SecurityTracker.com
Category:   Application (Generic)  >   Novell GroupWise
Vendors:   Novell
GroupWise Windows Client API Bug Lets Remote Authenticated Users Access E-mail
SecurityTracker Alert ID:  1019616
SecurityTracker URL:  http://securitytracker.com/id/1019616
CVE Reference:   CVE-2008-1330
Date:  Mar 17 2008
Impact:   Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 7 SP3
Description:   A vulnerability was reported in GroupWise. A remote authenticated user can access a target user's e-mail.

A remote authenticated user that is the recipient of a shared folder from a target user can gain access to the target user's e-mail.

Impact:   A remote authenticated user can access a target user's e-mail in certain cases.
Solution:   The vendor has issued a fix.

The Novell advisory is available at:

http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5009020.html

Vendor URL:  support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5009020.html
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  CVE-2008-1330 - Security vulnerability in the GroupWise Windows client API

Description:  CVE-2008-1330

A security vulnerability exists in the GroupWise Windows client API that can allow programmatic access to non-authorized email under certain conditions.  The attacker must first authenticate to GroupWise and be a recipient of a shared folder from another user.  The attacker could then exploit the vulnerability to gain unauthorized access to non-shared email in the mailbox of the sharer.

Cause: An unspecified error in the Windows client API

Workaround:  

Users that have shared folders with other users can protect their email by removing shared access until remedial steps have been completed.  It is not necessary to delete the contents of the shared folders and they can be re-shared after the administrator has locked out older client versions.

To remove shared access to a folder select the shared folder, click File > Sharing, then select Not shared.


Remedy:

For GroupWise 7 - Customers running GroupWise 7.0 clients should immediately upgrade all clients to GroupWise 7 SP3 (dated 09 Mar 2008) and lock out older clients via ConsoleOne.

GroupWise 6.5 Windows - Customers running GroupWise 6.5 Windows clients should immediately upgrade all Windows clients to the GroupWise 6.5 SP6 client Update 3 (dated 11 Mar 2008), or upgrade to GroupWise 7 SP3.  Older clients must be locked out via ConsoleOne.

GroupWise 6.5 Linux - Customers running GroupWise 6.5 Linux or Mac clients should immediately upgrade to GroupWise 7 SP3 (dated 09 Mar 2008).

For GroupWise 6.0 and previous - Customers still running unsupported GroupWise client versions (5.x and 6) should immediately upgrade clients and servers to either GroupWise 6.5 SP6 Update 3 or to GroupWise 7 SP3.  Older clients must be locked out via ConsoleOne.

If Blackberry Enterprise Server (BES) is installed in a GroupWise 7 environment then upgrade the BES to a version which supports the GroupWise 7 client (BES 4.0 SP 7 or BES 4.1 SP4), and upgrade the GW client installed on the machine to 7.0 SP3 (dated 09 Mar 2008).

If Blackberry Enterprise Server (BES) is installed in a GroupWise 6.5 environment then upgrade the GW client installed on the machine to 6.5 SP6 Client Update 3 (dated 11 Mar 2008).

Special Instructions and Notes:

For instructions on locking out older client versions please refer to GroupWise documentation for your GroupWise version:
GroupWise 7:  http://www.novell.com/documentation/gw7/gw7_admin/index.html?page=/documentation/gw7/gw7_admin/data/adqaf1n.html 

GroupWise 6.5:  http://www.novell.com/documentation/gw65/index.html?page=/documentation/gw65/gw65_admin/data/adqaf1n.html

If running a mixed environment of 6.5 and 7.0 clients then make sure to lock out based on client release date rather than client version.  The recommended date should be 08 Mar 2008 in order to ensure the system is not vulnerable.


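Why the advisory asks for a date-based lockout in a mixed 6.5/7.0 environment, shown as an added example (not code from Novell or SecurityTracker). The inventory, the version tuples and the pre-fix release dates are constructed, and the model assumes a client is refused when it is older than the configured minimum.

```python
from datetime import date

# Constructed inventory: (user, version tuple, release date, runs a fixed build?).
# Only the two fixed-build dates (09 and 11 Mar 2008) come from the advisory;
# version tuples and the older release dates are illustrative assumptions.
INVENTORY = [
    ("alice", (7, 0, 3), date(2008, 3, 9),  True),   # GroupWise 7 SP3
    ("bob",   (7, 0, 2), date(2007, 4, 20), False),  # older GroupWise 7 client
    ("carol", (6, 5, 6), date(2008, 3, 11), True),   # 6.5 SP6 Client Update 3
    ("dave",  (6, 5, 6), date(2006, 6, 1),  False),  # 6.5 SP6 before Update 3
    ("erin",  (6, 0, 4), date(2003, 1, 15), False),  # unsupported 6.0 client
]

def locked_out(version, released, min_version=None, min_date=None):
    """Assumed lockout model: refuse a client older than any configured minimum."""
    if min_version is not None and version < min_version:
        return True
    return min_date is not None and released < min_date

def evaluate(min_version=None, min_date=None):
    """Return (unfixed clients still admitted, fixed clients locked out)."""
    admitted_unfixed, blocked_fixed = [], []
    for user, version, released, fixed in INVENTORY:
        blocked = locked_out(version, released, min_version, min_date)
        if not blocked and not fixed:
            admitted_unfixed.append(user)
        elif blocked and fixed:
            blocked_fixed.append(user)
    return admitted_unfixed, blocked_fixed

# Two version-only thresholds and the advisory's recommended date threshold.
POLICIES = {
    "version >= 7.0.3": {"min_version": (7, 0, 3)},
    "version >= 6.5.6": {"min_version": (6, 5, 6)},
    "release date >= 08 Mar 2008": {"min_date": date(2008, 3, 8)},
}

if __name__ == "__main__":
    for name, policy in POLICIES.items():
        gaps, collateral = evaluate(**policy)
        print(f"{name:30} admitted, unfixed: {gaps}  locked out, fixed: {collateral}")
```

A version threshold high enough to stop old 7.0 clients also refuses the patched 6.5 client, and one low enough to admit the patched 6.5 client lets unpatched 6.5 and 7.0 clients through; only the date threshold separates the two groups.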
