A security issue was discovered in CipherMail Webmail Messenger 1.1.1
through 4.1.4. The vulnerability has been fixed in CipherMail Webmail
Messenger 4.2.1. We recommend that you update your CipherMail Webmail
CVE-2022-28218: Insecure Permissions
A local attacker can read a Roundcube configuration file that contains
secret keys. These keys are used to encrypt passwords and authenticate
login requests. An attacker with access to these keys could circumvent
two-factor authentication and possibly decrypt passwords.
Applying the 4.2.1 update will cause the secret keys to be rotated.
This will force all users to log in again.
Customers who are still using the 3.4.0 release on CentOS 7 can use the
following procedure to mitigate the vulnerability:
1. Connect to the CipherMail Console interface and choose
'File' -> 'Open shell' to get a shell.
2. Change directory:
$ cd /usr/share/roundcube-ciphermail/roundcube/config
3. Set ACL:
$ sudo setfacl -m u:apache:r,u:djigzo-jetty:r local.config.inc.php
4. Set secure permissions:
$ sudo chmod 640 local.config.inc.php
5. Clear old secrets:
$ sudo sh -c 'echo "<?php" > local.config.inc.php'
6. Generate new secrets:
$ sudo systemctl restart roundcube-ciphermail
7. Restart the frontend:
$ sudo systemctl restart djigzo-jetty
Customers with a support contract can contact our support desk at
support(a)ciphermail.com. We can help you figure out whether you are
affected by these vulnerabilities and can assist you with securing your
IT Automation Engineer
Show replies by date