Zarafa Collaboration Platform <= 7.1.7 remote crash

2014.02.01

Credit: Michael Kromer

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2014-0037

CWE: CWE-20

CVSS Base Score: 5/10

Impact Subscore: 2.9/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: None

Integrity impact: None

Availability impact: Partial

CVE-2014-0037

Affected product: Zarafa Collaboration Platform <= 7.1.7

Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete

A flaw in Zarafa has been discovered that allows a remote unauthenticated attacker to crash the zarafa-server daemon 
with a segmentation fault, preventing access to any other legitimate Zarafa users. This flaw has been fixed beginning 
with the release of Zarafa 7.1.8 beta2 ( http://download.zarafa.com/community/beta/7.1/7.1.8beta2-43059/ ). We 
encourage any users of Zarafa to update to this new version or apply the patch supplied below.

Zarafa would like to thank Robert Scheck from ETES (http://www.etes.de) for discovering and reporting this issue.

Index: provider/libserver/ECSession.cpp
===================================================================
diff -u -N -r41872 -r42919
--- provider/libserver/ECSession.cpp    (.../ECSession.cpp)     (revision 41872)
+++ provider/libserver/ECSession.cpp    (.../ECSession.cpp)     (revision 42919)
@@ -846,6 +846,13 @@
 {
        ECRESULT er = erSuccess;
        
+       if (!lpszName)
+       {
+               // Commandment 2: Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end.
+               m_lpSessionManager->GetLogger()->Log(EC_LOGLEVEL_FATAL, "Invalid argument lpszName in call to 
ECAuthSession::ValidateUserLogon()");
+               er = ZARAFA_E_INVALID_PARAMETER;
+               goto exit;
+       }
        // SYSTEM can't login with user/pass
        if(stricmp(lpszName, ZARAFA_ACCOUNT_SYSTEM) == 0) {
                er = ZARAFA_E_NO_ACCESS;
@@ -888,6 +895,12 @@
        char                    *localAdminUsers = NULL;
 #endif
 
+       if (!lpszName)
+       {
+               m_lpSessionManager->GetLogger()->Log(EC_LOGLEVEL_FATAL, "Invalid argument lpszName in call to 
ECAuthSession::ValidateUserSocket()");
+               er = ZARAFA_E_INVALID_PARAMETER;
+               goto exit;
+       }
        p = m_lpSessionManager->GetConfig()->GetSetting("allow_local_users");
        if (p && !stricmp(p, "yes")) {
                allowLocalUsers = true;


--
Mit freundlichen Gren,
Best regards,
Met vriendelijke groet,
Sinc&#232;rement,
Cordiali saluti,
Atentamente,

Michael Kromer
VP Products & Architecture

[T] +49 179 9300840
[E] m.kromer () zarafa com
------------------------------------------------- 
Zarafa: Open - Compatible - Enterprise

References:

http://seclists.org/oss-sec/2014/q1/199

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Zarafa Collaboration Platform <= 7.1.7 remote crash

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.