2192126 – (CVE-2022-26562) CVE-2022-26562: zarafa: Missing account validation in ECPAMAuthenticateUser()

Bug 2192126 (CVE-2022-26562) - CVE-2022-26562: zarafa: Missing account validation in ECPAMAuthenticateUser()

Summary: CVE-2022-26562: zarafa: Missing account validation in ECPAMAuthenticateUser()

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-26562
Product:	Fedora EPEL
Classification:	Fedora
Component:	zarafa
Sub Component:
Version:	epel7
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Robert Scheck
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-04-29 19:14 UTC by Robert Scheck
Modified:	2023-05-08 00:48 UTC (History)
CC List:	2 users (show)
Fixed In Version:	zarafa-7.1.14-6.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-05-08 00:48:52 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Description Robert Scheck 2023-04-29 19:14:12 UTC

An issue in provider/libserver/ECKrbAuth.cpp of Kopano-Core v11.0.2.51 contains an issue which allows attackers to authenticate even if the user account or password is expired.

References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26562
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016973
- https://jira.kopano.io/browse/KC-2021
- https://github.com/Kopano-dev/kopano-core/blob/master/provider/libserver/ECKrbAuth.cpp#L137

Comment 1 Robert Scheck 2023-04-29 21:23:52 UTC

The security flaw was introduced between Zarafa 6.30.0 RC 1e (Subversion Revision 14802) and 6.30.8 Final (Subversion Revision 18345) in provider/libserver/ECPamAuth.cpp and also affects Kopano Core <= 11.0.2.51 in provider/libserver/ECKrbAuth.cpp.

Comment 2 Fedora Update System 2023-04-29 22:27:12 UTC

FEDORA-EPEL-2023-342b96903b has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-342b96903b

Comment 3 Fedora Update System 2023-04-30 00:19:43 UTC

FEDORA-EPEL-2023-342b96903b has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-342b96903b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2023-05-08 00:48:52 UTC

FEDORA-EPEL-2023-342b96903b has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.