ISS X-Force Database: groupwise-windows-client-api-security-bypass(27550): Novell GroupWise Windows Client API unauthorized email access

Novell GroupWise Windows Client API unauthorized email access

groupwise-windows-client-api-security-bypass (27550)

Medium Risk

Description:

Novell GroupWise could allow attackers to bypass security restrictions and gain unauthorized access to other user's email, caused by an unspecified error in the Windows Client API. An attacker could exploit this vulnerability to gain unauthorized access to other users emails that use the same post office.

Consequences:

Bypass Security

Remedy:

For GroupWise 6.5:
Upgrade to the latest version of GroupWise 6.5 (SP6 Update 1 or later), as listed in Novell Technical Information Document TID2974006. See References.

For GroupWise 7.0:
Upgrade to the latest version of GroupWise 7.0 (SP1 or later), as listed in Novell Technical Information Document TID2973921. See References.

References:

Full-Disclosure Mailing List, Thu Jun 29 2006 - 10:14:18 CDT: Novell Security Announcement NOVELL-SA:2006:001.
Novell Technical Information Document TID2973921: GroupWise 7 Client SP1 English Only.
Novell Technical Information Document TID2974006: GroupWise 6.5 SP6 Full Update 1.
Novell Technical Information Document TID2974006: GroupWise 6.5 SP6 Full Update 1.
BID-18716: Novell Groupwise Windows Client API Unauthorized Email Access Vulnerability
CVE-2006-3268: Unspecified vulnerability in the Windows Client API in Novell GroupWise 5.x through 7 might allow users to obtain random programmatic access to other email within the same post office.
SA20888: Novell GroupWise Windows Client Email Access Vulnerability
SECTRACK ID: 1016404: Novell GroupWise API May Let Remote Authenticated Users Access Random User E-mails
VUPEN/ADV-2006-2594: Novell GroupWise Windows Client API Unauthorized Email Access Vulnerability

Platforms Affected:

Novell GroupWise 32-bit Client
Novell GroupWise 5.2
Novell GroupWise 5.5
Novell GroupWise 6.0 SP3
Novell GroupWise 6.0 SP2
Novell GroupWise 6.0 SP1
Novell GroupWise 6.0 SP4
Novell GroupWise 6.0
Novell GroupWise 6.5 SP4
Novell GroupWise 6.5 SP5
Novell GroupWise 6.5
Novell GroupWise 6.5 SP3
Novell GroupWise 6.5 SP1
Novell GroupWise 6.5 SP2
Novell GroupWise 6.5.2
Novell GroupWise 6.5.3
Novell GroupWise 6.5.4
Novell GroupWise 7.0

Reported:

Jun 28, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page