Bug 1133439 (CVE-2014-5447, CVE-2014-5448, CVE-2014-5449, CVE-2014-5450) - CVE-2014-5447 CVE-2014-5448 CVE-2014-5449 CVE-2014-5450 zarafa: multiple default permission issues
Summary: CVE-2014-5447 CVE-2014-5448 CVE-2014-5449 CVE-2014-5450 zarafa: multiple defa...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-5447, CVE-2014-5448, CVE-2014-5449, CVE-2014-5450
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20140824,reported=2...
Depends On: 1133441 1133442
Blocks:
Reported: 2014-08-25 07:22 UTC by Murray McAllister
Modified: 2019-06-08 20:09 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-05 17:02:41 UTC



Description Murray McAllister 2014-08-25 07:22:21 UTC
Robert Scheck reported a number of issues with the default permissions in Zarafa[1]:

""
1. In order to fix CVE-2014-0103, Zarafa introduced the constants PASSWORD_KEY
and PASSWORD_IV in /etc/zarafa/webaccess-ajax/config.php (Zarafa WebAccess)
and /etc/zarafa/webapp/config.php (Zarafa WebApp); both are the upstream
path names of a default installation, downstream names might be different.
Both files have default permissions of root:root and 644, thus decryption
of the symmetrically encrypted passwords in the on-disk PHP session files is
possible again (similar to what was initially described in CVE-2014-0103).
Affects Zarafa WebAccess >= 7.1.10, Zarafa WebApp >= 1.6 beta.

2. The log directory /var/log/zarafa/ is shipped by default with root:root
and 755, and all log files created by the Zarafa daemons have root:root and
644 by default. Depending on the log level of the given service, this leaks
e.g. subject, sender/recipient, message-id and SMTP queue id of in- and
outbound e-mails, but might even be a cleartext protocol dump of IMAP, POP3,
CalDAV and iCal as well (including possible credentials), to any local
system user. Affects Zarafa >= 5.00.

3. The directories /var/lib/zarafa-webaccess/tmp/ (Zarafa WebAccess) and
/var/lib/zarafa-webapp/tmp/ (Zarafa WebApp) are read- and writable by the
Apache system user by default - but also world readable for local system
users (e.g. apache:apache and 755 on RHEL). Thus all the temporary session
data such as uploaded e-mail attachments can be read by any local user,
because all files created below the previously mentioned directories have
permissions 644, too. Upstream path names changed over time and across
releases. Affects Zarafa WebAccess >= 4.1, Zarafa WebApp (any version).

4. The optional (but proprietary) license daemon /usr/bin/zarafa-licensed
runs by default with root permissions; the subscription/license key is put
into '/etc/zarafa/license/*'. The license files are recommended (according
to upstream documentation) to be created using echo(1), which usually leads
to root:root and 644. But the parent directory /etc/zarafa/license/ is
shipped by default with root:root and 755. As a result the key files can be
accessed and copied by any local system user. Affects Zarafa >= 4.1.
""

[1] http://seclists.org/oss-sec/2014/q3/444
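As an added example (not part of the bug report, the Zarafa packages, or the Fedora fix), a shell audit for the paths the report names: it lists every entry under them that still has the world-read bit set, and a second function strips the "other" bits as a remediation step. It assumes GNU find (for -printf) and takes an optional root prefix so it can be run against a staging tree; ownership changes (e.g. giving the web server's group read access to config.php after closing it to others) need root and are deliberately left to the administrator.

```shell
#!/bin/sh
# Paths from the report (upstream names; downstream packages may differ).
ZARAFA_SENSITIVE_PATHS="
etc/zarafa/webaccess-ajax/config.php
etc/zarafa/webapp/config.php
var/log/zarafa
var/lib/zarafa-webaccess/tmp
var/lib/zarafa-webapp/tmp
etc/zarafa/license
"

# Print "<octal mode> <path>" for every file or directory under the listed
# paths whose world-read bit is set. $1 is an optional root prefix
# (default "/"), so the audit can run against a chroot or staging tree.
zarafa_world_readable() {
    root="${1:-/}"
    for p in $ZARAFA_SENSITIVE_PATHS; do
        full="${root%/}/$p"
        [ -e "$full" ] || continue
        # -perm -o=r: "other" read bit set; -printf is GNU find (assumption).
        find "$full" -perm -o=r -printf '%m %p\n'
    done
}

# Remediation: remove all "other" access bits below the listed paths.
# Does not touch owner/group, which must be fixed separately (e.g. chown
# root:apache on the config files so the web server can still read them).
zarafa_close_world_access() {
    root="${1:-/}"
    for p in $ZARAFA_SENSITIVE_PATHS; do
        full="${root%/}/$p"
        [ -e "$full" ] && chmod -R o-rwx "$full"
    done
    return 0
}

# Usage on a live system (as root):  zarafa_world_readable /
```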

Comment 1 Murray McAllister 2014-08-25 07:23:42 UTC
Created zarafa tracking bugs for this issue:

Affects: fedora-all [bug 1133441]
Affects: epel-all [bug 1133442]

Comment 2 Robert Scheck 2014-08-25 20:41:21 UTC
Reported by me and assigned to me, nice :) Meanwhile they got CVE-2014-5447,
CVE-2014-5448, CVE-2014-5449, CVE-2014-5450 (in this order, for 1-4 above). The
CVE-2014-5450 is not relevant for Fedora/EPEL though.

Comment 3 Fedora Update System 2014-08-30 03:55:13 UTC
zarafa-7.1.10-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2014-09-02 03:54:21 UTC
zarafa-7.1.10-4.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2014-09-02 03:54:49 UTC
zarafa-7.1.10-4.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2014-09-02 06:45:37 UTC
zarafa-7.1.10-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2014-11-09 15:40:45 UTC
zarafa-7.1.11-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

