CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Attackers Can Target Enterprises via GroupWise Collaboration Tool

Enterprise software maker Micro Focus has released patches for its GroupWise collaboration tool to address several critical vulnerabilities that expose organizations to remote attacks.

Enterprise software maker Micro Focus has released patches for its GroupWise collaboration tool to address several critical vulnerabilities that expose organizations to remote attacks.

GroupWise, a collaboration solution designed for large enterprises, provides email, task management, calendar, instant messaging, and contact and document management capabilities. The product is used by many organizations around the world, including in the government, educational and financial sectors.

Researchers at IT security services and consulting company SEC Consult discovered different types of vulnerabilities in GroupWise 2014 R2 SP1, which is the latest version of the product.

A quick analysis of the tool revealed that the administrator console is plagued by two reflected cross-site scripting (XSS) flaws that can be exploited to execute arbitrary JavaScript in the context of the targeted user and potentially hijack an admin’s session (CVE-2016-5760). As with all reflected XSS weaknesses, the attack only works if the attacker can convince the victim to click on a specially crafted link.

A more serious issue is a persistent XSS in the GroupWise WebAccess message viewer. The vulnerability (CVE-2016-5761) can be exploited by including the malicious code in an email and getting the victim to interact with that message.

Researchers also identified a heap-based buffer overflow affecting the GroupWise Post Office Agent and GroupWise WebAccess. According to SEC Consult, the flaw (CVE-2016-5762) can be triggered by entering a specially crafted value in the username or password fields of the login page.

“This is likely to affect the availability of the post office agent and could possibly be used to achieve remote code execution if other protection mechanisms are bypassed,” Micro Focus said in its own advisory.

It’s worth noting that the WebAccess login page is often accessible directly from the Internet. Attackers could access the installations of many government and educational institutions, including in the United States, United Kingdom, Austria, South Africa, Hungary, Bulgaria, Argentina and Canada.

Advertisement. Scroll to continue reading.

Micro Focus was notified about the vulnerabilities in early July and it released a hot patch earlier this week. Users have been advised to update their installations to GroupWise 2014 R2 SP1 HP1 or later. SEC Consult has published proof-of-concept (PoC) code for each of the security holes.

This is not the first time the security firm has analyzed Micro Focus products. In July, the company reported finding critical issues in Micro Focus’ enterprise file management and collaboration tool Filr.

Related: McAfee Application Control Flaws Expose Critical Infrastructure

Related: Reuse of Cryptographic Keys Exposes Millions of IoT Devices

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.