Thanks to a very dedicated user (Mike) a serious security issue has been found in the default configuration. This bug allows any user to access the data of any known email account on your system.
Details
zarafa-gateway.service and ical.service run as the zarafa user. This causes zarafa-server to answer any request from these services as if it came from the administrator: credentials are not checked and every access is granted.
Who is affected?
– Everybody who installed '>= zarafa-server-7.2.4-100' (beginning 2016-12-10) and used the installation script, which installed the default configuration
– Everybody who uses '>= zarafa-server-7.2.4-1' (beginning 2016-08-19) with the default configuration, exposed the ical / gateway service by changing its bind address from 127.0.0.1 to 0.0.0.0, and left run_as_user unchanged (run_as_user=zarafa)
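A quick way to check the two conditions above on your own host, as an added example that is not part of this post or of the Zarafa project: it reads the "key = value" lines of ical.cfg / gateway.cfg and assumes the listen address key is called server_bind (the post only mentions the 127.0.0.1 => 0.0.0.0 change).

```sh
#!/bin/sh
# Added audit script (not part of the original post or the Zarafa project).
# It reads the "key = value" lines of ical.cfg / gateway.cfg and reports the
# combination the post describes: run_as_user=zarafa plus a non-local bind.
# Assumption: the listen address key is "server_bind" (the post only says
# "127.0.0.1 => 0.0.0.0"); an unset server_bind is treated as 127.0.0.1.

# cfg_get FILE KEY: print the last uncommented value of KEY, or nothing.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# check_cfg FILE: print one finding and return its severity
#   0 = OK, 1 = run_as_user unset (review), 2 = zarafa but localhost only,
#   3 = zarafa and reachable from other hosts (the bug as shipped).
check_cfg() {
    file=$1
    user=$(cfg_get "$file" run_as_user)
    bind=$(cfg_get "$file" server_bind)
    if [ -z "$user" ]; then
        echo "REVIEW: $file does not set run_as_user (daemon default applies)"
        return 1
    fi
    if [ "$user" != "zarafa" ]; then
        echo "OK: $file runs as $user"
        return 0
    fi
    if [ -z "$bind" ] || [ "$bind" = "127.0.0.1" ]; then
        echo "WEAK: $file runs as zarafa; only safe while bound to 127.0.0.1"
        return 2
    fi
    echo "VULNERABLE: $file runs as zarafa and listens on $bind"
    return 3
}

# audit_zarafa_cfgs FILE...: check every readable file, return the worst severity.
# Usage on a real host: audit_zarafa_cfgs /etc/zarafa/ical.cfg /etc/zarafa/gateway.cfg
audit_zarafa_cfgs() {
    worst=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "SKIP: $f is not readable"
            continue
        fi
        rc=0
        check_cfg "$f" || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}
```

The exit status of audit_zarafa_cfgs is the worst finding, so it can be used directly in a monitoring check.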
How to fix?
1) Update zarafa-server to 'zarafa-server-7.2.4.29-155'. The fix is applied during installation.
OR
2) Fix it manually…
$ vi /etc/zarafa/ical.cfg
run_as_user = nobody
run_as_group = nobody
$ vi /etc/zarafa/gateway.cfg
run_as_user = nobody
run_as_group = nobody
$ vi /usr/lib/tmpfiles.d/zarafa-tmpfiles.conf
d /run/zarafad 0777 zarafa zarafa
d /var/run/zarafad 0777 zarafa zarafa
$ rm /var/run/zarafad/ical.pid
$ rm /var/run/zarafad/gateway.pid
$ systemd-tmpfiles --create
$ systemd-tmpfiles --clean
$ systemctl restart zarafa-gateway
$ systemctl restart zarafa-ical
MartiMcFly