Bug 1133439 (CVE-2014-5447, CVE-2014-5448, CVE-2014-5449, CVE-2014-5450)

Summary: CVE-2014-5447 CVE-2014-5448 CVE-2014-5449 CVE-2014-5450 zarafa: multiple default permission issues
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jrusnack, redhat-bugzilla, vanmeeuwen+fedora
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-05 17:02:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1133441, 1133442    
Bug Blocks:    

Description Murray McAllister 2014-08-25 07:22:21 UTC 
Robert Scheck reported a number of issues with the default permissions in Zarafa[1]:

""
1. In order to fix CVE-2014-0103, Zarafa introduced constants PASSWORD_KEY
and PASSWORD_IV in /etc/zarafa/webaccess-ajax/config.php (Zarafa WebAccess)
and /etc/zarafa/webapp/config.php (Zarafa WebApp), both are the upstream
path names of a default installation, downstream names might be different.
Both files have default permissions of root:root and 644, thus decryption
of the symmetric encrypted passwords in the on-disk PHP session files is
possible again (similar like initially described in CVE-2014-0103). Affects
Zarafa WebAccess >= 7.1.10, Zarafa WebApp >= 1.6 beta.

2. The log directory /var/log/zarafa/ is shipped by default with root:root
and 755 and all created log files by the Zarafa daemons have by default
root:root and 644. This is leaking (depending on the log level of the given
service) only e.g. subject, sender/recipient, message-id, SMTP queue id of
in- and outbound e-mails but might be even a cleartext protocol dump of
IMAP, POP3, CalDAV and iCal as well (including possible credentials) to any
local system user. Affects Zarafa >= 5.00.

3. The directories /var/lib/zarafa-webaccess/tmp/ (Zarafa WebAccess) and
/var/lib/zarafa-webapp/tmp/ (Zarafa WebApp) are read- and writable by the
Apache system user by default - but also world readable for local system
users (e.g. apache:apache and 755 on RHEL). Thus all the temporary session
data such as uploaded e-mail attachments can be read-only accessed because
all created files below previously mentioned directories have permissions
644, too. Upstream path names changed over the time and releases. Affects
Zarafa WebAccess >= 4.1, Zarafa WebApp (any version).

4. The optional (but proprietary) license daemon /usr/bin/zarafa-licensed
runs by default with root permissions, the subscription/license key is put
into '/etc/zarafa/license/*'. The license files are recommented (according
upstream documentation) to be created using echo(1) which usually leads to
root:root and 644. But the parent directory /etc/zarafa/license/ is shipped
by default with root:root and 755. As result the key files can be accessed
and copied by any local system user. Affects Zarafa >= 4.1.
""

[1] http://seclists.org/oss-sec/2014/q3/444
Comment 1 Murray McAllister 2014-08-25 07:23:42 UTC 
Created zarafa tracking bugs for this issue:

Affects: fedora-all [bug 1133441]
Affects: epel-all [bug 1133442]
Comment 2 Robert Scheck 2014-08-25 20:41:21 UTC 
Reported by me and assigned to me, nice :) Meanwhile they got CVE-2014-5447,
CVE-2014-5448, CVE-2014-5449, CVE-2014-5450 (in this order to 1-4 above). The
CVE-2014-5450 is not relevant for Fedora/EPEL through.
Comment 3 Fedora Update System 2014-08-30 03:55:13 UTC 
zarafa-7.1.10-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2014-09-02 03:54:21 UTC 
zarafa-7.1.10-4.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2014-09-02 03:54:49 UTC 
zarafa-7.1.10-4.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2014-09-02 06:45:37 UTC 
zarafa-7.1.10-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-11-09 15:40:45 UTC 
zarafa-7.1.11-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.