Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20140213023337.GA11142@hurricane.linuxnetz.de>
Date: Thu, 13 Feb 2014 03:33:37 +0100
From: Robert Scheck <robert@...oraproject.org>
To: Open Source Security Mailing List <oss-security@...ts.openwall.com>
Cc: Red Hat Security Response Team <secalert@...hat.com>
Subject: CVE-2014-0079: Unauthenticated remote denial of service flaw in
 Zarafa

Hello,

I discovered a flaw (CVE-2014-0079) in Zarafa that allows a remote
unauthenticated attacker to crash the zarafa-server daemon with a
segmentation fault, preventing access to any other legitimate Zarafa
users.

This flaw is not to be confused with CVE-2014-0037 from 2014-01-31.

Affected product: Zarafa Collaboration Platform <= 7.1.8

Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete

The interesting thing is that the official RPM/DEB packages provided
by Zarafa are not affected, however all community/self-build binaries
seem to be affected (such as shipped e.g. in Fedora and Fedora EPEL).

As I don't know the build environment at Zarafa, I tried to do binary
analysis with the following results: Binaries built by Zarafa contain
the objects GLIBC_2.3.4 and GLIBCXX_3.4.11 while Fedora EPEL binaries
have the objects GLIBC_2.4 and GLIBCXX_3.4.11 (this example is based
on RHEL/CentOS 6).

This leads me to the conclusion that at least GLIBC < 2.4 is used in
Zarafa's build environment. However I unfortunately can not exclude
that Zarafa also uses different build-time flags having some impact,
too. Finally all Zarafa binary packages in Fedora and Fedora EPEL are
affected where RHEL/CentOS 5 (with the oldest software) ships GLIBC
2.5 and Fedora Rawhide ships GLIBC 2.18.90 (currently as the latest).

As Zarafa has not released any update so far, downstreams should use
the following patch (which has been proposed to upstream already):

--- snip ---
--- zarafa-7.1.8/provider/libserver/ECSession.cpp        2014-01-21 15:38:53.000000000 +0100
+++ zarafa-7.1.8/provider/libserver/ECSession.cpp.rdos   2014-01-29 01:26:49.000000000 +0100
@@ -865,10 +865,10 @@
 {
 	ECRESULT er = erSuccess;
 
-    if (!lpszName)
+    if (!lpszName || !lpszPassword)
     {
         // Commandment 2: Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end.
-		m_lpSessionManager->GetLogger()->Log(EC_LOGLEVEL_FATAL, "Invalid argument lpszName in call to ECAuthSession::ValidateUserLogon()");
+		m_lpSessionManager->GetLogger()->Log(EC_LOGLEVEL_FATAL, "Invalid argument %s in call to ECAuthSession::ValidateUserLogon()", (!lpszName) ? "lpszName" : "lpszPassword");
 		er = ZARAFA_E_INVALID_PARAMETER;
 		goto exit;
     }
--- snap ---

See also: https://bugzilla.redhat.com/show_bug.cgi?id=1059903 - thanks
to the Red Hat Security Response Team, specifically to Vincent Danen.

I finally would like to thank my employer, the ETES GmbH (www.etes.de),
who allowed me to spend time to research this issue and thus to provide
a patch to upstream.


With kind regards

Robert Scheck
-- 
Fedora Project * Fedora Ambassador * Fedora Mentor * Fedora Packager

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.