SecurEnvoy SecurMail, you say? Only after this patch is applied, though
Flaws meant others could read, meddle with encrypted emails
Recently resolved vulnerabilities in SecurEnvoy's encrypted email transfer SecurMail created a way for encrypted emails in users' inboxes to be read, overwritten and deleted by others.
The flaws – uncovered by Austrian security firm SEC Consult during a crash test – included cross-site scripting, cross-site request forgery, and missing authentication flaws. In order to send encrypted emails, a client did not need to authenticate on the SecurEnvoy server, according to SEC Consult. This opened the door for hackers to either extract all emails stored on the server or to modify messages.
Separate insecure direct object reference and path traversal vulnerabilities both created means for a "legitimate recipient to read mails sent to other users in plain text".
"As we have identified several critical vulnerabilities within a very short time frame we expect numerous other vulnerabilities to be present," SEC Consult's Johannes Greil told The Register. "As other SecurEnvoy products (besides the analysed SecurMail) appear to be highly integrated (all products are installed with a single setup file) we suspect other components to also suffer from severe security deficits."
In response to queries from El Reg, SecurEnvoy confirmed that it had patched SecurMail, adding that "this issue does not affect any other SecurEnvoy products".
SEC Consult first notified SecurEnvoy about problems in SecurMail version 9.1.501 in late November. SecurEnvoy released a patch at the start of the month, clearing the way for SEC Consult to go public with an advisory.
SecurMail users are urged to upgrade as soon as possible by either applying the security patch 1_012018 or updating to version 9.2.501 of the software. ®