Technical Advisory: Multiple Vulnerabilities in MailEnable
Vendor URL: https://www.mailenable.com/
Versions affected: versions before 10.24, 9.83, 8.64, 7.62, 6.90 (20th June 2019)
Systems Affected: tested on Enterprise Premium but all versions have been patched
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier:
CVE-2019-12923, CVE-2019-12924, CVE-2019-12925, CVE-2019-12926, CVE-2019-12927
Risk: Critical, High, Medium
The MailEnable application is a popular mail server with rich features for normal and administrative users. This application mainly uses the.NET Framework.
The following vulnerabilities were discovered in the MailEnable application:
- Critical – CVE-2019-12924: XML External Entity (XXE), patched by 10.24
- High – CVE-2019-12925: Directory Traversal, patched by 10.24 and 10.25
- High, Medium – CVE-2019-12927: Stored and Reflected Cross-Site Scripting (XSS), patched by 10.24 and 10.25
- Medium – CVE-2019-12926: Incorrect Access Controls, patched by 10.24
- Medium – CVE-2019-12923: Cross-Site Request Forgery (CSRF), patched by 10.24
Impacts and Brief Details
Using an identified XXE vulnerability, unauthenticated users could read arbitrary text-based files from the server. As MailEnable’s credentials were stored in a plaintext file without any encryption, it was possible to steal all users’ credentials including the highest privileged users (SYSADMIN accounts).
Directory Traversal (CVE-2019-12925)
Multiple pages were vulnerable to directory traversal attacks. Authenticated users could add, remove, or potentially read files in/from arbitrary folders where the IIS user had permission to access. This could lead to reading other users’ credentials including the SYSADMIN accounts, reading other users emails, or adding emails or files to other users’ accounts.
Stored and Reflected XSS (CVE-2019-12927)
Various pages were vulnerable to stored and reflected XSS attacks. Apart from generic implications of XSS attacks to run tasks on behalf of victims, the session token could also be stolen due to the lack of the HttpOnly flag or it being included in some page responses.
One of the stored XSS issues was identified within the mail contents that could be exploited by unauthenticated attackers. The XSS payload was executed as soon as a user opened the malicious email. This could then be used to target all users of the application by sending further emails to everyone or by exploiting another stored XSS issues that existed in the chat messages.
Incorrect Access Controls (CVE-2019-12926)
The MailEnable solution did not use appropriate access control checks in a number of areas. As a result, it was possible to perform a number of actions when logged in as a user which that user should not have had the permission to perform. It was also possible to gain access to areas within the application for which the accounts used were supposed to have insufficient access.
Various processes were vulnerable to CSRF attacks with which for instance victims could send emails on behalf of attackers or could assign full email access to an unauthorised user.
Install the latest application patch (at least 10.25). The 10.24 patch that was released on 28/05/2019 should be sufficient to stop most of the reported vulnerabilities including all critical and high risk issues. However, it is highly recommended to use at least the 10.25 version in order to mitigate the risk of a few unpatched issues.
As we were informed by MailEnable, the future releases will include more security improvements and better security coding practices in order to address a few minor security issues as well as similar security issues in other places that might not have been included in the report.
04/05/2019: initial contact to report the identified issues
05/05/2019: response received from MailEnable
06/05/2019: all issues were reported to Peter Fregon of MailEnable
08/05/2019: MailEnable started to address the issues
28/05/2019: an update was released
20/06/2019: a few unfixed issues were reported after a quick retest
20/06/2019: a new patch was released by MailEnable
02/07/2019: Public disclosure
Peter Fregon of MailEnable for triaging the issues and keeping us updated with the progress
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.