2.1
CWE-200

CVE-2014-5447: Infoleak

First published: Mon Aug 25 2014

Robert Scheck reported a number of issues with the default permissions in Zarafa [1]:

"1. In order to fix CVE-2014-0103 (https://access.redhat.com/security/cve/CVE-2014-0103), Zarafa introduced constants PASSWORD_KEY and PASSWORD_IV in /etc/zarafa/webaccess-ajax/config.php (Zarafa WebAccess) and /etc/zarafa/webapp/config.php (Zarafa WebApp); both are the upstream path names of a default installation, downstream names might be different. Both files have default permissions of root:root and 644, thus decryption of the symmetrically encrypted passwords in the on-disk PHP session files is possible again (similar to what was initially described in CVE-2014-0103). Affects Zarafa WebAccess >= 7.1.10, Zarafa WebApp >= 1.6 beta.

2. The log directory /var/log/zarafa/ is shipped by default with root:root and 755, and all log files created by the Zarafa daemons have by default root:root and 644. This is leaking (depending on the log level of the given service) only e.g. subject, sender/recipient, message-id, SMTP queue id of in- and outbound e-mails, but might even be a cleartext protocol dump of IMAP, POP3, CalDAV and iCal as well (including possible credentials) to any local system user. Affects Zarafa >= 5.00.

3. The directories /var/lib/zarafa-webaccess/tmp/ (Zarafa WebAccess) and /var/lib/zarafa-webapp/tmp/ (Zarafa WebApp) are readable and writable by the Apache system user by default, but also world readable for local system users (e.g. apache:apache and 755 on RHEL). Thus all the temporary session data such as uploaded e-mail attachments can be accessed read-only, because all created files below the previously mentioned directories have permissions 644, too. Upstream path names changed over time and releases. Affects Zarafa WebAccess >= 4.1, Zarafa WebApp (any version).

4. The optional (but proprietary) license daemon /usr/bin/zarafa-licensed runs by default with root permissions; the subscription/license key is put into '/etc/zarafa/license/*'. The license files are recommended (according to upstream documentation) to be created using echo(1), which usually leads to root:root and 644. But the parent directory /etc/zarafa/license/ is shipped by default with root:root and 755. As a result the key files can be accessed and copied by any local system user. Affects Zarafa >= 4.1."

[1] http://seclists.org/oss-sec/2014/q3/444
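Added here as a worked check, not code from the report or from Zarafa: a small Python audit that walks the upstream default paths the report lists, flags every entry whose "other" read bit is set, and clears those bits. `build_sample_tree` and `demo` are constructed helpers that recreate the default 755/644 layout under a temporary directory so the audit runs without a Zarafa install; `harden` is a blanket fix and may go further than a distribution package's own permission scheme.

```python
import stat
import tempfile
from pathlib import Path

# Upstream default paths from the report (downstream packages may differ), kept relative so the audit can run on a copied tree.
ZARAFA_PATHS = [
    "etc/zarafa/webaccess-ajax/config.php",  # PASSWORD_KEY / PASSWORD_IV
    "etc/zarafa/webapp/config.php",
    "var/log/zarafa",                         # daemon logs, maybe protocol dumps
    "var/lib/zarafa-webaccess/tmp",           # session data, uploaded attachments
    "var/lib/zarafa-webapp/tmp",
    "etc/zarafa/license",                     # license key files
]
OTHER_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH

def audit(root="/"):
    """Sorted (path, octal mode) of each listed path, and everything below a listed directory, readable by 'other'."""
    findings = []
    for rel in ZARAFA_PATHS:
        top = Path(root, rel)
        if not top.exists():
            continue  # not installed here, nothing to report
        for p in ([top, *top.rglob("*")] if top.is_dir() else [top]):
            mode = stat.S_IMODE(p.lstat().st_mode)
            if mode & stat.S_IROTH:
                findings.append((str(p.relative_to(root)), oct(mode)))
    return sorted(findings)

def harden(root="/"):
    """Clear all 'other' bits on each finding; returns the number of entries changed."""
    findings = audit(root)
    for rel, _ in findings:
        p = Path(root, rel)
        p.chmod(stat.S_IMODE(p.lstat().st_mode) & ~OTHER_BITS)
    return len(findings)

def build_sample_tree(root):
    """Constructed stand-in for a default install: listed directories 755, files 644."""
    for rel in ZARAFA_PATHS:
        is_file = rel.endswith("config.php")
        target = Path(root, rel) if is_file else Path(root, rel, "sample.txt")
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("constructed sample content\n")
        target.chmod(0o644)
        target.parent.chmod(0o755)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return len(audit(tmp)), harden(tmp), len(audit(tmp))
```

Running `demo()` on the constructed tree reports ten world-readable entries (two config files, four directories and the file inside each), fixes all ten, and then reports none.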

Credit: cve@mitre.org

Affected Software    Affected Version    How to fix
Zarafa WebApp        = 1.6
Zarafa Zarafa        = 7.1.10
