SECURITY ADVISORY
=================
Multiple issues were discovered in CipherMail Community Gateway and
Professional/Enterprise Gateway versions 1.0.1 through 4.7.1-0, and
Webmail Messenger 1.1.1 through 3.1.1-0. These vulnerabilities have been
fixed in CipherMail Community Gateway and Professional/Enterprise
Gateway 4.8.0-0 and Webmail Messenger 3.2.0-0. You may or may not be
affected by these issues depending on your use of the CipherMail
software. We recommend that you update your CipherMail installations, or
apply the minimal patches provided through the website and support portal.

CVE-2020-12713: Incorrect Access Control
----------------------------------------
Core Security discovered that it is possible to escalate privileges from
the web interface when authenticated as an administrative user with the
'ROLE_ADMIN' role. The affected components are the Postfix main.cf
configuration editor (allowing escalation to the local root account) and
the backup restore functionality (allowing escalation to the local
djigzo account).

CipherMail Gateway 4.8.0-0 and Webmail Messenger 3.2.0-0 fix this
vulnerability by validating the main.cf input and asking for the 'sa'
system password before restoring a backup. The minimal patch also adds
validation of the main.cf input, but completely disables the backup
restore functionality in the web interface. Restoring from the command
line is still possible.
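The advisory states that the fix validates the main.cf input but does not
say how. The following is an added example, not CipherMail's code or its
minimal patch, of one defensible design for such a check in a web front
end: parse the Postfix 'name = value' syntax (comments, blank lines and
indented continuation lines), accept only parameter names on an explicit
allowlist, and reject values containing control characters so that no value
can smuggle in a second directive. The allowlist contents, the regular
expressions and the function names are constructed for this illustration;
smtpd_tls_dh1024_param_file is a genuine Postfix parameter name.

```python
"""Allowlist validator for Postfix main.cf text submitted through a web form.

Added example, not CipherMail's code. The allowlist below is a constructed
sample; a real deployment decides for itself which parameters operators may
edit from a browser.
"""
import re

# Constructed sample allowlist of parameter names an operator may edit.
ALLOWED_PARAMETERS = frozenset({
    "myhostname",
    "mydomain",
    "myorigin",
    "mydestination",
    "relayhost",
    "message_size_limit",
    "smtpd_tls_security_level",
    "smtp_tls_security_level",
    "smtpd_tls_dh1024_param_file",
})

# Postfix parameter names are lower-case identifiers.
_NAME_RE = re.compile(r"^[a-z][a-z0-9_]*$")
# Values: printable ASCII only. Tabs and other control characters are
# rejected so one value cannot contain an embedded line break or NUL.
_VALUE_RE = re.compile(r"^[\x20-\x7e]*$")


def parse_main_cf(text):
    """Parse main.cf syntax into an ordered list of (name, value) pairs.

    Rules implemented: '#' at column 0 starts a comment, a line beginning
    with whitespace continues the previous value, blank lines are ignored.
    Raises ValueError on anything else.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t":
            if not entries:
                raise ValueError(f"line {lineno}: continuation without a parameter")
            name, value = entries[-1]
            entries[-1] = (name, (value + " " + raw.strip()).strip())
            continue
        if "=" not in raw:
            raise ValueError(f"line {lineno}: expected 'name = value'")
        name, _, value = raw.partition("=")
        entries.append((name.strip(), value.strip()))
    return entries


def validate_main_cf(text, allowed=ALLOWED_PARAMETERS):
    """Return a list of problems; an empty list means the text may be saved."""
    try:
        entries = parse_main_cf(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    seen = set()
    for name, value in entries:
        if not _NAME_RE.match(name):
            problems.append(f"malformed parameter name {name!r}")
        elif name not in allowed:
            problems.append(f"parameter {name!r} is not on the allowlist")
        if name in seen:
            problems.append(f"parameter {name!r} set more than once")
        seen.add(name)
        if not _VALUE_RE.match(value):
            problems.append(f"value of {name!r} contains non-printable characters")
    return problems


if __name__ == "__main__":
    # Constructed sample input: one allowed parameter, one unlisted one.
    sample = "myhostname = mail.example.org\nsome_unlisted_parameter = x\n"
    for problem in validate_main_cf(sample):
        print("rejected:", problem)
```

Rejecting on an allowlist rather than a denylist is the point: the editor
then cannot be used to set any parameter the product did not deliberately
expose, whatever that parameter does.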

CVE-2020-12714: Inadequate Encryption Strength
----------------------------------------------
We discovered that the default Postfix configuration of CipherMail
virtual appliances contains a weak Diffie-Hellman parameter. This could
compromise communications between SMTP clients and CipherMail products.
The vulnerability should only be an issue if you rely on TLS for the
security of inter-mailserver SMTP traffic (for example, with DANE and
STARTTLS).

CipherMail Gateway 4.8.0-0 and Webmail Messenger 3.2.0-0 fix this
vulnerability by configuring Postfix to use a stronger Diffie-Hellman
parameter. The minimal patch does exactly the same.
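To verify that the Diffie-Hellman parameter file a Postfix instance is
pointed at (through smtpd_tls_dh1024_param_file) is large enough, here is an
added example, not CipherMail's code or its minimal patch, that parses the
PEM "DH PARAMETERS" blob without external tools and reports the size of the
modulus. The PKCS#3 structure it decodes is SEQUENCE { INTEGER p, INTEGER g
[, INTEGER privateValueLength] }. The 2048-bit threshold is an assumed
policy value, and the encoder is included only so that the check can be
exercised on constructed input; the moduli it is fed in the usage are
format-correct odd numbers, not real primes.

```python
"""Report the size of the Diffie-Hellman group in a PEM "DH PARAMETERS" file.

Added example, not CipherMail's code. Only the PKCS#3 DHParameter structure
is parsed: SEQUENCE { INTEGER p, INTEGER g [, INTEGER privateValueLength] }.
"""
import base64
import re

MIN_DH_BITS = 2048  # assumed policy threshold, not a value from the advisory

_PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----\s*(.*?)\s*-----END DH PARAMETERS-----", re.S
)


def _read_tlv(data, pos):
    """Read one DER tag-length-value at data[pos]; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    """Encode a non-negative int as a minimal DER INTEGER (0x00 pad when MSB set)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_length(len(body)) + body


def encode_dh_parameters_pem(p, g=2):
    """Build a PEM DH PARAMETERS blob; used here only to construct test input."""
    seq = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_length(len(seq)) + seq
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def dh_parameter_bits(pem_text):
    """Return (bit length of p, generator g) from a PEM DH PARAMETERS blob."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    tag, p_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    tag, g_bytes, _ = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER g")
    # p and g are positive, so a leading 0x00 sign byte needs no special handling.
    p = int.from_bytes(p_bytes, "big")
    g = int.from_bytes(g_bytes, "big")
    return p.bit_length(), g


def dh_parameters_acceptable(pem_text, min_bits=MIN_DH_BITS):
    """True if the group modulus meets the policy threshold."""
    bits, _ = dh_parameter_bits(pem_text)
    return bits >= min_bits


if __name__ == "__main__":
    # Constructed 1024-bit and 2048-bit moduli (odd numbers, not real primes).
    for p in ((1 << 1023) | 1, (1 << 2047) | 1):
        pem = encode_dh_parameters_pem(p)
        bits, g = dh_parameter_bits(pem)
        print(f"{bits}-bit group, g={g}: "
              f"{'ok' if dh_parameters_acceptable(pem) else 'too small'}")
```

On a live system the same check is `openssl dhparam -in FILE -text -noout`,
which prints the group size; the code above only shows what that size is
read from.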

More information
----------------
Customers with a support contract can contact our support desk at
support(a)ciphermail.com. We can help you figure out whether you are
affected by these vulnerabilities and can assist you with updating or
patching your installations.

Some background information on these vulnerabilities and patch
instructions can be found on our blog:
https://www.ciphermail.com/blog/ciphermail-cve-2020-12713_2020-12714.html

--
Imre Jonk
System Administrator
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF encryption and secure webmail pull.
W: https://www.ciphermail.com/
E: info(a)ciphermail.com
T: +31 20 290 0088