Security Experts:

Attackers Can Target Enterprises via GroupWise Collaboration Tool

Enterprise software maker Micro Focus has released patches for its GroupWise collaboration tool to address several critical vulnerabilities that expose organizations to remote attacks.

GroupWise, a collaboration solution designed for large enterprises, provides email, task management, calendar, instant messaging, and contact and document management capabilities. The product is used by many organizations around the world, including in the government, educational and financial sectors.

Researchers at IT security services and consulting company SEC Consult discovered different types of vulnerabilities in GroupWise 2014 R2 SP1, which is the latest version of the product.

A quick analysis of the tool revealed that the administrator console is plagued by two reflected cross-site scripting (XSS) flaws that can be exploited to execute arbitrary JavaScript in the context of the targeted user and potentially hijack an admin’s session (CVE-2016-5760). As with all reflected XSS weaknesses, the attack only works if the attacker can convince the victim to click on a specially crafted link.

A more serious issue is a persistent XSS in the GroupWise WebAccess message viewer. The vulnerability (CVE-2016-5761) can be exploited by including the malicious code in an email and getting the victim to interact with that message.

Researchers also identified a heap-based buffer overflow affecting the GroupWise Post Office Agent and GroupWise WebAccess. According to SEC Consult, the flaw (CVE-2016-5762) can be triggered by entering a specially crafted value in the username or password fields of the login page.

“This is likely to affect the availability of the post office agent and could possibly be used to achieve remote code execution if other protection mechanisms are bypassed,” Micro Focus said in its own advisory.

It’s worth noting that the WebAccess login page is often accessible directly from the Internet. Attackers could access the installations of many government and educational institutions, including in the United States, United Kingdom, Austria, South Africa, Hungary, Bulgaria, Argentina and Canada.

Micro Focus was notified about the vulnerabilities in early July and it released a hot patch earlier this week. Users have been advised to update their installations to GroupWise 2014 R2 SP1 HP1 or later. SEC Consult has published proof-of-concept (PoC) code for each of the security holes.

This is not the first time the security firm has analyzed Micro Focus products. In July, the company reported finding critical issues in Micro Focus’ enterprise file management and collaboration tool Filr.

Related: McAfee Application Control Flaws Expose Critical Infrastructure

Related: Reuse of Cryptographic Keys Exposes Millions of IoT Devices

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.