ADVISORY
cirosec GmbH
http://www.cirosec.de
CVE-Name: CVE-2007-2513
Vendor-Status: Patched
Risk: MEDIUM
------------------------------------------------------------------------
Vendor: Novell (http://www.novell.com)
Affected Product: GroupWise
Affected OS's:
  Server: NetWare, Linux, Windows
  Client: Windows, Linux, Macintosh

Vulnerability reported: 23.04.2007
Patch provided for review: 07.05.2007
Patch approved by cirosec: 21.05.2007
Patch made public: 31.05.2007
Vulnerability Explanation:
A security vulnerability in the GroupWise system allows a malicious user to intercept authentication credentials through a 'man in the middle' mechanism. Reported as CVE-2007-2513.
Resolution:
Customers should immediately upgrade all GroupWise Clients, including the GroupWise Outlook Connector, and all GroupWise Agents (MTA, POA, GWIA and WebAccess) to GroupWise 7 SP2 software dated May 24th, 2007 or newer. Additionally, lock out all GroupWise Clients older than May 24th, 2007 via ConsoleOne. If the GroupWise Exchange Migration Utility is in use, it must also be updated.
Proof of Concept:
Exists but will not be made public because of German law.
POC-Output:
--------------8<-------------------
#
# GroupWise - Proof of Concept
# Version: 0.1
# Author: Andreas Schmidt
# Company: cirosec GmbH
#
+ setting up ssl mode ************
+ waiting for ssl-handshake ...
+ looks good
+ "Decrypted" Username:
cirosec
+ **************
+ got "encrypted packet"
+ ************************ :-)
+ *************************
+ "Decrypted" Password:
G3h3iM
--------------8<-------------------
Credits:
This vulnerability was discovered by Andreas Schmidt, cirosec GmbH (http://www.cirosec.de).
Technical Details:
Will not be made public before August 2007.