CVE-2021-28994 – Kopano ical service

March 29, 2021

Categories: Featured, News

We have recently been made aware of an issue in the Kopano ical service, which has been reported under CVE-2021-28994. This service, when (directly) exposed to the internet could be made to crash by sending a specially crafted request, leading to a Denial of Service.

Who is affected?

The Kopano ical software is certainly not mandatory, but it is part of a standard Kopano Groupware installation – when you install the software using the meta package ‘kopano-server-packages’ you will have it installed. Many system administrators have enabled the service. The problem exists in all versions of Kopano ical, and even in the Zarafa ical software (versions 6.30 and newer).

The Kopano ical software is not included in Kopano One – ical as a protocol is available but it is provided by Kopano KDav, which is set to replace kopano-ical in future versions of Kopano Groupware as well.

You are not affected by this issue when:

  • You are running Kopano One
  • You are not using kopano-ical (check if it is running with `ps aux | grep ical`)
  • You have kopano-ical exposed through a reverse proxy that sanitizes HTTP headers
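As an added example (not part of the Kopano advisory), the POSIX shell check below goes one step beyond `ps aux | grep ical`: it reads `ss -ltnp` output and flags any kopano-ical listening socket bound to a wildcard address, which is exactly the direct exposure this advisory is about. The sample lines are constructed in the `ss -ltnp` column layout, and the process name `kopano-ical` is assumed to be how the daemon shows up in that output.

```shell
#!/bin/sh
# Added example, not Kopano's code: find kopano-ical listeners that are bound to
# all interfaces rather than loopback. Reads `ss -ltnp`-style lines on stdin so
# the logic can be exercised offline with constructed input.

# Prints one line per kopano-ical listening socket and returns 1 when at least
# one of them is bound to a wildcard address (0.0.0.0, * or [::]), 0 otherwise.
check_ical_exposure() {
    exposed=0
    # Columns of `ss -ltnp`: State Recv-Q Send-Q Local Peer Process
    while read -r _state _recvq _sendq local_addr _peer process; do
        case "$process" in
            *kopano-ical*) ;;      # only look at the kopano-ical daemon
            *) continue ;;          # header line and other services are skipped
        esac
        case "$local_addr" in
            0.0.0.0:*|\*:*|\[::\]:*)
                echo "EXPOSED: kopano-ical listening on $local_addr"
                exposed=1 ;;
            *)
                echo "ok: kopano-ical listening on $local_addr" ;;
        esac
    done
    return $exposed
}

# Constructed sample output (not captured from a real host): one loopback-only
# listener, one wildcard listener, and an unrelated nginx socket.
SAMPLE_SS_OUTPUT='State Recv-Q Send-Q Local Peer Process
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:* users:(("kopano-ical",pid=1234,fd=5))
LISTEN 0 128 0.0.0.0:8443 0.0.0.0:* users:(("kopano-ical",pid=1234,fd=6))
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=999,fd=4))'

# Stand-alone run against the constructed sample.
# On a live host use:  ss -ltnp | check_ical_exposure
printf '%s\n' "$SAMPLE_SS_OUTPUT" | check_ical_exposure \
    || echo "at least one kopano-ical listener is reachable from outside"
```

A non-zero return means the daemon is directly reachable on a public interface and should either be re-bound to loopback (the default from 8.7.20 on) or placed behind one of the reverse proxies shown further down.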

How can the problem be mitigated?

Kopano has developed a fix for this issue, which will be incorporated and made available in software versions 8.7.x, 9.x and newer. Kopano Groupware versions 8.7.20 and newer contain the fix for the issue.

As a workaround, and in general as good practice, you can run the kopano-ical service behind a reverse proxy. This can be a web server of your choice. The examples below can be used for Nginx, Apache and Kopano Kweb (kopano-ical listens on 127.0.0.1:8080 in all three):

Nginx

# Place this location block inside the server { } block that listens on the public address.
location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass http://127.0.0.1:8080;
}

Apache

# Requires mod_proxy and mod_proxy_http. Note that *:8080 binds every interface,
# including 127.0.0.1:8080 where kopano-ical itself listens; when Apache and
# kopano-ical share a host, bind the VirtualHost to the public IP (as in the
# Kweb example) or to another port so the two do not contend for the socket.
<VirtualHost *:8080>
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    ServerName example.com
</VirtualHost>

Kweb

YOUR_PUBLIC_IP:8080 {
    proxy / 127.0.0.1:8080 {
        transparent
    }
}

How will it be solved in the software?

The Kopano development team is working on a resolution for the problem, which is currently being tested and prepared for release. In addition, the default configuration for the kopano-ical service has been adjusted so it will no longer listen on all public interfaces by default – this is in effect in Kopano Groupware versions 8.7.20 and newer. If you would like to expose the kopano-ical service to the internet, it is recommended to do so using a reverse proxy as described above.

As is already the case in Kopano One, kopano-ical will be replaced by Kopano KDav in future versions of Kopano Groupware.

***********************************************************************

We are committed to constantly improving our software. If you notice an issue, please do not hesitate to contact us.