Robert Scheck | Security | CVE-2014-5447: Incorrect default permissions in Zarafa

CVE-2014-5447: Incorrect default permissions in Zarafa

Am 15. August 2014 habe ich entdeckt, dass die standardmäßigen Dateiberechtigungen der Konfigurationsdateien "/etc/zarafa/webaccess-ajax/config.php" (Zarafa WebAccess) und "/etc/zarafa/webapp/config.php" (Zarafa WebApp) nicht ausreichend restriktiv genug sind und dabei die zur Beseitigung von CVE-2014-0103 ergriffenen Maßnahmen wieder aufgehoben werden. Ein lokaler Angreifer kann damit den Schlüssel zur Entschlüsselung von symmetrisch verschlüsselten Passwörtern der Zarafa-Benutzer erlangen. Nachfolgend das Security Advisory in englischer Sprache:

Background

Zarafa is a leading European provider of open source groupware and collaboration software. The core product is the Zarafa Collaboration Platform (ZCP), an European open and compatible groupware platform that can be used as a drop-in Microsoft Exchange replacement for e-mail, calendaring, collaboration and tasks (origin: Zarafa company profile).

Description

For accessing e-mails, calendars, contacts and tasks of the groupware platform via the web, Zarafa provides the Zarafa WebAccess and the Zarafa WebApp as clients/frontends. The Zarafa WebApp is a fork and the successor of the Zarafa WebAccess. Both web clients/frontends have server-side configuration files which contain keys to encrypt user passwords before they are saved in on-disk PHP session files. This encryption was introduced to address CVE-2014-0103. But the default permissions of these configuration files are world-readable, thus a local attacker could decrypt the symmetric encrypted passwords from the on-disk PHP session files again.

CVSS v2 metrics

Base Score: 2.1
Base Metrics: AV:L/AC:L/Au:N/C:P/I:N/A:N
Access Vector: Local
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

Analysis

There is no exploitation which would allow unauthenticated remote attackers to gain root access. However Zarafa supports different user backends, such as LDAP. If an attacker gains user credentials originating from an LDAP more wide access might be possible. Additionally the attacker is in any case and independent of the user backend able to use the gained user credentials to authenticate against Zarafa.

Reproducability

Even the following commands could be used to actively exploit and abuse this flaw they are only made public to analyze if the system in question is vulnerable or not.

robert@tux:~ > id
uid=1000(robert) gid=100(users) groups=100(users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
robert@tux:~ >

A system with Zarafa WebAccess is affected if the following command can be run as non-privileged system user without any permission error and the configuration file has world readable permissions.

robert@tux:~ > ls -la /etc/zarafa/webaccess-ajax/
total 20 drwxr-xr-x. 2 root root 4096 Sep 9 17:12 . drwxr-xr-x. 8 root root 4096 Sep 9 17:12 .. -rw-r--r--. 1 root root 9138 Sep 9 17:12 config.php
robert@tux:~ >

When using Zarafa WebApp rather Zarafa WebAccess the following command can be used. The system is affected if the last configuration file has world readable permissions.

robert@tux:~ > ls -la /etc/zarafa/webapp/
total 60 drwxr-xr-x. 2 root root 4096 Sep 9 17:12 . drwxr-xr-x. 8 root root 4096 Sep 9 17:12 .. -rw-r--r--. 1 root root 75 Sep 3 10:55 config-browsercompatibility.php -rw-r--r--. 1 root root 68 Sep 3 10:56 config-example.php -rw-r--r--. 1 root root 61 Sep 3 10:56 config-extbox.php -rw-r--r--. 1 root root 63 Sep 3 10:56 config-feedback.php -rw-r--r--. 1 root root 60 Sep 3 10:56 config-pdfbox.php -rw-r--r--. 1 root root 302 Sep 3 10:56 config-statslogging.php -rw-r--r--. 1 root root 225 Sep 3 10:56 config-webappmanual.php -rw-r--r--. 1 root root 66 Sep 3 10:57 config-webodf.php -rw-r--r--. 1 root root 500 Sep 3 10:57 config-xmpp.php -rw-r--r--. 1 root root 68 Sep 3 10:57 config-zdeveloper.php -rw-r--r--. 1 root root 70 Sep 3 10:57 config-zperformance.php -rw-r--r--. 1 root root 6754 Aug 27 22:46 config.php
robert@tux:~ >

Workaround

Until a fixed version of the Zarafa WebAccess is available (or for a system where a possible future update can not be applied for different reasons) the following commands can be used to correct the wrong permissions.

tux:~ # chown -R --reference=/var/lib/zarafa-webaccess/tmp/ /etc/zarafa/webaccess-ajax/
tux:~ # chown -R root /etc/zarafa/webaccess-ajax/
tux:~ # chmod 750 /etc/zarafa/webaccess-ajax/
tux:~ # chmod 640 /etc/zarafa/webaccess-ajax/*
tux:~ #

When using Zarafa WebApp rather Zarafa WebAccess the following commands can be used to correct the wrong permissions.

tux:~ # chown -R --reference=/var/lib/zarafa-webapp/tmp/ /etc/zarafa/webapp/
tux:~ # chown -R root /etc/zarafa/webapp/
tux:~ # chmod 750 /etc/zarafa/webapp/
tux:~ # chmod 640 /etc/zarafa/webapp/*
tux:~ #

Both command sections above are however only treated as a workaround because a possible non-fixed intermediate update of Zarafa WebAccess or Zarafa WebApp might revert these manually corrected permissions again.

Affected versions

Zarafa WebAccess 7.1.10 Beta 1 (44846), released 2014-05-12
Zarafa WebAccess 7.1.10 RC 1 (44973), released 2014-05-26
Zarafa WebAccess 7.1.10 Final (44973), released 2014-06-03
Zarafa WebAccess 7.1.11 Beta 1 (45653), released 2014-08-07
Zarafa WebAccess 7.1.11 Final (45875), released 2014-08-26
Zarafa WebAccess 7.1.11 Final R1 (46050), released 2014-09-05
Zarafa WebAccess 7.1.12 Beta 1 (47484), released 2015-01-16

Zarafa WebApp 1.6 Beta 1 (45198), released 2014-06-17
Zarafa WebApp 1.6 Beta 2 (45312), released 2014-07-01
Zarafa WebApp 1.6 Final (45357), released 2014-07-21
Zarafa WebApp 1.6.1 Final (46039), released 2014-09-02

Zarafa WebApp 2.0 Beta 1 (46301)
Zarafa WebApp 2.0 Beta 2 (46339), released 2014-09-30
Zarafa WebApp 2.0 Beta 3 (46848), released 2014-11-20
Zarafa WebApp 2.0 Beta (47004), released 2014-12-05
Zarafa WebApp 2.0 Beta (47017), released 2014-12-08
Zarafa WebApp 2.0 RC 1 (47260), released 2014-12-24
Zarafa WebApp 2.0 Final (47678), released 2015-01-27
Zarafa WebApp 2.0.1 Final (47791), released 2015-02-06
Zarafa WebApp 2.0.2 Final (47834), released 2015-02-09

Fixed versions

Zarafa WebAccess 7.1.12 Beta 2 (48455), released 2015-03-20
Zarafa WebAccess 7.1.12 Final (48726), released 2015-04-07
Zarafa WebAccess 7.1.12 Final R1 (49411), released 2015-05-08

Zarafa WebAccess 7.2.0 Beta 1 (46984), released 2014-12-05
Zarafa WebAccess 7.2.0 Beta 1 (47004), released 2014-12-05
Zarafa WebAccess 7.2.0 Beta 2 (47829), released 2015-02-09
Zarafa WebAccess 7.2.0 Final (48204), released 2015-03-05

Zarafa WebApp 2.0 Final (47486), released 2015-01-15
Zarafa WebApp 2.0.2 Final (48619), released 2015-04-02

CVE information

The MITRE Corporation Common Vulnerabilities and Exposures (CVE) number CVE-2014-5447 was assigned on August 25, 2014. Currently, the following other identifications are known for this issue:

Disclosure timeline

2014-08-15: Initial vulnerability discovery
2014-08-24: Coordinated public disclosure
2014-08-25: Initial vendor notification, response and acknowledgement
2014-08-25: MITRE CVE assignment team assignes CVE name
2014-12-05: Vendor provides a fixed public beta/pre-release
2015-03-05: Vendor releases a fixed public final version

Credit

This vulnerability was discovered, analyzed and reported by Robert Scheck.

Legal notices

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an as is condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.