VYPR
High severity · 8.4 · NVD Advisory · Published Jan 11, 2016 · Updated May 6, 2026

CVE-2015-6566

Description

Zarafa-autorespond in Zarafa Collaboration Platform before 7.2.1 allows local privilege escalation via symlink attack on /tmp/zarafa-vacation-* files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Zarafa-autorespond in Zarafa Collaboration Platform (ZCP) before version 7.2.1 creates temporary files in /tmp/zarafa-vacation-* in an insecure manner, allowing a local attacker to perform a symlink attack. The vulnerability exists because the program does not securely handle the creation of temporary files, making it susceptible to following symbolic links.

Exploitation

A local user with the ability to create symlinks in /tmp can exploit this by pre-creating a symlink with a predictable name (e.g., /tmp/zarafa-vacation-) pointing to a file owned by a different user (such as a configuration file or a script). When zarafa-autorespond runs and writes to that temporary file, it follows the symlink and overwrites the target file. No authentication beyond local access is required.
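The file-creation flaw described above, as an added Python example that is not Zarafa's code: a writer that follows a symlink already present at the path, beside one that refuses it, plus a check for symlinks carrying the advisory's `zarafa-vacation-` prefix. The sandbox directory, the `-example` suffix, the file contents and all function names are assumptions made for illustration.

```python
import os
import tempfile

PREFIX = "zarafa-vacation-"  # file-name prefix taken from the advisory


def write_unsafe(path, data):
    """Vulnerable pattern: open() follows a symlink already sitting at path."""
    with open(path, "w") as fh:
        fh.write(data)


def write_safe(path, data):
    """Hardened pattern: create the file atomically, owner-only, or fail."""
    # O_EXCL fails if anything, symlink included, already exists at path;
    # O_NOFOLLOW additionally refuses a symlink as the final path component.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    with os.fdopen(os.open(path, flags, 0o600), "w") as fh:
        fh.write(data)


def planted_links(directory, prefix=PREFIX):
    """Detection check: symlinks in directory whose name starts with prefix."""
    return sorted((e.name, os.readlink(e.path)) for e in os.scandir(directory)
                  if e.name.startswith(prefix) and e.is_symlink())


def read(path):
    with open(path) as fh:
        return fh.read()


def demo():
    """Exercise both writers inside a throwaway directory (constructed data)."""
    with tempfile.TemporaryDirectory() as box:
        target = os.path.join(box, "other-users-file")  # stands in for a victim file
        link = os.path.join(box, PREFIX + "example")     # hypothetical predictable name
        write_safe(target, "original")
        os.symlink(target, link)
        found = [name for name, _ in planted_links(box)]
        try:
            write_safe(link, "autoreply state")
            refused = False
        except OSError:                                  # EEXIST (or ELOOP)
            refused = True
        kept = read(target)                              # unchanged by write_safe
        write_unsafe(link, "autoreply state")
        clobbered = read(target)                         # overwritten through the link
        return found, refused, kept, clobbered
```

`planted_links("/tmp")` can be run on a host as a point-in-time check; it reports each matching symlink with the path it points to.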

Impact

Successful exploitation allows the attacker to overwrite arbitrary files on the system with the privileges of the zarafa-autorespond process, which typically runs as a privileged user. This can lead to local privilege escalation, potentially gaining root access if the overwritten file is a system configuration or executable.

Mitigation

The issue is fixed in Zarafa Collaboration Platform version 7.2.1 and later. Users should upgrade to this version or newer. No workarounds are documented in the available references. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
