating system used on the server nor can it be avoided or mitigated through any compile-time hardening flags or settings.
Once such an attack was successfully performed, the Zarafa server needs to be started again to provide access to legitimate Zarafa users - e.g. using "/usr/bin/zarafa-server -c /etc/zarafa/server.cfg".
There is NO exploitation which would allow unauthenticated remote attackers to gain root access. An affected Zarafa installation is left with a crashed zarafa-server daemon (segmentation fault) while all other Zarafa related daemons are still running. The zarafa-server process provides the MAPI in SOAP service required by all other Zarafa related components as shown here: http://doc.zarafa.com/7.1/Administrator_Manual/en-US/html/_architecture.html
Every Zarafa installation (default or non-default) is affected except any legitimate remote usage of Zarafa's MAPI in SOAP is disabled via firewall or the Zarafa server configuration. The MAPI in SOAP connectivity is e.g. used by all Microsoft Outlook clients when not using IMAP but MAPI via the Zarafa Client Connector also known as Zarafa Windows Client.
The reproducability is intentionally not described (at least for now) to really avoid as much Zarafa crash attacks of affected Zarafa installations as possible.
If not implemented so far, a firewall could be set up to restrict network access to either only trusted networks or by using deep packet inspection. However any firewalling may negatively affect Zarafa multi-server setups or other usecases of Zarafa such as e.g. legitimate remote users.
As there is a Zarafa release available solving this problem, an update is highly recommented instead of any previously mentioned workaround.
All versions before Zarafa 7.1.8 Beta 1 (42841).
All versions after Zarafa 7.1.8 Beta 2 (43059).
The MITRE Corporation Common Vulnerabilities and Exposures (CVE) number CVE-2014-0037 was assigned on January 24, 2014. Currently, the following other identifications are known for this issue:
- 2013-10-16: Initial discovery and vendor notification
- 2013-10-16: Initial vendor response and acknowledgement
- 2013-10-17: Vendor communicated escalation to engineering
- 2013-10-18: Reporter proposed source code patch to vendor
- 2013-11-08: Vendor provides a fixed public beta/pre-release
- 2014-01-24: Red Hat Security Response Team assignes CVE name
- 2014-01-30: Vendor releases a fixed public final version
- 2014-01-31: Coordinated public disclosure
This vulnerability was discovered by Robert Scheck from ETES GmbH.
ETES would like to thank Vincent Danen of the Red Hat Security Response Team for his time and support.
Copyright © 2013-2014 ETES GmbH, referenced text(s) belongs to its owner(s).
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.