Is GroupWise vulnerable to the Mailsploit security issue?

  • 7022554
  • 15-Jan-2018
  • 15-Jan-2018

Environment

GroupWise 2014 R2 Support Pack 2
GroupWise 18

Situation

A hacker tries to get past software that filters or verifies the MIME header field From.

They do this by injecting a null.
Nulls are not allowed in SMTP, so they encode the null in either base64 or quoted-printable encoding, which is allowed in the From field of the header.

The idea is that any software that scans the From will be fooled by the legitimate text that follows the null, while the client and other software will display only the "hacked" From text in front of the null.

The GWIA has no code that scans or verifies the From.
For features like DomainKeys Identified Mail (DKIM), we let GWAVA or third parties front us.

For the GWIA and our client, what remains is to not allow the null injection to truncate the displayed From text. If the truncation is avoided, the recipient will see the oddness of the From and may suspect hacking.
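The following is an added example, written for this page and not GroupWise or GWIA code, that shows the decoding step a client or filter performs on an encoded From header, flags embedded control characters such as the null described above, shows what a display that stops at the first null would render, and renders the value without truncation so the oddness stays visible. The header values, display names and domains are constructed placeholders.

```python
import base64
import quopri
from email.header import decode_header

# ASCII control characters (including NUL) that have no business in a display name.
CONTROL_CHARS = {chr(c) for c in range(0x20)} | {"\x7f"}


def _b64_word(text: str) -> str:
    """Build an RFC 2047 base64 encoded-word from text (test-vector helper)."""
    return "=?utf-8?B?" + base64.b64encode(text.encode("utf-8")).decode("ascii") + "?="


def _qp_word(text: str) -> str:
    """Build an RFC 2047 quoted-printable encoded-word from text (test-vector helper)."""
    encoded = quopri.encodestring(text.encode("utf-8"), header=True).decode("ascii")
    return "=?utf-8?Q?" + encoded + "?="


# Constructed sample values (placeholders, not real senders).
LEGIT = "Trusted Sender <trusted@example.com>"
CLEAN_FROM = _b64_word(LEGIT)
# Same pattern as the article: text before the null, a null, then more text after it.
B64_NULL_FROM = _b64_word(LEGIT + "\x00 <other@example.net>")
QP_NULL_FROM = _qp_word(LEGIT + "\x00 <other@example.net>")


def decode_from(raw: str) -> str:
    """Decode a From header value to text, as a client does before display."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            parts.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            parts.append(chunk)
    return "".join(parts)


def scan_from(raw: str) -> dict:
    """Decode the header and report any control characters hidden by the encoding."""
    decoded = decode_from(raw)
    found = sorted({c for c in decoded if c in CONTROL_CHARS})
    return {
        "decoded": decoded,
        # What a display that treats the value as a C string would show.
        "displayed_if_truncated": decoded.split("\x00", 1)[0],
        "control_chars": found,
        "suspicious": bool(found),
    }


def display_from(raw: str) -> str:
    """Render the full decoded value, replacing control characters with a visible marker."""
    return "".join("\ufffd" if c in CONTROL_CHARS else c for c in decode_from(raw))


if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_FROM), ("b64+null", B64_NULL_FROM), ("qp+null", QP_NULL_FROM)):
        report = scan_from(raw)
        print(f"[{label}] suspicious={report['suspicious']} "
              f"controls={[hex(ord(c)) for c in report['control_chars']]}")
        print("  truncated view:", report["displayed_if_truncated"])
        print("  safe view:     ", display_from(raw))
```

The `scan_from` result shows the gap the article describes: the truncated view contains only the text in front of the null, while the decoded value still carries the text after it. `display_from` is the behaviour the resolution aims for, since nothing is dropped and the embedded control character is visible to the recipient.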

Resolution

There are FTF builds that correct this. Open an SR and ask for the most current FTF for either GroupWise 2014 R2 or GroupWise 18.