RSC-SA-2014-0009: Vulnerable SWFUpload in Zarafa
Am 7. September 2014 habe ich entdeckt, dass die standardmäßig vom Zarafa WebAccess mitgelieferte Drittsoftware "SWFUpload", welche eine Flash-Datei namens "swfupload.swf" enthält, die zum einfachen Hochladen von Dateien für E-Mail-Anhänge per "Drag and Drop" vom Desktop in den Browser verwendet wird, für die bereits bekannten Schwachstellen CVE-2012-3414 und CVE-2013-2205 verwundbar ist. Nachfolgend das Security Advisory in englischer Sprache:
Background
Zarafa is a leading European provider of open source groupware and collaboration software. The core product is the Zarafa Collaboration Platform (ZCP), an European open and compatible groupware platform that can be used as a drop-in Microsoft Exchange replacement for e-mail, calendaring, collaboration and tasks (origin: Zarafa company profile).
Description
For accessing e-mails, calendars, contacts and tasks of the groupware platform via the web, Zarafa provides the Zarafa WebAccess as client/frontend. To allow Zarafa users a more easy upload of e-mail attachments using drag and drop from the desktop to the browser an Adobe Flash based third party multi-upload feature was added. But this third party Adobe Flash file is meanwhile known to be vulnerable for multiple XSS flaws.
Analysis
There is no exploitation which would allow unauthenticated remote attackers to gain root access. However, these XSS vulnerabilities in "SWFUpload" may enable attackers to inject client-side scripts into the Zarafa WebAccess to e.g. bypass access controls such as the same origin policy which could lead to information leaks or further attacks might be possible.
Reproducability
Even the following commands could be used to actively exploit and abuse this flaw they are only made public to analyze if the system in question is vulnerable or not. The system is affected if the following command proofs the existence of the file /usr/share/zarafa-webaccess/client/widgets/swfupload/swfupload.swf:
tux:~ # ls -l /usr/share/zarafa-webaccess/client/widgets/swfupload/
total 80
-rw-r--r--. 1 root root 1621 Sep 3 09:56 swfupload.cookies.js
-rw-r--r--. 1 root root 38709 Sep 3 09:56 swfupload.js
-rw-r--r--. 1 root root 3382 Sep 3 09:56 swfupload.queue.js
-rw-r--r--. 1 root root 12787 Sep 3 09:56 swfupload.swf
-rw-r--r--. 1 root root 13738 Sep 3 09:56 swfupload.swfobject.js
tux:~ #
Alternatively the command md5sum can be used to calculate a checksum which can be verified using e.g. the blog article Vulnerable SWF Bundled in 40 Wordpress Plugins if the file is affected or not:
tux:~ # md5sum /usr/share/zarafa-webaccess/client/widgets/swfupload/swfupload.swf
3a1c6cc728dddc258091a601f28a9c12 /usr/share/zarafa-webaccess/client/widgets/swfupload/swfupload.swf
tux:~ #
Workaround
Until a fixed version of the Zarafa WebAccess is available (or for a system where a possible future update can not be applied for different reasons) the following command can be used to replace the vulnerable SWFUpload by the secure SWFUpload fork maintained by WordPress:
tux:~ # wget -q https://github.com/WordPress/secure-swfupload/raw/master/core/Flash/swfupload.swf -O /usr/share/zarafa-webaccess/client/widgets/swfupload/swfupload.swf
tux:~ #
Alternatively the vulnerable SWFUpload can be completely removed using the following commands.
tux:~ # sed -e 's@\(define("ENABLE_MULTI_UPLOAD",\) .*@// Do NOT change, hotfix from RSC-SA-2014-0009 applied\n\t\1 false);@' -i /etc/zarafa/webaccess-ajax/config.php
tux:~ # rm -rf /usr/share/zarafa-webaccess/client/widgets/swfupload/
tux:~ #
Both command sections above are however only treated as a workaround because a possible non-fixed intermediate update of Zarafa WebAccess might reintroduce the vulnerability again.
Solution
As there are fixed releases of the Zarafa WebAccess available, an update is highly recommented over any workaround.
Affected versions
- Zarafa WebAccess 6.40.4 Beta 1 (23477), released 2010-11-11
- Zarafa WebAccess 6.40.4 Beta 2 (23895), released 2010-11-19
- Zarafa WebAccess 6.40.4 Beta 3 (24031), released 2010-11-26
- Zarafa WebAccess 6.40.4 Beta 4 (24179), released 2010-12-07
- Zarafa WebAccess 6.40.4 Final (24200), released 2010-12-03
- Zarafa WebAccess 6.40.4 Final (24121), released 2010-12-10
- Zarafa WebAccess 6.40.5 Beta 1 (24479), released 2010-12-28
- Zarafa WebAccess 6.40.5 Beta 2 (24764), released 2011-01-14
- Zarafa WebAccess 6.40.5 Final (24860), released 2011-01-25
- Zarafa WebAccess 6.40.6 Beta 1, released 2011-02-08
- Zarafa WebAccess 6.40.6 Beta 2, released 2011-02-28
- Zarafa WebAccess 6.40.6 Final (25584), released 2011-03-10
- Zarafa WebAccess 6.40.7 Beta 1, released 2011-03-23
- Zarafa WebAccess 6.40.7 Final (26119), released 2011-03-29
- Zarafa WebAccess 6.40.8 Beta 1, released 2011-05-06
- Zarafa WebAccess 6.40.8 Final (27223), released 2011-05-20
- Zarafa WebAccess 6.40.9 Beta 1 (27453), released 2011-06-06
- Zarafa WebAccess 6.40.9 Final (27553), released 2011-06-08
- Zarafa WebAccess 6.40.10 Beta 1, released 2011-07-11
- Zarafa WebAccess 6.40.10 Final (28214), released 2011-07-21
- Zarafa WebAccess 6.40.11 Beta 1 (28776), released 2011-08-19
- Zarafa WebAccess 6.40.11 Final (289659, released 2011-08-31
- Zarafa WebAccess 6.40.12 Beta 1 (29729), released 2011-10-10
- Zarafa WebAccess 6.40.12 Final (29942), released 2011-10-20
- Zarafa WebAccess 6.40.13 Beta 1 (30596), released 2011-11-21
- Zarafa WebAccess 6.40.13 Beta 2 (30778), released 2011-12-01
- Zarafa WebAccess 6.40.13 Final (30778), released 2011-12-08
- Zarafa WebAccess 6.40.14 Beta 1 (31462), released 2012-01-06
- Zarafa WebAccess 6.40.14 Final (31537), released 2012-01-19
- Zarafa WebAccess 6.40.15 Beta 1 (33246), released 2012-03-29
- Zarafa WebAccess 6.40.15 Final (33766), released 2012-04-12
- Zarafa WebAccess 6.40.16 Final (34239), released 2012-05-04
- Zarafa WebAccess 6.40.17 Beta 1 (35609), released 2012-07-05
- Zarafa WebAccess 6.40.17 Final (35943), released 2012-07-19
- Zarafa WebAccess 7.0.0 TP (23713), released 2010-11-05
- Zarafa WebAccess 7.0.0 Alpha 1 (23713), released 2010-11-05
- Zarafa WebAccess 7.0.0 Beta 1 (24488), released 2010-12-30
- Zarafa WebAccess 7.0.0 Beta 2 (24874), released 2011-01-21
- Zarafa WebAccess 7.0.0 Beta 3 (25734), released 2011-03-08
- Zarafa WebAccess 7.0.0 RC 1 (26667), released 2011-04-21
- Zarafa WebAccess 7.0.0 RC 2 (27588), released 2011-06-10
- Zarafa WebAccess 7.0.0 Final (27791), released 2011-06-27
- Zarafa WebAccess 7.0.1 Beta 1 (28354), released 2011-07-26
- Zarafa WebAccess 7.0.1 Beta 2 (28479), released 2011-08-04
- Zarafa WebAccess 7.0.1 Final (28479), released 2011-08-12
- Zarafa WebAccess 7.0.2 Beta 1 (29238), released 2011-09-15
- Zarafa WebAccess 7.0.2 Final (29470), released 2011-09-29
- Zarafa WebAccess 7.0.3 Beta 1 (30283), released 2011-11-03
- Zarafa WebAccess 7.0.3 Beta 2 (30383), released 2011-11-11
- Zarafa WebAccess 7.0.3 Final (30515), released 2011-11-17
- Zarafa WebAccess 7.0.4 Beta 1 (31042), released 2011-12-09
- Zarafa WebAccess 7.0.4 Beta 2 (31131), released 2011-12-15
- Zarafa WebAccess 7.0.4 Final (31235), released 2011-12-22
- Zarafa WebAccess 7.0.5 Beta 1 (31699), released 2012-01-20
- Zarafa WebAccess 7.0.5 Final (31880), released 2012-02-02
- Zarafa WebAccess 7.0.6 Beta 1 (32585), released 2012-03-02
- Zarafa WebAccess 7.0.6 Final (32752), released 2012-03-15
- Zarafa WebAccess 7.0.7 Beta 1 (33784), released 2012-04-13
- Zarafa WebAccess 7.0.7 Beta 2 (34052), released 2012-04-26
- Zarafa WebAccess 7.0.7 Final (34256), released 2012-05-04
- Zarafa WebAccess 7.0.8 Beta 1 (35040), released 2012-06-08
- Zarafa WebAccess 7.0.8 Final (35178), released 2012-06-19
- Zarafa WebAccess 7.0.9 Beta 1 (36013), released 2012-07-19
- Zarafa WebAccess 7.0.9 Beta 2 (36190), released 2012-07-26
- Zarafa WebAccess 7.0.9 Beta 3 (36358), released 2012-08-03
- Zarafa WebAccess 7.0.9 Final (36358), released 2012-08-10
- Zarafa WebAccess 7.0.10 Beta 1 (37262), released 2012-09-20
- Zarafa WebAccess 7.0.10 Final (37482), released 2012-10-04
- Zarafa WebAccess 7.0.11 Beta 1 (38406), released 2012-11-16
- Zarafa WebAccess 7.0.11 Beta 2 (38914), released 2012-11-30
- Zarafa WebAccess 7.0.11 Final (39120), released 2012-12-08
- Zarafa WebAccess 7.0.12 Beta 1 (39988), released 2013-01-10
- Zarafa WebAccess 7.0.12 Final (40336), released 2013-01-24
- Zarafa WebAccess 7.0.13 Final (41388), released 2013-03-01
- Zarafa WebAccess 7.0.14 Beta 1 (41924), released 2013-05-23
- Zarafa WebAccess 7.0.14 Final (42060), released 2013-07-01
- Zarafa WebAccess 7.0.15 Beta 1 (42582), released 2013-09-03
- Zarafa WebAccess 7.0.15 Beta 2 (42658), released 2013-09-13
- Zarafa WebAccess 7.0.15 Final (42709), released 2013-09-20
- Zarafa WebAccess 7.1.0 Beta 1 (33926), released 2012-04-19
- Zarafa WebAccess 7.1.0 Beta 2 (34517), released 2012-05-11
- Zarafa WebAccess 7.1.0 Beta 3 (34833), released 2012-06-01
- Zarafa WebAccess 7.1.0 RC 1 (35476), released 2012-06-29
- Zarafa WebAccess 7.1.0 RC 2 (36025), released 2012-07-19
- Zarafa WebAccess 7.1.0 RC 3 (36420), released 2012-08-09
- Zarafa WebAccess 7.1.0 Final (36420), released 2012-08-23
- Zarafa WebAccess 7.1.1 Beta 1 (37267), released 2012-09-20
- Zarafa WebAccess 7.1.1 Beta 2 (37519), released 2012-10-04
- Zarafa WebAccess 7.1.1 Final (37812), released 2012-10-19
- Zarafa WebAccess 7.1.2 Beta 1 (38366), released 2012-11-15
- Zarafa WebAccess 7.1.2 Beta 2 (38915), released 2012-11-30
- Zarafa WebAccess 7.1.2 Final (39121), released 2012-12-08
- Zarafa WebAccess 7.1.3 Beta 1 (39980), released 2013-01-10
- Zarafa WebAccess 7.1.3 Final (40304), released 2013-01-24
- Zarafa WebAccess 7.1.4 Final (41394), released 2013-03-01
- Zarafa WebAccess 7.1.5 Beta 1 (41923), released 2013-05-23
- Zarafa WebAccess 7.1.5 Final (42059), released 2013-07-01
- Zarafa WebAccess 7.1.6 Beta 1 (42574), released 2013-09-03
- Zarafa WebAccess 7.1.6 Beta 2 (42668), released 2013-09-13
- Zarafa WebAccess 7.1.6 Final (42710), released 2013-09-20
- Zarafa WebAccess 7.1.7 Final (42779), released 2013-10-03
- Zarafa WebAccess 7.1.8 Beta 1 (42841), released 2013-10-10
- Zarafa WebAccess 7.1.8 Beta 2 (43059), released 2013-11-08
- Zarafa WebAccess 7.1.8 Beta 3 (43454), released 2013-12-20
- Zarafa WebAccess 7.1.8 RC 1 (43691), released 2014-01-23
- Zarafa WebAccess 7.1.8 Final (43801), released 2014-01-30
- Zarafa WebAccess 7.1.8 Final R1 (44004), released 2014-02-20
- Zarafa WebAccess 7.1.9 Beta 1 (44152), released 2014-03-12
- Zarafa WebAccess 7.1.9 RC 1 (44268), released 2014-03-24
- Zarafa WebAccess 7.1.9 Final (44333), released 2014-03-31
- Zarafa WebAccess 7.1.10 Beta 1 (44846), released 2014-05-12
- Zarafa WebAccess 7.1.10 RC 1 (44973), released 2014-05-26
- Zarafa WebAccess 7.1.10 Final (44973), released 2014-06-03
- Zarafa WebAccess 7.1.11 Beta 1 (45653), released 2014-08-07
- Zarafa WebAccess 7.1.11 Final (45875), released 2014-08-26
- Zarafa WebAccess 7.1.11 Final R1 (46050), released 2014-09-05
Fixed versions
- Zarafa WebAccess 7.1.12 Beta 1 (47484), released 2015-01-16
- Zarafa WebAccess 7.1.12 Beta 2 (48455), released 2015-03-20
- Zarafa WebAccess 7.1.12 Final (48726), released 2015-04-07
- Zarafa WebAccess 7.1.12 Final R1 (49411), released 2015-05-08
- Zarafa WebAccess 7.2.0 Beta 1 (46984), released 2014-12-05
- Zarafa WebAccess 7.2.0 Beta 1 (47004), released 2014-12-05
- Zarafa WebAccess 7.2.0 Beta 2 (47829), released 2015-02-09
- Zarafa WebAccess 7.2.0 Final (48204), released 2015-03-05
CVE information
The MITRE Corporation Common Vulnerabilities and Exposures (CVE) number CVE-2012-3414 was assigned on July 16, 2012. The MITRE Corporation Common Vulnerabilities and Exposures (CVE) number CVE-2013-2205 was assigned on February 19, 2013. Currently, the following other identifications are known for this issue:
Disclosure timeline
- 2012-07-16: MITRE CVE assignment team assignes CVE name
- 2013-02-19: MITRE CVE assignment team assignes CVE name
- 2014-09-07: Initial vulnerability verification for Zarafa WebAccess
- 2014-09-08: Initial vendor notification, response and acknowledgement
- 2014-10-14: Vendor communicated an unknown timeframe
- 2014-10-24: Coordinated public disclosure
- 2014-12-05: Vendor provides a fixed public beta/pre-release
- 2015-03-05: Vendor releases a fixed public final version
Credit
Zarafa being affected by this known vulnerability was discovered, analyzed and reported by Robert Scheck.
The vulnerability itself was discovered, analyzed and reported by Nathan Partlan, Neal Poole and Szymon Gruszecki.
Legal notices
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an as is condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.