CVE-2014-5450: Incorrect default permission in Zarafa

On 15 August 2014 I discovered that the default directory permission of "/etc/zarafa/license/" (Zarafa Collaboration Platform) is not sufficiently restrictive. This allows a local attacker to read or copy the files containing the license keys. These license keys are required to run Zarafa with the proprietary extensions. In addition, the individual files within the directory are by default also created with insufficiently restrictive file permissions. The security advisory follows below in English:

Background

Zarafa is a leading European provider of open source groupware and collaboration software. The core product is the Zarafa Collaboration Platform (ZCP), a European open and compatible groupware platform that can be used as a drop-in Microsoft Exchange replacement for e-mail, calendaring, collaboration and tasks (origin: Zarafa company profile).

Description

Even though the Zarafa Collaboration Platform is open source groupware and collaboration software, there are multiple proprietary extensions. These proprietary Zarafa extensions are only available after purchasing a Zarafa license key for a given number of users, to be used in conjunction with the zarafa-licensed daemon/service. A typical proprietary Zarafa extension is the Zarafa Outlook Client (also known as Zarafa Windows Client, Zarafa Outlook Plugin or Zarafa Client Connector), which lets Microsoft Outlook connect via MAPI instead of IMAP. However, the default permission of the license directory is world-readable, so a local attacker could obtain a copy of the Zarafa license key(s).

CVSS v2 metrics

Analysis

There is no exploitation path that would allow unauthenticated remote attackers to gain root access. However, if an attacker obtains one or more Zarafa license keys, it is possible to run a further instance of the Zarafa Collaboration Platform with the same proprietary extensions, up to the same number of licensed users, without paying for a Zarafa subscription.

Reproducibility

Even though the following commands could be used to actively exploit and abuse this flaw, they are published only so that it can be determined whether the system in question is vulnerable or not.

robert@tux:~ > id
uid=1000(robert) gid=100(users) groups=100(users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
robert@tux:~ >

A system running the Zarafa Collaboration Platform is affected if the following command can be run as a non-privileged system user without any permission error and the license directory itself has world-readable permissions.

robert@tux:~ > ls -la /etc/zarafa/license/
total 24
drwxr-xr-x 2 root root 4096 Sep 3 10:07 .
drwxr-xr-x 8 root root 4096 Sep 9 18:04 ..
-rw-r--r-- 1 root root 26 Jul 18 2013 base
-rw-r--r-- 1 root root 18 Jan 24 2014 cal1
-rw-r--r-- 1 root root 18 Mar 19 16:34 cal2
-rw-r--r-- 1 root root 18 Aug 1 08:56 cal3

robert@tux:~ >

Workaround

Until a fixed version of the Zarafa Collaboration Platform is available (or on a system where a future update cannot be applied for other reasons), the following command can be used to correct the wrong permission.

tux:~ # chmod 750 /etc/zarafa/license/
tux:~ #

The command above is, however, only considered a workaround because a possible intermediate update of the Zarafa Collaboration Platform that does not include the fix might revert this manually corrected permission.
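The manual check in the Reproducibility section and the chmod in the Workaround section can be combined into a small audit script. The following is an added example and not part of the original advisory or of Zarafa itself; it assumes GNU coreutils (`stat -c '%a'`, Linux) and runs against a constructed directory tree with placeholder key files rather than a real installation. It also tightens the individual key files, which the introduction notes are created with insufficiently restrictive permissions as well, beyond the single chmod of the directory given above.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a directory such as
# /etc/zarafa/license/ for world-readable permissions (CVE-2014-5450)
# and show the effect of the workaround. Assumes GNU stat (-c '%a').

# world_readable PATH: returns 0 when the read bit (4) for "other" is set.
world_readable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    other=${mode#"${mode%?}"}      # last octal digit = permissions for "other"
    [ $(( other & 4 )) -ne 0 ]
}

# audit_license_dir DIR: prints every world-readable entry (the directory
# itself and each regular file inside it); returns 1 if any was found,
# 0 if the directory is correctly restricted.
audit_license_dir() {
    dir=$1
    found=0
    if world_readable "$dir"; then
        echo "world-readable directory: $dir"
        found=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if world_readable "$f"; then
            echo "world-readable file: $f"
            found=1
        fi
    done
    return $found
}

# Demo on a constructed tree mimicking the listing in the advisory.
# The key contents are placeholders, not real license keys.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/license"
    for k in base cal1 cal2 cal3; do
        echo "PLACEHOLDER-KEY-$k" > "$tmp/license/$k"
    done
    chmod 755 "$tmp/license"        # the vulnerable default from the listing
    chmod 644 "$tmp/license"/*

    echo "--- before workaround ---"
    audit_license_dir "$tmp/license" && echo "ok" || echo "VULNERABLE"

    chmod 750 "$tmp/license"        # the workaround from the advisory
    chmod 640 "$tmp/license"/*      # additionally restrict the key files

    echo "--- after workaround ---"
    audit_license_dir "$tmp/license" && echo "ok" || echo "VULNERABLE"
    rm -rf "$tmp"
}

demo
```

Run `audit_license_dir /etc/zarafa/license/` as any user to test a real system; a non-zero exit status means at least one entry is world-readable. If the zarafa-licensed daemon runs as a dedicated user rather than root (an assumption, not stated in the advisory), the group ownership of the directory must still grant that user access after the chmod, which this example does not handle.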

Affected versions

Fixed versions

CVE information

The MITRE Corporation Common Vulnerabilities and Exposures (CVE) number CVE-2014-5450 was assigned on August 25, 2014. Currently, the following other identifiers are known for this issue:

Disclosure timeline

Credit

This vulnerability was discovered, analyzed and reported by Robert Scheck.

Legal notices

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an as is condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.