SECURITY ADVISORY
=================

A security issue was discovered in CipherMail Webmail Messenger 1.1.1
through 4.1.4. The vulnerability has been fixed in CipherMail Webmail
Messenger 4.2.1. We recommend that you update your CipherMail Webmail
Messenger installations.

CVE-2022-28218: Insecure Permissions
------------------------------------

A local attacker can read a Roundcube configuration file that contains
secret keys. These keys are used to encrypt passwords and authenticate
login requests. An attacker with access to these keys could circumvent
two-factor authentication and possibly decrypt passwords.

Applying the 4.2.1 update will cause the secret keys to be rotated.
This will force all users to log in again.

Customers who are still using the 3.4.0 release on CentOS 7 can use the
following procedure to mitigate the vulnerability:
1. Connect to the CipherMail Console interface and choose
   'File' -> 'Open shell' to get a shell.

2. Change directory:

       $ cd /usr/share/roundcube-ciphermail/roundcube/config

3. Set ACL:

       $ sudo setfacl -m u:apache:r,u:djigzo-jetty:r local.config.inc.php

4. Set secure permissions:

       $ sudo chmod 640 local.config.inc.php

5. Clear old secrets:

       $ sudo sh -c 'echo "<?php" > local.config.inc.php'

6. Generate new secrets:

       $ sudo systemctl restart roundcube-ciphermail

7. Restart the frontend:

       $ sudo systemctl restart djigzo-jetty
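As an added check (not part of this advisory and not CipherMail's own tooling), the following POSIX shell function reports whether a secret-bearing file such as local.config.inc.php is still readable by every local user, which is the condition step 4 above removes. It assumes GNU stat (with a BSD stat fallback) and does not inspect the setfacl entries from step 3; review those with getfacl.

```shell
#!/bin/sh
# Added example, not CipherMail's own code: flag secret-bearing config files
# that are still readable by "other" users (mode bit 0004). Assumes GNU stat
# (Linux) with a BSD stat fallback; extra ACL entries added with setfacl are
# not inspected, so review them separately with getfacl.

# Print the octal permission bits of a file, e.g. 644 or 640.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_secret_file_perms PATH
# Returns 0 when PATH exists and is not world-readable, 1 otherwise.
check_secret_file_perms() {
    path=$1
    if [ ! -f "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    mode=$(file_mode "$path")
    other=${mode#"${mode%?}"}          # last octal digit = "other" bits
    if [ $((other & 4)) -ne 0 ]; then
        echo "EXPOSED  $path mode=$mode (readable by every local user)"
        return 1
    fi
    echo "OK       $path mode=$mode"
    return 0
}

# Demo on a constructed file standing in for local.config.inc.php.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/local.config.inc.php"
printf '<?php\n// constructed sample, not a real key\n' > "$demo_file"
chmod 644 "$demo_file"
check_secret_file_perms "$demo_file" || true   # EXPOSED
chmod 640 "$demo_file"
check_secret_file_perms "$demo_file"           # OK
rm -rf "$demo_dir"
```

Run it against the real config path after applying the procedure; an EXPOSED line means the chmod step has not taken effect.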

More information
----------------

Customers with a support contract can contact our support desk at
support(a)ciphermail.com. We can help you figure out whether you are
affected by these vulnerabilities and can assist you with securing your
installations.

--
Imre Jonk
IT Automation Engineer
CipherMail B.V.