Novell Groupwise contains protocol implementation vulnerability allowing email to be viewed by unauthorized user

Overview

Novell GroupWise is an email storage program. Email is encrypted when stored. Usernames and passwords can be acquired by sniffing communications between the client and server.

Description

In Novell GroupWise email is stored as encrypted data. Clients and servers operating in Live Remote or Smart Caching mode improperly set a flag. This allows an attacker sniffing communications between the client and server to acquire usernames and passwords. As a result, an attacker can read all email stored in the GroupWise system on an account by account basis. The following versions of the clients and servers are affected by a this vulnerability:

* GroupWise 5.5 Enhancement Pack
* GroupWise 5.5 Enhancement Pack SP1
* GroupWise 5.5 Enhancement Pack SP2
* GroupWise 5.5 Enhancement Pack SP3
* GroupWise 6

Client and server versions of GroupWise 5.5 and prior, and GroupWise 6 SP1 are not vulnerable. Novell has released technical details regarding this vulnerability.

Impact

Any user on the system can read all emails on that system on an acount by account basis.

---

Solution

Novell has released a patch, available at <http://support.novell.com/padlock&gt;. Both the client and server must have patches applied.

---

Vendor Information

726891

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Novell __ Affected

Notified: August 06, 2001 Updated: January 28, 2002

Status

Affected

Vendor Statement

<http://support.novell.com/padlock/details.htm&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23726891 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.securityfocus.com/bid/3189&gt;
• <http://support.novell.com/padlock/details.htm&gt;
• <http://support.novell.com/padlock&gt;

Acknowledgements

Our thanks to “Zig Ziggler” who reported this vulnerability to Novell and the CERT/CC.

This document was written by Jason Rafail.

Other Information

CVE IDs:	CVE-2001-1231
Severity Metric:	0.17 Date Public: