oss-sec mailing list archives
CVE-2014-0079: Unauthenticated remote denial of service flaw in Zarafa
From: Robert Scheck <robert () fedoraproject org>
Date: Thu, 13 Feb 2014 03:33:37 +0100
Hello,

I discovered a flaw (CVE-2014-0079) in Zarafa that allows a remote unauthenticated attacker to crash the zarafa-server daemon with a segmentation fault, preventing access for any other legitimate Zarafa users. This flaw is not to be confused with CVE-2014-0037 from 2014-01-31.

Affected product: Zarafa Collaboration Platform <= 7.1.8
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete

The interesting thing is that the official RPM/DEB packages provided by Zarafa are not affected; however, all community/self-built binaries seem to be affected (such as those shipped e.g. in Fedora and Fedora EPEL). As I don't know the build environment at Zarafa, I tried to do binary analysis with the following results: binaries built by Zarafa contain the objects GLIBC_2.3.4 and GLIBCXX_3.4.11, while Fedora EPEL binaries have the objects GLIBC_2.4 and GLIBCXX_3.4.11 (this example is based on RHEL/CentOS 6). This leads me to the conclusion that at least GLIBC < 2.4 is used in Zarafa's build environment. However, I unfortunately cannot exclude that Zarafa also uses different build-time flags having some impact, too. Finally, all Zarafa binary packages in Fedora and Fedora EPEL are affected, where RHEL/CentOS 5 (with the oldest software) ships GLIBC 2.5 and Fedora Rawhide ships GLIBC 2.18.90 (currently the latest).

As Zarafa has not released any update so far, downstreams should use the following patch (which has already been proposed to upstream):

--- snip ---
--- zarafa-7.1.8/provider/libserver/ECSession.cpp 2014-01-21 15:38:53.000000000 +0100
+++ zarafa-7.1.8/provider/libserver/ECSession.cpp.rdos 2014-01-29 01:26:49.000000000 +0100
@@ -865,10 +865,10 @@ { ECRESULT er = erSuccess; - if (!lpszName) + if (!lpszName || !lpszPassword) { // Commandment 2: Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end. - m_lpSessionManager->GetLogger()->Log(EC_LOGLEVEL_FATAL, "Invalid argument lpszName in call to ECAuthSession::ValidateUserLogon()"); + m_lpSessionManager->GetLogger()->Log(EC_LOGLEVEL_FATAL, "Invalid argument %s in call to ECAuthSession::ValidateUserLogon()", (!lpszName) ? "lpszName" : "lpszPassword"); er = ZARAFA_E_INVALID_PARAMETER; goto exit; } --- snap --- See also: https://bugzilla.redhat.com/show_bug.cgi?id=1059903 - thanks to the Red Hat Security Response Team, specifically to Vincent Danen. I finally would like to thank my employer, the ETES GmbH (www.etes.de), who allowed me to spend time to research this issue and thus to provide a patch to upstream. With kind regards Robert Scheck -- Fedora Project * Fedora Ambassador * Fedora Mentor * Fedora Packager
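Review bot: The added `!lpszPassword` guard in the `if` at the top of the hunk is the right fix, but the message is still logged at EC_LOGLEVEL_FATAL for a condition that, per the advisory, any unauthenticated remote client can trigger at will, so one peer can fill the server log at the highest severity; consider logging this at a lower level (or rate-limiting it) and adding a short comment next to the check referencing CVE-2014-0079, so the reason a NULL password must be rejected here survives future refactoring. The `%s` with the `(!lpszName) ? "lpszName" : "lpszPassword"` selector is fine, though when both pointers are NULL only lpszName is reported; that is acceptable since the caller is rejected either way.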
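To illustrate the guard the patch adds, here is an added, self-contained C++ sketch (not Zarafa's code) of a logon validator shaped like ECAuthSession::ValidateUserLogon(): the hypothetical ValidateUserLogon() below checks credentials against a constructed in-memory user table and, like the patched code, rejects a NULL name or password with an invalid-parameter result instead of dereferencing it; the result-code values are assumptions.

```cpp
#include <cstdio>
#include <cstring>
#include <map>
#include <string>

// Result codes modelled on the ECRESULT names used in the patch
// (the numeric values are assumptions, not Zarafa's).
enum Result { erSuccess = 0, ZARAFA_E_INVALID_PARAMETER = 1, ZARAFA_E_NO_ACCESS = 2 };

// Constructed sample user table standing in for the real user backend.
static const std::map<std::string, std::string> kUsers = {
    {"alice", "correct horse"},
};

// Hypothetical stand-in for ECAuthSession::ValidateUserLogon().
// A remote client controls both pointers. Before the patch only lpszName
// was checked, so a logon request carrying no password reached code that
// dereferenced the NULL password pointer and crashed the daemon.
Result ValidateUserLogon(const char *lpszName, const char *lpszPassword)
{
    if (!lpszName || !lpszPassword) {
        // Commandment 2: thou shalt not follow the NULL pointer.
        std::fprintf(stderr,
                     "Invalid argument %s in call to ValidateUserLogon()\n",
                     (!lpszName) ? "lpszName" : "lpszPassword");
        return ZARAFA_E_INVALID_PARAMETER;
    }
    // Both pointers are valid from here on, so string handling is safe.
    auto it = kUsers.find(lpszName);
    if (it == kUsers.end() || std::strcmp(it->second.c_str(), lpszPassword) != 0)
        return ZARAFA_E_NO_ACCESS;  // unknown user or wrong password, no crash
    return erSuccess;
}

int main()
{
    // The pre-patch logic would segfault on the first call instead of returning 1.
    std::printf("name, no password -> %d\n", ValidateUserLogon("alice", NULL));
    std::printf("no name           -> %d\n", ValidateUserLogon(NULL, "x"));
    std::printf("wrong password    -> %d\n", ValidateUserLogon("alice", "x"));
    std::printf("valid logon       -> %d\n", ValidateUserLogon("alice", "correct horse"));
    return 0;
}
```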