
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN235
_____________________________________________________________________

DATE                : 27/04/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Sympa versions prior to 6.2.62.

=====================================================================
https://sympa-community.github.io/security/2021-001.html
_____________________________________________________________________

2021-001 Inappropriate use of the cookie parameter

The Sympa Community 2021-04-27 (Initial version)


Synopsis

Operating Sympa without a properly set "cookie" parameter undermines the
protections that depend on it, and even a correctly set value may not
provide sufficient security.


Systems Affected

    All versions of Sympa prior to 6.2.62.


Problem Description

Earlier versions of Sympa require a parameter named "cookie" in the
sympa.conf configuration file.

This parameter was used to make some identifiers generated by the system
unpredictable. For example, it was used:

    As a salt when encrypting passwords stored in the database with the
RC4 symmetric-key algorithm.

    Note that RC4 is no longer considered secure and is not supported in
the current version of Sympa.

    To prevent attackers from sending crafted messages that achieve XSS
and similar attacks in message archives.

The use of this parameter had the following problems.

    This parameter, for its purpose, should be different for each
installation, and once set, it cannot be changed. As a result, some
sites have been operating without setting this parameter at all, which
completely invalidates the security measures described above.

    Even if this parameter is properly set, it may not be strong enough
to resist brute-force attacks.

For the above reasons, administrators are advised to take the measures
detailed below.


Impact

An attacker can achieve XSS and similar attacks in message archives.


Workarounds

If you are operating without setting the cookie parameter and you cannot
upgrade to the latest version of Sympa right now, set a value for this
parameter to mitigate the risk.

However, if you are running 6.2.40 or earlier, you must first convert
your RC4-encrypted passwords by running upgrade_sympa_password.pl (6.2.16
or later) or sympa.pl --md5_encode_password (earlier versions) before
setting this parameter.

Note that, after setting this parameter, you must restart all of the
Sympa services you are running (Sympa services, WWSympa, Sympa SOAP
service).
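The following shell script is an added example, not part of this advisory
or of the Sympa project. It checks whether a non-empty "cookie" line is
present in a sympa.conf file and, if it is missing, appends one with a
random 64-hex-digit value read from /dev/urandom. It deliberately refuses
to overwrite an existing value, since a value that is already in use
cannot be changed. The configuration path /etc/sympa/sympa.conf, the
"parameter value" line format and the service names in the reminder
message are assumptions; adjust them to your installation, and remember to
convert RC4-encrypted passwords first on 6.2.40 or earlier.

```shell
#!/bin/sh
# Added example (not part of the advisory or of Sympa): ensure the
# "cookie" parameter is set in sympa.conf without ever overwriting an
# existing value.  Assumed defaults: config at /etc/sympa/sympa.conf,
# one "parameter value" per line.

SYMPA_CONF="${SYMPA_CONF:-/etc/sympa/sympa.conf}"

# Print the configured cookie value, or nothing if the line is absent
# or has an empty value.  Leading/trailing whitespace is stripped.
sympa_cookie_value() {
    sed -n 's/^[[:space:]]*cookie[[:space:]]\{1,\}\([^[:space:]].*\)$/\1/p' "$1" \
        | sed 's/[[:space:]]*$//' \
        | head -n 1
}

# Succeeds (exit 0) only if a non-empty cookie value is configured.
sympa_cookie_is_set() {
    [ -n "$(sympa_cookie_value "$1")" ]
}

# Generate 32 random bytes from /dev/urandom, printed as 64 hex digits.
sympa_new_cookie() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Append a cookie line only when none is set.  Prints "added" or
# "unchanged" on stdout so callers can act on the result.  An existing
# value is never replaced: identifiers already derived from it would be
# invalidated.
sympa_ensure_cookie() {
    conf="$1"
    if sympa_cookie_is_set "$conf"; then
        echo "cookie already set in $conf; leaving it unchanged" >&2
        echo unchanged
        return 0
    fi
    printf 'cookie %s\n' "$(sympa_new_cookie)" >> "$conf"
    # Assumed service names; check the unit names used on your system.
    echo "cookie added to $conf; now restart sympa, wwsympa and sympasoap" >&2
    echo added
}

# Stand-alone usage: sympa_ensure_cookie "$SYMPA_CONF"
```

Run it as the user that owns sympa.conf and restart the Sympa, WWSympa
and SOAP services afterwards. A line such as `cookie ` with no value is
treated as unset, which is the case the advisory warns about.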


Solution

The best solution is to upgrade to Sympa 6.2.62 or later, which no
longer uses the cookie parameter.

See "Upgrading Sympa" in the Administration Manual for upgrading
instructions.


CVE Numbers

None yet.


References

    GitHub issue sympa-community/sympa#1091: Obsolete cookie parameter


Change log

    2021-04-27

    Initial version published.



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


