Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2014-2021 Tenable Network Security, Inc.MANDRIVA_MDVSA-2014-182.NASL
HistorySep 25, 2014 - 12:00 a.m.

Mandriva Linux Security Advisory : zarafa (MDVSA-2014:182)

2014-09-2500:00:00
This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.
www.tenable.com
12
JSON

Updated zarafa packages fix security vulnerabilities :

Robert Scheck reported that Zarafa’s WebAccess stored session information, including login credentials, on-disk in PHP session files. This session file would contain a user’s username and password to the Zarafa IMAP server (CVE-2014-0103).

Robert Scheck discovered that the Zarafa Collaboration Platform has multiple incorrect default permissions (CVE-2014-5447, CVE-2014-5448, CVE-2014-5449, CVE-2014-5450).

#%NASL_MIN_LEVEL 70300

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Mandriva Linux Security Advisory MDVSA-2014:182. 
# The text itself is copyright (C) Mandriva S.A.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(77839);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");

  script_cve_id("CVE-2014-0103", "CVE-2014-5447", "CVE-2014-5448", "CVE-2014-5449", "CVE-2014-5450");
  script_bugtraq_id(68247, 69362, 69365, 69369, 69370);
  script_xref(name:"MDVSA", value:"2014:182");

  script_name(english:"Mandriva Linux Security Advisory : zarafa (MDVSA-2014:182)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Mandriva Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Updated zarafa packages fix security vulnerabilities :

Robert Scheck reported that Zarafa's WebAccess stored session
information, including login credentials, on-disk in PHP session
files. This session file would contain a user's username and password
to the Zarafa IMAP server (CVE-2014-0103).

Robert Scheck discovered that the Zarafa Collaboration Platform has
multiple incorrect default permissions (CVE-2014-5447, CVE-2014-5448,
CVE-2014-5449, CVE-2014-5450)."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://advisories.mageia.org/MGASA-2014-0380.html"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64zarafa-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64zarafa0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-mapi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:python-MAPI");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:zarafa");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:zarafa-archiver");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:zarafa-caldav");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:zarafa-client");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:zarafa-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:zarafa-dagent");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:zarafa-gateway");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:zarafa-ical");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:zarafa-indexer");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:zarafa-monitor");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:zarafa-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:zarafa-spooler");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:zarafa-utils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:zarafa-webaccess");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/09/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/25");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);


flag = 0;
if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"lib64zarafa-devel-7.1.8-1.1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"lib64zarafa0-7.1.8-1.1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"php-mapi-7.1.8-1.1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"python-MAPI-7.1.8-1.1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"zarafa-7.1.8-1.1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"zarafa-archiver-7.1.8-1.1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"zarafa-caldav-7.1.8-1.1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"zarafa-client-7.1.8-1.1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"zarafa-common-7.1.8-1.1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"zarafa-dagent-7.1.8-1.1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"zarafa-gateway-7.1.8-1.1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"zarafa-ical-7.1.8-1.1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"zarafa-indexer-7.1.8-1.1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"zarafa-monitor-7.1.8-1.1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"zarafa-server-7.1.8-1.1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"zarafa-spooler-7.1.8-1.1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"zarafa-utils-7.1.8-1.1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", reference:"zarafa-webaccess-7.1.8-1.1.mbs1")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
  else security_note(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
VendorProductVersionCPE
mandrivalinuxlib64zarafa-develp-cpe:/a:mandriva:linux:lib64zarafa-devel
mandrivalinuxlib64zarafa0p-cpe:/a:mandriva:linux:lib64zarafa0
mandrivalinuxphp-mapip-cpe:/a:mandriva:linux:php-mapi
mandrivalinuxpython-mapip-cpe:/a:mandriva:linux:python-mapi
mandrivalinuxzarafap-cpe:/a:mandriva:linux:zarafa
mandrivalinuxzarafa-archiverp-cpe:/a:mandriva:linux:zarafa-archiver
mandrivalinuxzarafa-caldavp-cpe:/a:mandriva:linux:zarafa-caldav
mandrivalinuxzarafa-clientp-cpe:/a:mandriva:linux:zarafa-client
mandrivalinuxzarafa-commonp-cpe:/a:mandriva:linux:zarafa-common
mandrivalinuxzarafa-dagentp-cpe:/a:mandriva:linux:zarafa-dagent
Rows per page:
1-10 of 191

Related

mageia 1
securityvulns 2
openvas 8
nessus 4
fedora 8
cve 5
ubuntucve 4
prion 5
mageia
mageia
Updated zarafa packages fix multiple vulnerabilities
2014-09-22 12:31:24
securityvulns
securityvulns
[ MDVSA-2014:182 ] zarafa
2014-10-14 00:00:00
Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
2014-10-14 00:00:00
openvas
openvas
Fedora Update for zarafa FEDORA-2014-9754
2014-08-31 00:00:00
Fedora Update for zarafa FEDORA-2014-9768
2014-09-03 00:00:00
Fedora Update for zarafa FEDORA-2014-7896
2014-07-28 00:00:00
nessus
nessus
Fedora 19 : zarafa-7.1.10-4.fc19 (2014-9768)
2014-09-03 00:00:00
Fedora 20 : zarafa-7.1.10-4.fc20 (2014-9754)
2014-08-30 00:00:00
Fedora 19 : zarafa-7.1.10-2.fc19 (2014-7889)
2014-07-28 00:00:00
fedora
fedora
[SECURITY] Fedora 19 Update: zarafa-7.1.10-4.fc19
2014-09-02 06:45:25
[SECURITY] Fedora 20 Update: zarafa-7.1.10-4.fc20
2014-08-30 03:55:03
[SECURITY] Fedora 20 Update: zarafa-7.1.10-2.fc20
2014-07-28 03:24:40
cve
cve
CVE-2014-5447
2014-10-20 15:55:00
CVE-2014-5450
2018-03-19 21:29:00
CVE-2014-5448
2014-10-20 15:55:00
ubuntucve
ubuntucve
CVE-2014-5447
2014-10-20 00:00:00
CVE-2014-5450
2018-03-19 00:00:00
CVE-2014-5449
2014-10-20 00:00:00
prion
prion
Design/Logic Flaw
2014-10-20 15:55:00
Information disclosure
2018-03-19 21:29:00
Design/Logic Flaw
2014-10-20 15:55:00
JSON
Related for MANDRIVA_MDVSA-2014-182.NASL
mageia1securityvulns2openvas8nessus4fedora8cve5ubuntucve4prion5