Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Attackers Can Target Enterprises via GroupWise Collaboration Tool

Enterprise software maker Micro Focus has released patches for its GroupWise collaboration tool to address several critical vulnerabilities that expose organizations to remote attacks.

Enterprise software maker Micro Focus has released patches for its GroupWise collaboration tool to address several critical vulnerabilities that expose organizations to remote attacks.

GroupWise, a collaboration solution designed for large enterprises, provides email, task management, calendar, instant messaging, and contact and document management capabilities. The product is used by many organizations around the world, including in the government, educational and financial sectors.

Researchers at IT security services and consulting company SEC Consult discovered different types of vulnerabilities in GroupWise 2014 R2 SP1, which is the latest version of the product.

A quick analysis of the tool revealed that the administrator console is plagued by two reflected cross-site scripting (XSS) flaws that can be exploited to execute arbitrary JavaScript in the context of the targeted user and potentially hijack an admin’s session (CVE-2016-5760). As with all reflected XSS weaknesses, the attack only works if the attacker can convince the victim to click on a specially crafted link.

A more serious issue is a persistent XSS in the GroupWise WebAccess message viewer. The vulnerability (CVE-2016-5761) can be exploited by including the malicious code in an email and getting the victim to interact with that message.

Researchers also identified a heap-based buffer overflow affecting the GroupWise Post Office Agent and GroupWise WebAccess. According to SEC Consult, the flaw (CVE-2016-5762) can be triggered by entering a specially crafted value in the username or password fields of the login page.

“This is likely to affect the availability of the post office agent and could possibly be used to achieve remote code execution if other protection mechanisms are bypassed,” Micro Focus said in its own advisory.

It’s worth noting that the WebAccess login page is often accessible directly from the Internet. Attackers could access the installations of many government and educational institutions, including in the United States, United Kingdom, Austria, South Africa, Hungary, Bulgaria, Argentina and Canada.

Micro Focus was notified about the vulnerabilities in early July and it released a hot patch earlier this week. Users have been advised to update their installations to GroupWise 2014 R2 SP1 HP1 or later. SEC Consult has published proof-of-concept (PoC) code for each of the security holes.

This is not the first time the security firm has analyzed Micro Focus products. In July, the company reported finding critical issues in Micro Focus’ enterprise file management and collaboration tool Filr.

Related: McAfee Application Control Flaws Expose Critical Infrastructure

Related: Reuse of Cryptographic Keys Exposes Millions of IoT Devices

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

A new report finds that barely 1% of all SBOMs being generated today meets the “minimum elements” defined by the U.S. government.

Application Security

A security vulnerability identified on AliExpress, the wholesale marketplace owned by the Chinese e-commerce giant Alibaba, could have been exploited by hackers to hijack...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...