Thursday, June 23, 2005

GroupWise Password Security Issue

I'm not sure if you've heard of this "GroupWise Flaw".
Here are some links that have come through my email inbox. I'm sharing this information with you.

Novell in trouble over GroupWise flaw - ZDNET Australia

Novell GroupWise Plain Text Password Vulnerability

Overview: A vulnerability exists in the Novell GroupWise Client that will allow an attacker to identify the ID and password of the user's GroupWise email account.

Technical Description:
The username and password can be dumped out of memory for the process grpWise.exe while GroupWise is running. Using a tool such as pmdump to dump the memory of the process, the username and password are clearly visible in plain text. This can be exploited remotely as well, by using pmdump with something like PsExec from Sysinternals.

Non Novell Consultant comment:
>>> "David F" 06/22/05 4:27 pm >>>
I ran a PMdump on the Grpwise.exe process. Yes, the username and password are in clear text. The grpwise.exe dump was almost 80MB running it the way PMdump showed. I don't see this as much of a security risk as there is nothing in the dump that explicitly tells you, you are looking at a username and password. It is a lot of searching, you can't just type in the word "username" in a find box and find out what you need. You'd need to have implicit knowledge of what you were looking for and the username.

Response from GWAVA:
Other messaging clients operating under the Windows XP platform might also exhibit this vulnerability as it is very common. Please refer to the Recommendations for best practices for reducing your risk for exposure.

Recommendations: Implement screen saver password protection and log out of mail clients when leaving your workstation unattended. Install the patch when it is made available by the vendor. Migrating to Linux-based desktops such as Novell Linux Desktop would also prevent this issue.

Solution - in progress:
Novell is treating this at the Highest Priority. Development is fully engaged in investigating and resolving this issue. Novell will make a public statement once a Patch is available.

This can only be exploited if someone has access to your workstation and is able to run applications against your machine. And of course, if GroupWise is left running unattended.

Workaround: Lock your workstation when you leave your desk OR exit GroupWise when you leave. Locking your workstation should be a common habit anyway, or everything on your machine is vulnerable.

- Bucky
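
A defender's check for the exposure described above, as an added example that is not part of the original post or any vendor tool: given a memory dump of the client taken on your own test workstation and the password of a test account you control, it reports whether that password is still present in plain text, which is how you would confirm a patch once one ships. The function names, chunk size and sample bytes are assumptions constructed for illustration.

```python
import os
import tempfile

def find_secret_in_dump(path, secret, chunk_size=1 << 20):
    """Return sorted (offset, encoding) pairs where `secret` occurs in a dump file."""
    if not secret:
        raise ValueError("secret must be non-empty")
    # A Windows client may hold the string as 8-bit text or as UTF-16LE.
    needles = {"utf-8": secret.encode("utf-8"),
               "utf-16le": secret.encode("utf-16-le")}
    overlap = max(len(n) for n in needles.values()) - 1
    hits, tail, base = set(), b"", 0   # base = file offset of buf[0]
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            buf = tail + chunk
            for enc, needle in needles.items():
                pos = buf.find(needle)
                while pos != -1:
                    hits.add((base + pos, enc))
                    pos = buf.find(needle, pos + 1)
            # Carry the last bytes forward so a match split across reads is found.
            tail = buf[-overlap:] if overlap else b""
            base += len(buf) - len(tail)
    return sorted(hits)

def build_constructed_dump(path, secret, chunk_size):
    """Write constructed sample bytes (not a real dump) with two copies of `secret`."""
    wide = secret.encode("utf-16-le")
    with open(path, "wb") as fh:
        fh.write(b"\x00" * (chunk_size - 3))  # wide copy straddles a read boundary
        fh.write(wide)
        fh.write(b"\xaa" * 100)
        fh.write(secret.encode("utf-8"))
        fh.write(b"\x00" * 50)
    return chunk_size - 3, chunk_size - 3 + len(wide) + 100

if __name__ == "__main__":
    test_password = "Test-Pw-0623!"  # constructed password of a test account you control
    with tempfile.TemporaryDirectory() as tmp:
        dump = os.path.join(tmp, "constructed.dmp")
        build_constructed_dump(dump, test_password, 64)
        for offset, enc in find_secret_in_dump(dump, test_password, chunk_size=64):
            print(f"plaintext copy at offset {offset:#x} ({enc})")
```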
