Attackers Can Target Enterprises via GroupWise Collaboration Tool

Enterprise software maker Micro Focus has released patches for its GroupWise collaboration tool to address several critical vulnerabilities that expose organizations to remote attacks.

GroupWise, a collaboration solution designed for large enterprises, provides email, task management, calendar, instant messaging, and contact and document management capabilities. The product is used by many organizations around the world, including in the government, educational and financial sectors.

Researchers at IT security services and consulting company SEC Consult discovered different types of vulnerabilities in GroupWise 2014 R2 SP1, which is the latest version of the product.

A quick analysis of the tool revealed that the administrator console is plagued by two reflected cross-site scripting (XSS) flaws that can be exploited to execute arbitrary JavaScript in the context of the targeted user and potentially hijack an admin’s session (CVE-2016-5760). As with all reflected XSS weaknesses, the attack only works if the attacker can convince the victim to click on a specially crafted link.

A more serious issue is a persistent XSS in the GroupWise WebAccess message viewer. The vulnerability (CVE-2016-5761) can be exploited by including the malicious code in an email and getting the victim to interact with that message.

Researchers also identified a heap-based buffer overflow affecting the GroupWise Post Office Agent and GroupWise WebAccess. According to SEC Consult, the flaw (CVE-2016-5762) can be triggered by entering a specially crafted value in the username or password fields of the login page.

“This is likely to affect the availability of the post office agent and could possibly be used to achieve remote code execution if other protection mechanisms are bypassed,” Micro Focus said in its own advisory.

It’s worth noting that the WebAccess login page is often accessible directly from the Internet. Attackers could access the installations of many government and educational institutions, including in the United States, United Kingdom, Austria, South Africa, Hungary, Bulgaria, Argentina and Canada.

Micro Focus was notified about the vulnerabilities in early July and it released a hot patch earlier this week. Users have been advised to update their installations to GroupWise 2014 R2 SP1 HP1 or later. SEC Consult has published proof-of-concept (PoC) code for each of the security holes.

This is not the first time the security firm has analyzed Micro Focus products. In July, the company reported finding critical issues in Micro Focus’ enterprise file management and collaboration tool Filr.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
