Researchers find critical flaws in SecurEnvoy SecurMail, patch now!
If you’re a user of SecurEnvoy SecurMail and you haven’t yet implemented the latest patch, do so now – or risk getting your encrypted emails read by attackers.
The warning comes from SEC Consult researchers, who discovered a number of vulnerabilities in the product that break its core security promises.
The vulnerabilities
They found seven CVE-assigned flaws, including path traversal and insecure direct object reference vulnerabilities that could allow a legitimate recipient to read emails sent to other recipients in plain text, and a missing authentication and authorization flaw that could allow an attacker to extract or modify emails stored on the server or overwrite or delete e-mails stored in other users’ inboxes.
And that is likely just the beginning.
“The software package features multiple different components (e.g., 2 factor/token auth) where we only took a look at the ‘SecurMail’ application,” Johannes Greil, the Head of SEC Consult Vulnerability Lab, told Help Net Security.
“As we have identified several critical vulnerabilities within a very short time frame [during a brief crash test] we expect numerous other vulnerabilities to be present. As other SecureEnvoy products (besides the analyzed SecurMail) appear to be highly integrated (all products are installed with a single setup file) we suspect other components to also suffer from severe security deficits.”
Recommendations
In general, they do not recommend the used of SecurMail and other SecurEnvoy products until a comprehensive security audit has been performed and state of the art security mechanisms have been adopted.
But, for those who would still like to continue using SecurMail, the company has provided a patch earlier this month that fixes the seven vulnerabilities reported by SEC Consult.
“Customers of SecurEnvoy should immediately apply the security patch ‘1_012018’ or update to version 9.2.501 of the software,” the researchers advised.
More details about the vulnerabilities as well as Proof-of-Concept exploits for them can be found in this security advisory.