SEC Consult Vulnerability Lab Security Advisory < 20180312-0 >
=======================================================================
              title: Multiple Critical Vulnerabilities
            product: SecurEnvoy SecurMail
 vulnerable version: 9.1.501
      fixed version: 9.2.501 or hotfix patch "1_012018"
         CVE number: CVE-2018-7701, CVE-2018-7702, CVE-2018-7703,
                     CVE-2018-7704, CVE-2018-7705, CVE-2018-7706,
                     CVE-2018-7707
             impact: Critical
           homepage: https://www.securenvoy.com/
              found: 2017-11
                 by: W. Ettlinger (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Sending and receiving encrypted emails is not an easy or simple experience.
Businesses rely on email with an increasing amount of sensitive data sent
across their networks. A revolutionary approach that doesn't suffer from the
overheads of deployment and encryption management; just rock-solid security
to give you 100% confidence in your business communications."

URL: https://www.securenvoy.com/products/securmail/key-features.shtm


Business recommendation:
------------------------
During a brief crash test of the SecurEnvoy SecurMail application, several
severe vulnerabilities were identified that break the core security promises
of the product. They enable several different attack scenarios in which an
attacker can read other users' encrypted e-mails and overwrite or delete
e-mails stored in other users' inboxes.

As several critical vulnerabilities were identified within a very short time
frame, we expect numerous other vulnerabilities to be present. As the other
SecurEnvoy products (besides the analyzed SecurMail) appear to be highly
integrated (all products are installed with a single setup file), we suspect
other components to suffer from severe security deficits as well.
We recommend not to use SecurEnvoy products (especially SecurMail) in a
production environment until:

* a comprehensive security audit has been performed and
* state of the art security mechanisms have been adopted.


Vulnerability overview/description:
-----------------------------------
1) Cross Site Scripting (CVE-2018-7703, CVE-2018-7707)
SEC Consult did not find any functionality that encodes user input when
creating HTML pages. Therefore, persistent and reflected cross site scripting
attacks are possible throughout the application.

Some pages fail to properly decode URL-encoded parameters, so injected
characters reach the page still percent-encoded. Because of this, cross site
scripting cannot be exploited on these pages in most browsers.

2) Path Traversal (CVE-2018-7705, CVE-2018-7706)
SEC Consult did not find any path traversal checks throughout the
application. Since the application uses encrypted files as the primary
method of data storage, this vulnerability can be exploited at several
points. Using this vulnerability, a legitimate recipient can read mails sent
to other recipients in plain text.

3) Insecure Direct Object Reference (CVE-2018-7704)
Authorization checks are only partially implemented. This allows a
legitimate recipient to read mails sent to other users in plain text.

4) Missing Authentication and Authorization (CVE-2018-7702)
In order to send encrypted e-mails, a client does not need to authenticate
to the SecurEnvoy server. Therefore, anyone with network access to the
server can send arbitrary e-mails that appear to come from an arbitrary
sender address. Moreover, an attacker with network access to the server can
re-send previous communication to arbitrary recipients, which allows him/her
to extract all e-mails stored on the server. An attacker could also modify
arbitrary messages stored on the server.

5) Cross Site Request Forgery (CVE-2018-7701)
SEC Consult did not find any protection against cross site request forgery.
An attacker could use this vulnerability to delete a victim's e-mails or to
impersonate the victim and reply to his/her e-mails.

Since these vulnerabilities were found within a very short time frame, SEC
Consult believes that the product may contain a large number of other
security vulnerabilities. As several core security promises had already been
broken during this short crash test, no further tests were conducted.


Proof of concept:
-----------------
1) Cross Site Scripting
a) The following HTML fragment demonstrates reflected cross site scripting
(CVE-2018-7703):

--- snip ---
--- snip ---

b) E-mails that are sent using the HTML format can contain any