Thanks to a very dedicated user (Mike) a serious security issue has been found in the default configuration. This bug allows user to access data of any known email account on your system.
zarafa-gateway.service and ical.service are executed as zarafa user. This causes zarafa-server to answer any request as if it came from the administrator. In this case credentials are not checked and every access is granted.
Who is affected?
– Anybody who installed ‘>= zarafa-server-7.2.4-100’ (beginning 2016-12-10) and used the installation script, which installed the default configuration
– Anybody who uses ‘>= zarafa-server-7.2.4-1’ (beginning 2016-08-19), used the default configuration, exposed ical / gateway service (127.0.0.1 => 0.0.0.0) and left the run_as_user unchanged (run_as_user=zarafa)
How to fix?
1) Update zarafa-server to ‘zarafa-server-220.127.116.11-155’. The fix is done during installation.
2) Fix it manually…
$ vi /etc/zarafa/ical.cfg run_as_user = nobody run_as_group = nobody $ vi /etc/zarafa/gateway.cfg run_as_user = nobody run_as_group = nobody $ vi /usr/lib/tmpfiles.d/zarafa-tmpfiles.conf d /run/zarafad 0777 zarafa zarafa d /var/run/zarafad 0777 zarafa zarafa $ rm /var/run/zarafad/ical.pid $ rm /var/run/zarafad/gateway.pid $ systemd-tmpfiles –create $ systemd-tmpfiles –clean $ systemctl restart zarafa-gateway $ systemctl restart zarafa-ical