2020-003 Defects in the access restriction of Sympa SOAP/HTTP interface

The Sympa Community 2021-01-06 (Update)

Synopsis

A fix is available for defects in the access restriction of Sympa SOAP/HTTP interface.

Systems Affected

• All versions of Sympa prior to 6.2.60

Problem Description

Defects has been discovered in authenticateAndRun call of Sympa SOAP/HTTP interface by which access restriction can be bypassed, and therefore these things are allowed:

• bogus session ID
• the session ID which belongs to different user

As a result, any SOAP call can be executed.

For more details see References.

This problem does not apply to environments where the SOAP/HTTP server (sympa_soap_server.fcgi) is not running.

Impact

Attacker can execute any SOAP call by privileges of any Sympa accounts.

Workarounds

• Currently no workarounds are known except shutting down SOAP/HTTP service.

Solution

• Upgrade Sympa to version 6.2.60 or later

  • Source distribution: sympa-6.2.60.tar.gz
  • Binary distributions: Check release information by distributors.

or, if you have installed Sympa using earlier version of source distribution,

• Apply a patch:

  Patch for Sympa 6.2.28 to 6.2.58: sympa-6.2.58-sa-2020-003-r1.patch

  Patch for Sympa 6.2 to 6.2.24: sympa-6.2.24-sa-2020-003-r1.patch

  Patch for Sympa 6.1.25: sympa-6.1.25-sa-2020-003-r1.patch

CVE Numbers

CVE-2020-29668

References

• GitHub issue sympa-community/sympa#1041: Unauthorised full access via SOAP API due to illegal cookie
• Sympa 6.2.60 announce

Acknowledgements

The security flaw was initially reported by Stefan Brenner.

Change log

• 2021-01-04

  Initial version published.

• 2021-01-06

  Solution: Added reference to patches for version 6.2.24 or earlier.