I discovered a flaw (CVE-2014-0079) in Zarafa that allows a remote
unauthenticated attacker to crash the zarafa-server daemon with a
segmentation fault, thereby denying access to all other legitimate
Zarafa users.
This flaw is not to be confused with CVE-2014-0037 from 2014-01-31.
Affected product: Zarafa Collaboration Platform <= 7.1.8
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
The interesting thing is that the official RPM/DEB packages provided
by Zarafa are not affected; however, all community/self-built binaries
seem to be affected (such as those shipped in Fedora and Fedora EPEL).
As I don't know the build environment at Zarafa, I did some binary
analysis, with the following results: binaries built by Zarafa contain
the objects GLIBC_2.3.4 and GLIBCXX_3.4.11, while Fedora EPEL binaries
have the objects GLIBC_2.4 and GLIBCXX_3.4.11 (this example is based
on RHEL/CentOS 6).
This leads me to the conclusion that at least GLIBC < 2.4 is used in
Zarafa's build environment. However, I unfortunately cannot exclude
that Zarafa also uses different build-time flags that have some impact.
Finally, all Zarafa binary packages in Fedora and Fedora EPEL are
affected, where RHEL/CentOS 5 (with the oldest software) ships GLIBC
2.5 and Fedora Rawhide (currently the latest) ships GLIBC 2.18.90.
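The GLIBC_x.y / GLIBCXX_x.y.z comparison above is normally done with readelf -V or objdump -T; the following Python script is an added illustration (not part of this advisory or of Zarafa) that reads the same .gnu.version_r data straight from the ELF file, for 32- and 64-bit binaries of either endianness, so it can be run on a build host without binutils. It assumes the binary's section headers have not been stripped.

```python
import struct

SHT_GNU_VERNEED = 0x6FFFFFFE  # section type of .gnu.version_r


def _cstr(buf, off):
    # NUL-terminated string out of a string table
    return buf[off:buf.index(b"\x00", off)].decode("ascii", "replace")


def required_symbol_versions(path):
    """Map each needed shared library to the symbol-version tags demanded of it.

    Walks the SHT_GNU_verneed (.gnu.version_r) section of a 32/64-bit ELF file;
    non-ELF input or an ELF without that section yields {}.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:4] != b"\x7fELF":
        return {}
    e = "<" if data[5] == 1 else ">"  # EI_DATA: little or big endian
    if data[4] == 2:  # EI_CLASS: ELF64
        shoff = struct.unpack_from(e + "Q", data, 40)[0]
        shentsize, shnum = struct.unpack_from(e + "HH", data, 58)
        fmt = e + "IIQQQQII"  # sh_name, type, flags, addr, offset, size, link, info
    else:  # ELF32
        shoff = struct.unpack_from(e + "I", data, 32)[0]
        shentsize, shnum = struct.unpack_from(e + "HH", data, 46)
        fmt = e + "IIIIIIII"
    hdrs = [struct.unpack_from(fmt, data, shoff + i * shentsize) for i in range(shnum)]
    result = {}
    for sh in hdrs:
        if sh[1] != SHT_GNU_VERNEED:
            continue
        stroff = hdrs[sh[6]][4]  # sh_link -> the string table (.dynstr); take its offset
        pos = sh[4]
        for _ in range(sh[7]):  # sh_info = number of Elfxx_Verneed records
            _, cnt, vn_file, vn_aux, vn_next = struct.unpack_from(e + "HHIII", data, pos)
            tags = result.setdefault(_cstr(data, stroff + vn_file), set())
            apos = pos + vn_aux
            for _ in range(cnt):  # Elfxx_Vernaux records: one per version tag
                _, _, _, vna_name, vna_next = struct.unpack_from(e + "IHHII", data, apos)
                tags.add(_cstr(data, stroff + vna_name))
                apos += vna_next
            pos += vn_next
    return result


def highest_glibc_tag(versions):
    """Newest GLIBC_x.y tag required from libc.so.6, or None if there is none."""
    tags = [t for t in versions.get("libc.so.6", ()) if t.startswith("GLIBC_")]
    return max(tags, default=None, key=lambda t: tuple(int(p) for p in t[6:].split(".")))
```

Running required_symbol_versions() on a Zarafa-built and a distribution-built zarafa-server and comparing highest_glibc_tag() of each gives the GLIBC_2.3.4 versus GLIBC_2.4 difference described above.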
As Zarafa has not released any update so far, downstreams should use
the following patch (which has been proposed to upstream already):
--- snip ---
--- zarafa-7.1.8/provider/libserver/ECSession.cpp 2014-01-21 15:38:53.000000000 +0100
+++ zarafa-7.1.8/provider/libserver/ECSession.cpp.rdos 2014-01-29 01:26:49.000000000 +0100
@@ -865,10 +865,10 @@
{
ECRESULT er = erSuccess;
- if (!lpszName)
+ if (!lpszName || !lpszPassword)
{
// Commandment 2: Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end.
- m_lpSessionManager->GetLogger()->Log(EC_LOGLEVEL_FATAL, "Invalid argument lpszName in call to
ECAuthSession::ValidateUserLogon()");
+ m_lpSessionManager->GetLogger()->Log(EC_LOGLEVEL_FATAL, "Invalid argument %s in call to
ECAuthSession::ValidateUserLogon()", (!lpszName) ? "lpszName" : "lpszPassword");
er = ZARAFA_E_INVALID_PARAMETER;
goto exit;
}
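Review bot: As quoted here the hunk will not apply with patch(1): the mailer has wrapped both Log() calls so that the string literal and its "ECAuthSession::ValidateUserLogon()" tail sit on separate lines, the leading indentation of the context lines is gone, and the header claims 10 old lines while only 9 are present, so one blank context line has been lost as well; use the attachment on the Red Hat Bugzilla entry referenced below instead of copying from this mail. The logic itself is sound: lpszPassword now gets the same NULL check as lpszName before either is dereferenced, the log line names whichever argument was NULL, and the function still bails out with ZARAFA_E_INVALID_PARAMETER via goto exit.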
--- snap ---
See also: https://bugzilla.redhat.com/show_bug.cgi?id=1059903 - thanks
to the Red Hat Security Response Team, specifically to Vincent Danen.
Finally, I would like to thank my employer, ETES GmbH (www.etes.de),
for allowing me to spend time researching this issue and thus to
provide a patch to upstream.
With kind regards
Robert Scheck
--
Fedora Project * Fedora Ambassador * Fedora Mentor * Fedora Packager