Attackers Target Enterprises Through Tool
Monday, August 29, 2016 @ 01:08 PM gHale
Patches are available for multiple vulnerabilities in Micro Focus’ GroupWise collaboration tool.
GroupWise provides email, task management, calendar, instant messaging, and contact and document management capabilities for large organizations.
SEC Consult discovered different types of vulnerabilities in GroupWise 2014 R2 SP1, which addresses the possibility for remote attacks.
A more serious issue is a persistent XSS in the GroupWise WebAccess message viewer.
The vulnerability, which has a case number of CVE-2016-5761, can end up leveraged by including the malicious code in an email and getting the victim to interact with that message.
Researchers also found a heap-based buffer overflow affecting the GroupWise Post Office Agent and GroupWise WebAccess.
That hole can come into play by entering a specially crafted value in the username or password fields of the login page.
“This is likely to affect the availability of the post office agent and could possibly be used to achieve remote code execution if other protection mechanisms are bypassed,” Micro Focus said in its advisory.
The WebAccess login page is often accessible directly from the Internet. That means attackers could access the installations of government and educational institutions, including in the United States, United Kingdom, Austria, South Africa, Hungary, Bulgaria, Argentina and Canada.
Micro Focus released a hot patch last week. Users have been advised to update their installations to GroupWise 2014 R2 SP1 HP1 or later. SEC Consult has published proof-of-concept (PoC) code for each of the security holes.