Critical Vulnerabilities Addressed in SecurEnvoy SecurMail
Multiple critical vulnerabilities impacting SecurEnvoy SecurMail could result in an attacker being able to read encrypted emails and even delete or overwrite messages in an inbox.
SecurEnvoy SecurMail was meant to provide businesses with secure email communications and claims to be offering organizations the full advantages of encryption without the hassle of deployment or management operations.
This week, SEC Consult revealed information on seven critical vulnerabilities in the product that “break the core security promises of the product,” as they can expose sensitive information to attackers.
The flaws were discovered during a short testing period in November 2017, SEC Consult reveals in an advisory. The discovered vulnerabilities were recently addressed with the release of SecurMail 9.2.501, or hotfix patch “1_012018.”
“As other SecureEnvoy products (besides the analyzed SecurMail) appear to be highly integrated (all products are installed with a single setup file) we suspect other components to also suffer from severe security deficits,” SEC Consult notes.
The discovered vulnerabilities include two Cross Site Scripting (CVE-2018-7703, CVE-2018-7707) flaws residing in the lack of functionality to encode user input when creating HTML pages.
The security firm also found that there are no path traversal checks in the application (CVE-2018-7705, CVE-2018-7706), and that authorization checks are only partially implemented in the application, an Insecure Direct Object Reference (CVE-2018-7704) vulnerability. These flaws could allow a legitimate recipient to read mails sent to other recipients in plain text.
The application was also plagued with a Missing Authentication and Authorization (CVE-2018-7702) flaw, where no authentication was required on the SecurEnvoy server for a client to send emails. This could allow anyone with network access to the server to arbitrarily send emails spoofing other sender addresses.
The issue could also be exploited by attackers with network access to the server to resend previous communication to arbitrary recipients. Thus, they could extract all emails stored on the server and could also modify arbitrary messages.
SecurEnvoy SecurMail was also impacted by a Cross Site Request Forgery (CVE-2018-7701) vulnerability, as no protections against such flaws existed within the web interface. Thus, an attacker could delete a victim’s email or impersonate the victim and reply to their emails. Attacks are possible against the API used to send emails, which do not require authentication on the server.
“Since these vulnerabilities were found during a very short time frame, SEC Consult believes that the product may contain a large number of other security vulnerabilities. As already several core security promises have been broken during this short crash test, no further tests were conducted,” SEC Consult notes.
The vulnerabilities were found in SecurEnvoy SecurMail version 9.1.501 and were addressed with security patch “1_012018.” Version 9.2.501 of the software is no longer vulnerable.
In their advisory, SEC Consult also published proof-of-concept code for the discovered vulnerabilities.
Ionut Arghire is an international correspondent for SecurityWeek.