[NT] Novell GroupWise Authentication Bypass
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 29 Jun 2006 14:25:21 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Novell GroupWise Authentication Bypass
------------------------------------------------------------------------
SUMMARY
" <http://www.novell.com/products/groupwise/> Novell GroupWise is a
complete collaboration software solution that provides information workers
with e-mail, calendaring, instant messaging, task management, and contact
and document management functions."
Improper design allows attackers to bypass authentication using Novell
GroupWise.
DETAILS
Vulnerable Systems:
* Novell GroupWise 5.x
* Novell GroupWise 6.0
* Novell GroupWise 6.5
* Novell GroupWise 7
* Novell GroupWise 32-bit Client
A security vulnerability exists in the GroupWise Windows Client API that
can allow random programmatic access to non-authorized email within the
same authenticated post office.
Vendor Status:
* For GroupWise 7 - Customers running GroupWise 7.0 Windows Clients
should immediately upgrade all Windows clients to GroupWise 7 SP1 (dated
19 Jun 2006) and lock out older Windows clients via ConsoleOne.
* For GroupWise 6.5 - Customers running GroupWise 6.5.x Windows Clients
should immediately upgrade all Windows clients to the GroupWise 6.5 SP6
Client Update 1 (dated 27 Jun 2006), or upgrade to GroupWise 7 SP1. Older
Windows clients must be locked out via ConsoleOne.
* For GroupWise 6.0 and previous - Customers still running unsupported
GroupWise versions (5.x and 6) of the Windows Clients should immediately
upgrade clients and servers to either GroupWise 6.5 SP6 Update 1 or to
GroupWise 7 SP1. Older Windows clients must be locked out via ConsoleOne.
* If Blackberry Enterprise Server (BES) is installed in a GroupWise 7
environment then make sure to lock out based on client date rather than
client version, as the recommended BES configuration is still to use the
GroupWise 6.5 client. The recommended date should be June 13 2006 in
order to ensure that the system is not vulnerable.
Patch Location:
GroupWise 6.5 <http://support.novell.com/filefinder/16963/index.html>
http://support.novell.com/filefinder/16963/index.html
GroupWise 7 <http://support.novell.com/filefinder/20641/index.html>
http://support.novell.com/filefinder/20641/index.html
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3268>
CVE-2006-3268
ADDITIONAL INFORMATION
The information has been provided by <mailto:secure@xxxxxxxxxx> Novell
Security.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NEWS] Cisco Web-Browser Interface Vulnerability
- Next by Date: [NEWS] Cisco Wireless Control System Multiple Vulnerabilities
- Previous by thread: [NEWS] Cisco Web-Browser Interface Vulnerability
- Next by thread: [NEWS] Cisco Wireless Control System Multiple Vulnerabilities
- Index(es):
Relevant Pages
|
