MS-ISAC ADVISORY NUMBER:
2008-017 Updated

DATE(S) ISSUED:
4/30/2008
5/9/2008 - Updated

SUBJECT:
Novell GroupWise Buffer Overflow Vulnerability

ORIGINAL OVERVIEW:

A vulnerability in the Novell GroupWise System (Novell's Email system) has been identified. Successful exploitation of this vulnerability will allow an attacker to execute arbitrary code in the context of the application. This can result in an attacker gaining the same user privileges as the logged on user. If the user is logged in with administrator privileges, the attacker could then install programs, view, change, or delete data, or create new accounts with full privileges. This could lead to complete control of the compromised system.

UPDATED OVERVIEW:
Novell has confirmed that this vulnerability only affects GroupWise 7.0.0. GroupWise 7.0.0 SP1 and later are not vulnerable.

ORIGINAL SYSTEMS AFFECTED:

  • Novell GroupWise 7.0.0
  • Novell GroupWise 7.0.0 SP1
  • Novell GroupWise 7.0.0 SP2
  • Novell GroupWise 7.0.0 SP3
  • Other versions may be affected

UPDATED SYSTEMS AFFECTED UPDATED:

  • Novell GroupWise 7.0.0
  • GroupWise 7.0.0 SP1 and later are not vulnerable

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: N/A

ORIGINAL DESCRIPTION:
A new vulnerability in the Novell GroupWise System was discovered which affects the client-side application of Novell GroupWise. The application is prone to a buffer overflow vulnerability due to the in-adequate boundary checks on user supplied data. The end user only needs to view a malicious HTML formatted email or click on a specially crafted link designed to exploit this vulnerability. An attacker who successfully exploits an affected system could execute arbitrary code in the context of the application which can lead to complete control of the system. If the user is logged in with administrator privileges, the attacker could then install programs, view, change, or delete data, or create new accounts with full privileges. Failed attempts will result in a denial of service.

Currently there is proof-of-concept for the exploit available. Patches are not yet available.

UPDATED DESCRIPTION:
Novell has confirmed that this vulnerability only affects GroupWise 7.0.0. GroupWise 7.0.0 SP1 and later are not vulnerable.

ORIGINAL RECOMMENDATIONS:
We recommend the following actions be taken:

  • Logon to your systems as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Employ the principle of least privilege whenever possible.
  • Do not open HTML formatted email, click on HTML links provided in an email, or open email attachments from an un-trusted source.

UPDATED RECOMMENDATIONS:

  • To resolve this issue, customers running unpatched GroupWise 7.0 should upgrade to GroupWise 7 SP1 or later.

ORIGINAL REFERENCES:
SecurityFocus:
http://www.securityfocus.com/bid/28969(New Window)

FrSIRT:
http://www.frsirt.com/english/advisories/2008/1393(New Window)

UPDATED REFERENCES:
Novell:
 http://support.novell.com/Platform/Publishing/291/7000314_f.1.html(New Window)


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.