CVE-2014-9465: Remote disk space exhaustion in Zarafa

On September 5, 2014 I discovered that a remote attacker, without any prior authentication to Zarafa WebAccess or Zarafa WebApp, can fill the temporary directory "/tmp/" via HTTP(S). Depending on where that directory sits on the filesystem, the server's entire hard disk can be filled, which can impair the availability of the remaining services on the server. The security advisory follows in English:

Background

Zarafa is a leading European provider of open source groupware and collaboration software. The core product is the Zarafa Collaboration Platform (ZCP), a European open and compatible groupware platform that can be used as a drop-in Microsoft Exchange replacement for e-mail, calendaring, collaboration and tasks (origin: Zarafa company profile).

Description

For accessing e-mails, calendars, contacts and tasks of the groupware platform via the web, Zarafa provides the Zarafa WebAccess and the Zarafa WebApp as clients/frontends. The Zarafa WebApp is a fork of and the successor to the Zarafa WebAccess. Both web clients/frontends ship a PHP script that could allow remote unauthenticated attackers to upload files via HTTP(S) and thereby exhaust the disk space of /tmp/ on the server offering the Zarafa WebAccess or Zarafa WebApp. This flaw thus allows a so-called unauthenticated remote denial of service.

CVSS v2 metrics

Analysis

There is no exploitation which would allow unauthenticated remote attackers to gain root access. However, depending on the server setup, /tmp/ might be part of / (the root filesystem), as it is by default on e.g. RHEL or CentOS. If the disk space on the root filesystem is exhausted, this usually impacts all services running on the server negatively, including services that are not affiliated with Zarafa. Given that the default upload size of Zarafa WebAccess and Zarafa WebApp is 30 MB and that the network bandwidth of the server offering the Zarafa WebAccess or Zarafa WebApp is relevant as well, this attack is in practice harder to perform against publicly reachable systems on the Internet than against local ones (such as in an Intranet), because a possible attacker requires a broad upload network bandwidth to be effective.

The second parameter of PHP's tempnam() is, according to the PHP documentation, only a prefix, and thus $tmpname, the return value of the tempnam() call in senddocument.php, should not be predictable (which rules out local race conditions on the temporary file name).

Reproducibility

Even though the following commands could be used to actively exploit and abuse this flaw, they are only made public so that one can analyze whether the system in question is vulnerable or not. A system with Zarafa WebAccess is affected if the following command proves the existence of the file /usr/share/zarafa-webaccess/senddocument.php:

tux:~ # ls -l /usr/share/zarafa-webaccess/
total 40
drwxr-xr-x. 7 root root 4096 Sep 9 17:12 client
lrwxrwxrwx. 1 root root 37 Sep 9 17:12 config.php -> /etc/zarafa/webaccess-ajax/config.php
-rw-r--r--. 1 root root 3047 Sep 3 09:56 defaults.php
-rw-r--r--. 1 root root 8550 Sep 3 09:56 index.php
lrwxrwxrwx. 1 root root 33 Sep 9 17:12 plugins -> /var/lib/zarafa-webaccess/plugins
-rw-r--r--. 1 root root 315 Sep 3 09:56 senddocument.php
drwxr-xr-x. 6 root root 4096 Sep 9 17:12 server
-rw-r--r--. 1 root root 3109 Sep 3 09:56 static.php
-rw-r--r--. 1 root root 6806 Sep 3 09:56 zarafa.php

tux:~ #

When using Zarafa WebApp rather than Zarafa WebAccess, the following command can be used. The system is affected if the file /usr/share/zarafa-webapp/senddocument.php exists:

tux:~ # ls -l /usr/share/zarafa-webapp/
total 64
drwxr-xr-x. 8 root root 4096 Sep 21 00:42 client
lrwxrwxrwx. 1 root root 29 Sep 9 17:12 config.php -> /etc/zarafa/webapp/config.php
-rw-r--r--. 1 root root 4382 Sep 3 10:55 defaults.php
-rw-r--r--. 1 root root 14079 Sep 3 10:55 index.php
-rw-r--r--. 1 root root 247 Sep 3 10:55 init.php
drwxr-xr-x. 2 root root 4096 Sep 9 17:12 mapi
drwxr-xr-x. 20 root root 4096 Oct 9 12:00 plugins
-rw-r--r--. 1 root root 450 Sep 3 10:55 senddocument.php
drwxr-xr-x. 8 root root 4096 Sep 21 00:47 server
-rw-r--r--. 1 root root 10 Sep 3 10:57 version
-rw-r--r--. 1 root root 8575 Sep 3 10:55 zarafa.php

tux:~ #
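The two checks above, together with the point from the Analysis section about /tmp sharing the root filesystem, as one POSIX shell script. This is an added example, not part of the original advisory; the paths are the ones the advisory lists, and the optional root-prefix argument is an assumption of this script so that the file check can be run against a staged directory tree.

```shell
#!/bin/sh
# Added example (not from the advisory): report the conditions the advisory
# describes on the local host. Paths are the ones the advisory names.

# Print every vulnerable upload script present below the given root prefix
# (default: none, i.e. the real filesystem); return 0 if at least one exists.
zarafa_senddocument_present() {
    prefix="${1:-}"
    found=1
    for f in /usr/share/zarafa-webaccess/senddocument.php \
             /usr/share/zarafa-webapp/senddocument.php; do
        if [ -f "${prefix}${f}" ]; then
            echo "${prefix}${f}"
            found=0
        fi
    done
    return $found
}

# Print the mount point holding the given directory (POSIX df -P output:
# the last field of the second line).
mount_point_of() {
    df -P "$1" | awk 'NR == 2 { print $NF }'
}

# Return 0 when the given directory (default /tmp) lives on the same
# filesystem as /, so filling it exhausts the root filesystem and hits every
# service on the host, as the Analysis section describes; 1 if it is a
# separate mount, which confines the impact to that mount.
dir_shares_root_fs() {
    [ "$(mount_point_of "${1:-/tmp}")" = "$(mount_point_of /)" ]
}

# Stand-alone report for an administrator.
main() {
    if zarafa_senddocument_present; then
        echo "vulnerable script present: remove it or update Zarafa (see Workaround/Solution)"
    else
        echo "no senddocument.php found under the advisory's paths"
    fi
    if dir_shares_root_fs /tmp; then
        echo "/tmp is on the root filesystem: exhaustion affects every service on this host"
    else
        echo "/tmp is a separate mount ($(mount_point_of /tmp)): impact is confined to it"
    fi
}

main "$@"
```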

Workaround

Until a fixed version of the Zarafa WebAccess is available (or on a system where a possible future update cannot be applied for whatever reason), the following command can be used to remove the vulnerable PHP script:

tux:~ # rm -f /usr/share/zarafa-webaccess/senddocument.php
tux:~ #

When using Zarafa WebApp rather than Zarafa WebAccess, the following command can be used to remove the vulnerable PHP script:

tux:~ # rm -f /usr/share/zarafa-webapp/senddocument.php
tux:~ #

Both commands above are, however, only a workaround, because a later update of Zarafa WebAccess or Zarafa WebApp that does not yet contain the fix might reintroduce the vulnerable script.

Solution

As fixed releases of the Zarafa WebAccess and the Zarafa WebApp are available, an update is highly recommended over any workaround.

Possibly affected versions

Affected versions

Fixed versions

CVE information

The MITRE Corporation Common Vulnerabilities and Exposures (CVE) number CVE-2014-9465 was assigned on January 3, 2015. Currently, the following other identifications are known for this issue:

Disclosure timeline

Credit

This vulnerability was discovered, analyzed and reported by Robert Scheck.

Robert Scheck would like to thank Murray McAllister of the Red Hat Security Response Team for his time and support.

Legal notices

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an as is condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.