Novell GroupWise Multiple Vulnerabilities

by Carol~ Moderator - 4/30/13 10:36 AM

In Reply to: VULNERABILITIES / FIXES - April 30, 2013 by Carol~ Moderator

Release Date : 2011-09-27
Last Update : 2013-04-30

Criticality level : Highly critical
Impact : Cross Site Scripting, DoS, System access
Where : From remote
Solution Status : Vendor Patch

Software: Novell GroupWise Server 8.x

Description:
Multiple vulnerabilities have been reported in Novell GroupWise, which can be exploited by malicious users to conduct script insertion attacks, cause a DoS (Denial of Service), or potentially compromise a vulnerable system, and by malicious people to compromise a vulnerable system.

1) An integer truncation error exists in NgwiCalVTimeZoneBody::ParseSelf() within gwwww1.dll when GroupWise Internet Agent parses the "TZNAME" variable in vCalendar data. This can be exploited to cause a heap-based buffer overflow via a specially crafted e-mail containing an overly long "TZNAME" property value.

Successful exploitation of this vulnerability may allow execution of arbitrary code.

2) A boundary error in GroupWise Internet Agent (gwia.exe) when handling requests for certain .css resources can be exploited to cause a limited stack-based buffer overflow via a specially crafted, overly long request to the HTTP interface (port 9850/TCP).

Successful exploitation of this vulnerability requires valid credentials to the service.

3) Input passed via the "Directory.Item.name" parameter when adding an organization to the address book, via the "Directory.Item.displayName" parameter when adding a new contact to the address book, and via the "Directory.Item.name" parameter when adding a new resource to the address book is not properly sanitised in the WebAccess component before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site if malicious data is viewed.

4) An unspecified error in GroupWise Internet Agent can be exploited to crash the service via specially crafted data.

5) An array-indexing error exists in NgwIRecurByWeekdayParam::bywdaylist() when GroupWise Internet Agent parses vCalendar data containing a comma-separated list of values for the BYDAY property in a calendar recurrence (RRULE). This can be exploited to cause heap-based buffer overflows via a specially crafted e-mail containing a malicious iCal file.

6) An indexing error in GroupWise Internet Agent when handling the BYWEEKNO property of a weekly calendar recurrence (RRULE) can be exploited to cause a memory corruption via a specially crafted e-mail containing a malicious iCal file.

7) An array-indexing error exists in NgwIRecurParam::integerList() when GroupWise Internet Agent parses vCalendar data containing a calendar recurrence (RRULE) property that supports a comma-separated list of values (i.e. BYMONTH, BYMONTHDAY, BYSECOND, BYHOUR, BYYEARDAY, BYWEEKNO, and BYSETPOS). This can be exploited to cause a heap-based buffer overflow via a specially crafted e-mail containing a malicious iCal file.

Successful exploitation of vulnerabilities #5, #6, and #7 may allow execution of arbitrary code.

8) The software bundles a vulnerable version of Oracle "Outside In" technology for viewing of various file attachments.

The vulnerabilities are reported in version 8.0.2 HP2. Prior versions may also be affected.

Solution:
Update to version 8.02 Hot Patch 3 or later.

Provided and/or discovered by:
1) Independently discovered by Carsten Eiram, Secunia Research and an anonymous person via iDefense.
2) Carsten Eiram, Secunia Research.
3) Joshua Tiago, Cirosec via Secunia.
4) The vendor credits James Ogden, Salford Software.
5) An anonymous person via ZDI and an anonymous person via iDefense.
6) An anonymous person via iDefense.
7) An anonymous person via iDefense.

Original Advisory:
Secunia Research:
http://secunia.com/secunia_research/2011-66/
http://secunia.com/secunia_research/2011-67/

Novell:
http://www.novell.com/support/viewContent.do?externalId=7009208
http://www.novell.com/support/viewContent.do?externalId=7009210
http://www.novell.com/support/viewContent.do?externalId=7009214
http://www.novell.com/support/viewContent.do?externalId=7006378
http://www.novell.com/support/viewContent.do?externalId=7009212
http://www.novell.com/support/viewContent.do?externalId=7009215
http://www.novell.com/support/viewContent.do?externalId=7009216
http://www.novell.com/support/viewContent.do?externalId=7009207
http://www.novell.com/support/viewContent.do?externalId=7009213

iDefense:
https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=943
https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=944
https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=945
https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=947

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-285/
http://www.zerodayinitiative.com/advisories/ZDI-11-286/

iDefense:
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?loc=en_US&id=943
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?loc=en_US&id=944
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?loc=en_US&id=945
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?loc=en_US&id=946
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?loc=en_US&id=947

http://secunia.com/advisories/43513
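
The two parser bug classes named in items 1 and 5-7 above, shown in hardened form as an added example. This is not part of the original advisory and not GroupWise code. The function names, the `MAX_LIST` capacity and the 16-bit length field are assumptions chosen for illustration, since the advisory does not describe the internal buffers.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIST 16   /* assumed array capacity, not taken from the advisory */

/* Parse a comma-separated list such as a BYMONTH value ("1,6,12") into out[].
 * Returns the item count, or -1 if a value is malformed, lies outside
 * [lo, hi], or the list has more items than the array can hold. */
int parse_int_list(const char *s, long lo, long hi, int out[MAX_LIST])
{
    int n = 0;
    for (;;) {
        char *end;
        errno = 0;
        long v = strtol(s, &end, 10);
        if (end == s || errno == ERANGE || v < lo || v > hi)
            return -1;
        if (n == MAX_LIST)      /* test the index before the store */
            return -1;
        out[n++] = (int)v;
        if (*end == '\0')
            return n;
        if (*end != ',')
            return -1;
        s = end + 1;
    }
}

/* Copy a text value (e.g. TZNAME) whose length is kept in a 16-bit field.
 * Returns NULL when the length would be truncated by the narrowing. */
char *copy_value(const char *src, uint16_t *len_out)
{
    size_t len = strlen(src);
    if (len > UINT16_MAX)       /* reject instead of truncating */
        return NULL;
    char *dst = malloc(len + 1);    /* sized from the full-width length */
    if (dst != NULL) {
        memcpy(dst, src, len + 1);
        *len_out = (uint16_t)len;
    }
    return dst;
}

int main(void) { int o[MAX_LIST]; printf("%d\n", parse_int_list("1,6,12", 1, 12, o)); return 0; }
```

Properties that take signed values (BYWEEKNO, BYMONTHDAY, BYYEARDAY, BYSETPOS) also need zero rejected, which a single `[lo, hi]` range does not express.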