Information disclosure in MDaemon

#VU12775 Information disclosure in MDaemon

Published: 2018-05-17

Vulnerability identifier: #VU12775

Vulnerability risk: Low

CVSSv3.1: 2.6 [CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-310

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
MDaemon
Server applications / Mail servers

Vendor: Alt-N

Description

The vulnerability allows a remote attacker to decrypt sensitive information.

The vulnerability exists due to error in OpenPGP and S/MIME specifications when implementing end-to-end encryption of email communication. A remote attacker can decrypt encrypted data and gain access to sensitive information.

Mitigation
Update to version 18.0.1 or apply security patch.

Vulnerable software versions

MDaemon: 18.0.0, 17.5.0 - 17.5.3, 17.0.0 - 17.0.3

External links
http://www.altn.com/Support/SecurityUpdate/MD051518_MDaemon_EN/
http://efail.de/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Weak PGP and S/MIME implementation in MDaemon