-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multiple Pre-Authentication Vulnerabilities in MailEnable SMTP [MU-200609-01]
September 29, 2006

http://labs.musecurity.com/advisories.html

Affected Product/Versions:

MailEnable Professional 2.0
MailEnable Enterprise 2.0

Product Overview:

"MailEnable's mail server software provides a powerful, scalable
hosted messaging platform for Microsoft Windows. MailEnable offers
stability, unsurpassed flexibility and an extensive feature set which
allows you to provide cost-effective mail services."

Vulnerability Details:

All three pre-authentication vulnerabilities are in the SMTP connector during
the NTLM authentication process, two of which can lead to arbitrary code
execution on the server. NTLM authentication is disabled by default, but can
be turned on by the administrator using the Messaging Manager. NTLM
authentication is unavailable in the Standard versions of MailEnable.

The first vulnerability is a buffer overflow while processing the signature
field of NTLM Type1 messages, leading to arbitrary code execution.

The second vulnerability is an out of bounds read while processing security
buffers in the base64 encoded NTLM Type1 message, leading to a denial of
service.

The third vulnerability is an out of bounds read during base64 decoding of
Type3 messages, leading to arbitrary code execution.

Vendor Response / Solution:

All users of MailEnable are recommended to immediately apply the hotfixes
available from the following URL:
http://www.mailenable.com/hotfix/MESMTP-060930.zip

All hotfixes are available from:
http://www.mailenable.com/hotfix

Mu Security would like to thank the MailEnable team for timely remediation of
these vulnerabilities.

History:

09/25/06 - First contact with the vendor
09/27/06 - Hotfix available for the vulnerabilities
09/29/06 - Advisory released

Credit:

These vulnerabilities were discovered by the Mu Security research team.

http://labs.musecurity.com/pgpkkey.txt

Mu Security offers a new class of security analysis system, delivering a
rigorous and streamlined methodology for verifying the robustness and security
readiness of any IP-based product or application. Founded by the pioneers of
intrusion detection and prevention technology, Mu Security is backed by
preeminent venture capital firms that include Accel Partners, Benchmark
Capital and DAG Ventures. The company is headquartered in Sunnyvale, CA. For
more information, visit the company's website at http://www.musecurity.com.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (Darwin)

iD8DBQFFHYNxMl+docYeP+YRAuTOAJ9lMgKyRqpKFcd2M/16KRbGKYP7hQCgkh8t
sXxOWSX8VLlncvT8zvw3kvo=
=j0nl
-----END PGP SIGNATURE-----