The following cyber advisory was issued by the New York State Office of Cyber Security (OCS) and is
intended for State government entities. The information may or may not be applicable to the
general public and accordingly, the State does not warrant its use for any specific purposes.

OCS ADVISORY NUMBER:
2013-007

DATE(S) ISSUED:
02/01/2013

SUBJECT:
Multiple Vulnerabilities in Novell GroupWise Could Allow Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Novell GroupWise that could allow for remote code execution. Novell GroupWise is a collaborative software product that includes e-mail, calendars, instant messaging and document management. These vulnerabilities can be exploited if a user visits a specially crafted web page. Successful exploitation could allow an attacker to gain the same privileges as the affected user. An attacker could then install programs; view, change, or delete data; or create new accounts. Unsuccessful exploitation attempts may result in a denial-of-service condition.

SYSTEMS AFFECTED:

  • GroupWise Client for Windows 8.0x up to and including 8.0.3 HP1
  • GroupWise Client for Windows 2012 up to and including 2012.0 SP1

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High 

Home users: N/A

DESCRIPTION:
Multiple vulnerabilities have been discovered in GroupWise that can lead to remote code execution. They stem from a flaw in an ActiveX control and from untrusted pointer dereference errors.

The GroupWise Client for Windows has a vulnerability in an ActiveX control that can be exploited when a user opens a specially crafted file or visits a specially crafted web page. A remote attacker could then execute arbitrary code on vulnerable installations of Novell GroupWise.

The GroupWise Client for Windows is also vulnerable to multiple untrusted pointer dereference vulnerabilities, which a remote attacker could exploit to compromise a vulnerable system.

These vulnerabilities could be exploited via a specially crafted e-mail or a specially crafted website. In the e-mail-based scenario, the user would have to open the specially crafted file as an e-mail attachment. In the web-based scenario, a user would visit a website and then open the specially crafted file that is hosted on the web page.

Successful exploitation could allow an attacker to gain the same privileges as the affected user. An attacker could then install programs; view, change, or delete data; or create new accounts. Unsuccessful exploitation attempts may result in a denial-of-service condition.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • For GroupWise 8 users, apply GroupWise 8.0.3 Hot Patch 2 (or later) to vulnerable systems immediately after appropriate testing.
  • For GroupWise 2012 users, apply GroupWise 2012 SP1 Hot Patch 1 to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Remind users not to open e-mail attachments from unknown users or suspicious e-mails from trusted sources.

REFERENCES:
Novell:
http://www.novell.com/support/kb/doc.php?id=7011688
http://www.novell.com/support/kb/doc.php?id=7011687 

SecurityFocus:
http://www.securityfocus.com/bid/57657
http://www.securityfocus.com/bid/57658 

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0804