Robert Scheck

• Homepage
• Linux
• Internet
• Security
  • Advisories
  • Suchen
• IRC-Chat
• Tools
• FTP
• Kontakt
• Links

RSC-SA-2014-0008: Vulnerable YUI charts in Zarafa

Am 27. August 2014 habe ich entdeckt, dass die standardmäßig von der Zarafa WebApp im Rahmen von Ext JS mitgelieferte Drittsoftware "YUI charts", welche eine Flash-Datei namens "charts.swf" umfasst, für die bereits bekannten Schwachstelle CVE-2010-4207 oder CVE-2012-5881 (je nach Version) verwundbar ist - auch wenn die Flash-Datei nicht von der Zarafa WebApp verwendet wird. Nachfolgend das Security Advisory in englischer Sprache:

Background

Zarafa is a leading European provider of open source groupware and collaboration software. The core product is the Zarafa Collaboration Platform (ZCP), an European open and compatible groupware platform that can be used as a drop-in Microsoft Exchange replacement for e-mail, calendaring, collaboration and tasks (origin: Zarafa company profile).

Description

For accessing e-mails, calendars, contacts and tasks of the groupware platform via the web, Zarafa provides the Zarafa WebAccess and the Zarafa WebApp as clients/frontends. The Zarafa WebApp is a fork and the successor of the Zarafa WebAccess. The browser/client side of the Zarafa WebApp is technically based on the JavaScript application framework Ext JS by Sencha Inc. which includes and uses the The Yahoo! User Interface Library (short: YUI) including an Adobe Flash based file charts.swf. This third party Adobe Flash file is meanwhile known to be vulnerable for multiple XSS flaws even it is just delivered and not actively used by the Zarafa WebApp.

Analysis

There is no exploitation which would allow unauthenticated remote attackers to gain root access. However, these XSS vulnerabilities in YUI charts may enable attackers to inject client-side scripts into the Zarafa WebApp to e.g. bypass access controls such as the same origin policy which could lead to information leaks or further attacks might be possible.

Reproducability

Even the following commands could be used to actively exploit and abuse this flaw they are only made public to analyze if the system in question is vulnerable or not. A system with e.g. Zarafa WebApp 1.4 (or older) is affected if the following command proofs the existence of the file /usr/share/zarafa-webapp/client/extjs/resources/charts.swf:

tux:~ # ls -l /usr/share/zarafa-webapp/client/extjs/resources/
total 96
-rw-r--r--. 1 root root 81768 Sep 28 2013 charts.swf
drwxr-xr-x. 2 root root 4096 Nov 5 2013 css
-rw-r--r--. 1 root root 4823 Sep 28 2013 expressinstall.swf
drwxr-xr-x. 3 root root 4096 Sep 28 2013 images
tux:~ #

Alternatively the command md5sum can be used to calculate a checksum which can be verified using YUI's Security Bulletin: Addressing a Vulnerability in YUI 2.4.0 through YUI 2.9.0 if the file is affected or not:

tux:~ # md5sum /usr/share/zarafa-webapp/client/extjs/resources/charts.swf
59c6e2c9ae7de87f11dd3db3336de8b6 /usr/share/zarafa-webapp/client/extjs/resources/charts.swf
tux:~ #

A system with e.g. Zarafa WebApp 1.5 is affected if the following command proofs the existence of the file /usr/share/zarafa-webapp/client/extjs/resources/charts.swf:

tux:~ # ls -l /usr/share/zarafa-webapp/client/extjs/resources/
total 100
-rw-r--r-- 1 root root 81653 Jan 30 2014 charts.swf
drwxr-xr-x 2 root root 4096 Feb 7 2014 css
-rw-r--r-- 1 root root 4823 Jan 30 2014 expressinstall.swf
drwxr-xr-x 3 root root 4096 Jan 30 2014 images
tux:~ #

Alternatively the command md5sum can be used to calculate a checksum which can be verified using YUI's Security Bulletin: Addressing a Vulnerability in YUI 2.4.0 through YUI 2.9.0 if the file is affected or not:

tux:~ # md5sum /usr/share/zarafa-webapp/client/extjs/resources/charts.swf
923c8afe50fc45ed42d92d6ab83b11f6 /usr/share/zarafa-webapp/client/extjs/resources/charts.swf
tux:~ #

Workaround

Until a fixed version of the Zarafa WebApp is available (or for a system where a possible future update can not be applied for different reasons) the following command can be used to remove the vulnerable YUI charts.swf library:

tux:~ # rm -f /usr/share/zarafa-webapp/client/extjs/resources/charts.swf
tux:~ #

The command above is however only treated as a workaround because a possible non-fixed intermediate update of Zarafa WebApp might reintroduce the vulnerability again.

Solution

As there are fixed releases of the Zarafa WebApp available, an update is highly recommented over any workaround.

Affected versions

• Zarafa WebApp 1.0 TP (27895), released 2011-06-28
• Zarafa WebApp 1.0 TP, released 2011-07-28
• Zarafa WebApp 1.0 TP, released 2011-09-06
• Zarafa WebApp 1.0 TP, released 2011-12-20
• Zarafa WebApp 1.0 Final (33778), released 2012-04-12
• Zarafa WebApp 1.1 Final (35292), released 2012-06-20
• Zarafa WebApp 1.2 TP (36382), released 2012-08-07
• Zarafa WebApp 1.2 Final (37787), released 2012-10-26
• Zarafa WebApp 1.2.1 Final (37967), released 2012-10-26
• Zarafa WebApp 1.2.2 Final (39122), released 2012-12-07
• Zarafa WebApp 1.3 Final (41013), released 2013-02-12
• Zarafa WebApp 1.3.1 Final (41348), released 2013-02-22
• Zarafa WebApp 1.3.2 Final (42118), released 2013-09-19
• Zarafa WebApp 1.4 Alpha (42030), released 2013-06-20
• Zarafa WebApp 1.4 Beta (42591), released 2013-09-06
• Zarafa WebApp 1.4 Final (42633), released 2013-10-03
• Zarafa WebApp 1.5 Beta (43468), released 2013-12-20
• Zarafa WebApp 1.5 Final (43477), released 2014-01-22

Fixed versions

• Zarafa WebApp 1.6 Beta 1 (45198), released 2014-06-17
• Zarafa WebApp 1.6 Beta 2 (45312), released 2014-07-01
• Zarafa WebApp 1.6 Final (45357), released 2014-07-21
• Zarafa WebApp 1.6.1 Final (46039), released 2014-09-02

CVE information

The MITRE Corporation Common Vulnerabilities and Exposures (CVE) number CVE-2010-4207 was assigned on November 7, 2010. The MITRE Corporation Common Vulnerabilities and Exposures (CVE) number CVE-2012-5881 was assigned on November 16, 2012. Currently, the following other identifications are known for this issue:

• MITRE CVE-2010-4207
• MITRE CVE-2012-5881
• RSC-SA-2014-0008
• OSS-SEC 2014/Q3/462

Disclosure timeline

• 2010-11-07: MITRE CVE assignment team assignes CVE name
• 2012-11-16: MITRE CVE assignment team assignes CVE name
• 2014-06-17: Vendor provides a fixed public beta/pre-release
• 2014-07-21: Vendor releases a fixed public final version
• 2014-08-27: Initial vulnerability verification for Zarafa WebApp
• 2014-08-28: Initial vendor notification, response and acknowledgement
• 2014-08-28: Coordinated public disclosure

Credit

Zarafa being affected by this known vulnerability was discovered, analyzed and reported by Robert Scheck.

The vulnerability itself was discovered, analyzed and reported by the YUI Team.

Legal notices

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an as is condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.