SEC Consult researchers raised the alert after discovering a number of vulnerabilities in the product that break its core security promises.
Seven CVE-assigned flaws were identified, including path traversal and insecure direct object reference vulnerabilities that could allow a legitimate recipient to read emails sent to other recipients in plain text, and a missing authentication and authorization flaw that could allow an attacker to extract or modify emails stored on the server or overwrite or delete e-mails stored in other users’ inboxes.
“The software package features multiple different components (e.g., 2 factor/token auth) where we only took a look at the ‘SecurMail’ application,” Johannes Greil, the Head of SEC Consult Vulnerability Lab, told Help Net Security.
“As we have identified several critical vulnerabilities within a very short time frame [during a brief crash test] we expect numerous other vulnerabilities to be present. As other SecureEnvoy products (besides the analyzed SecurMail) appear to be highly integrated (all products are installed with a single setup file) we suspect other components to also suffer from severe security deficits.”
In general, they do not recommend the use of SecurMail and other SecurEnvoy products until a comprehensive security audit has been performed and state-of-the-art security mechanisms have been adopted.
But for those who would still like to continue using SecurMail, the company provided a patch earlier this month that fixes the seven vulnerabilities reported by SEC Consult.
“Customers of SecurEnvoy should immediately apply the security patch ‘1_012018’ or update to version 9.2.501 of the software,” the researchers advised.
More details about the vulnerabilities as well as Proof-of-Concept exploits for them can be found in this security advisory.
Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker/Pentester, Malware Researcher and Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.