Novell in trouble over GroupWise flaw

Three months after being informed of a serious security vulnerability in its GroupWise collaboration suite, Novell is still struggling to release an effective fix for the problem, according to a security manager.

The problem allows an attacker to obtain login details remotely, according to Jeff Truedson, network security manager for lighting manufacturer Hubbell. "A GroupWise user could have someone accessing their e-mail, they would never even know it," he wrote in an e-mail publicly disclosing the vulnerability.

Truedson said he published details about the flaw after giving Novell almost three months to fix the issue. The problem affects versions 5.5, 6.5.2 and 6.0 of GroupWise on the Microsoft Windows platform.

According to Truedson, the vendor released a test version of a patch early in June with the aim of fixing the problem. ZDNet Australia understands Novell subsequently acknowledged the patch was not effective. Truedson said he had not heard from the vendor for one month after that date.

A Novell spokesperson was not available to comment on the issue. The company's GroupWise worldwide support division is understood to be responsible for providing a fix.


Talkback 5 comments

    Anonymous -- 22/06/05

    Novell should stick to what they know best.. Making a loss.. and making the wrong technology decisions. Too many paths no real direction.

    Anonymous -- 23/06/05

    Same problem as always, try to be everything to everybody, maybe a Microsoft clone but really good at nothing much anymore. More and more NetWare customers have lost the faith and are switching to anything but Novell branded

    Anonymous -- 23/06/05

    Wow. Judging from the responses so far Microsoft is in serious trouble given that the inability to fix a single security issue within reasonable time is reason enough to drop the entire product or even anything a vendor has to offer.

    Anonymous -- 24/06/05

    This is not exclusively a Novell or GroupWise problem. This is a common vulnerability for any application that caches passwords in plaintext. Other mail applications affected are Outlook and Thunderbird. GWAVA Security Research has performed further research and released the following security advisory (below). Note that I disagree with some of the recommendations made in this advisory (screensavers and exiting the application may not be effective countermeasures).

    *Clear Text Password Vulnerability in Common Mail Clients on Windows*

    /Issue Date: June 21, 2005
    Author: Joe Bertnick/

    /_*Threat Level: Low*_/

    *Overview:*

    Passwords stored in memory as clear text for multiple mail systems
    operating on Windows desktops.

    *Affected Systems:*

    /Outlook 2003/

    /GroupWise 6.5.4 (Windows Client Only)/

    /Thunderbird 1.02 (Windows Client Only)/

    /Note: Other messaging clients operating under the Windows XP platform
    might also exhibit this vulnerability as it is very common. Please
    refer to the Recommendations for best practices for reducing your risk
    for exposure./

    *Impact:*

    Unrestricted access to the mailbox of a single user and possible
    password usage on other systems where passwords are shared in common
    by applications or end-users.

    *Details:*

    This is a common vulnerability in many client applications operating
    on the Windows operating system. GWAVA Security Research elected to
    further research the vulnerability along multiple mail platforms and
    provide a work around for customers. We are continuing to test this
    under GroupWise and other mail platforms to find other workarounds.

    There are a number of applications that cache authentication
    information in memory as plain text. GroupWise, Outlook and
    Thunderbird mail clients all operate in this manner. With a client
    loaded into memory and authenticated to the mail system, someone could
    execute a memory dump of the application and recover the password. The
    password will always be located at the same offset.

    This issue was first reported via insecurity.org by the security team
    at truedson.com as a vulnerability in GroupWise. A link follows with
    the original posting.

    Users of Windows Desktop should follow the recommendations listed
    below.

    *Recommendations:*

    Implement screen saver password protection and log out of mail clients
    when leaving your workstation unattended. Install the patch when it is
    made available by the vendor. Migrating to Linux based Desktops such
    as Novell Linux Desktop would also prevent this issue.

    *References:*

    Original Posting:
    http://seclists.org/lists/fulldisclosure/2005/Jun/0262.html
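
The caching pattern the advisory describes, next to a form that discards the password once authentication is done, as an added C example that is not part of the original article, advisory or any vendor's code. `struct session`, `fake_login` and the sample password are constructed for illustration, and the hash is only a stand-in for a real login exchange.

```c
#include <stddef.h>
#include <string.h>
#define PW_MAX 64

/* Hypothetical mail-client session state, constructed for this example. */
struct session {
    char password[PW_MAX];  /* plaintext cached for the whole session */
    unsigned long token;    /* stand-in for a server-issued session token */
};

/* Toy stand-in for a login exchange (djb2 hash); not a real KDF or protocol. */
static unsigned long fake_login(const char *pw) {
    unsigned long h = 5381;
    while (*pw) h = h * 33 + (unsigned char)*pw++;
    return h;
}

/* Zero a buffer through a volatile pointer so the store is not optimised out. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Pattern the advisory describes: the password stays in process memory. */
void login_cached(struct session *s, const char *pw) {
    strncpy(s->password, pw, PW_MAX - 1);
    s->password[PW_MAX - 1] = '\0';
    s->token = fake_login(s->password);
}

/* Hardened form: keep only the token, then wipe the caller's input buffer. */
void login_wiped(struct session *s, char *pw, size_t cap) {
    s->token = fake_login(pw);
    secure_wipe(pw, cap);
    secure_wipe(s->password, sizeof s->password);
}

/* Self-check: 1 if the bytes of `needle` occur anywhere in mem[0..len). */
int region_contains(const void *mem, size_t len, const char *needle) {
    const unsigned char *m = mem;
    size_t n = strlen(needle);
    for (size_t i = 0; n && i + n <= len; i++)
        if (memcmp(m + i, needle, n) == 0) return 1;
    return 0;
}

int main(void) {  /* exit status 0 means no plaintext is left in the session */
    struct session s = {0};
    char in[PW_MAX] = "S3cret-constructed";  /* constructed sample password */
    login_wiped(&s, in, sizeof in);
    return region_contains(&s, sizeof s, "S3cret-constructed");
}
```

On Windows the platform call `SecureZeroMemory` serves the same purpose as the `secure_wipe` helper here. Wiping shortens the window in which a dump of the process contains the password; it does not help while the password is still in use.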
