Email sales@smartertools.com I am sure they will get you to where you need to go to report the issue.

Thanks for the advise. I still wait for the official response today as I do not want to share this sensitive issues with the wrong audience. If get nothing by 4pm GMT, I will have no choice other than using the sales email. 

It would be great if a page or a knowledge base entry could be created to advise people how to report security issues.

Dude, every company has a support email address to fill out. Are you saying creating an account, writing in a public forum is easier than emailing? No response okay but it seems like yours words are more of a threat than trying to be helpful. Just saying.

Sorry you have miss-understood me. As I have said before, by 4pm I am going to send the info to their Sales email if there is no response. How is this a threat if that's how they work? I do not normally send the issue details to the sales department in the first place to decrease the exposure and to speed up the process (it is backfiring here atm though). 

I am just trying to responsibly disclose some issues to the relevant technical team, and I don't think a company should make this difficult to encourage security researchers to report responsibly. I have sent them a DM in their Twitter account but I haven't received any response yet. 

From what I have gathered so far, there is no support email unless I have missed it. There is a form you should use and that is only available to people with a valid license. I don't think it is fair to buy a license just for this purpose as I am basically contributing for free.

I agree on the form but stating "You must complete this task by X time" or I will expose you is a threat (in my mind). This is a community of people that believe in the product. Every product (I mean every product) has flaws. Contacting sales is not a bad thing. It's listed everywhere on the site. The management team actively watch these threads as well and you can even PM (private message) them. When I read what you wrote all I thought was all the bad in the world trying to come out and threaten. You could've even emailed sales (or any of their emails) and state "I believe I have found a security hole and would like to privately discuss it.". That would've been better.

Beyond that I do believe a security@smartertools.com would be a great addition (if it doesn't already exist).

Any perceived security issues can be sent to security@smartertools.com as well -- no need for an account to do that. (And I say "perceived" not to be arrogant or to discredit anyone, it's just that what some see as security issues may not necessarily BE security issues.)

Thanks for providing me with the email. I will be in touch shortly.

Just in case someone was interested to know about the patched security issues: https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-smartermail/ 

Thank you @Soroush for reporting this to us. Glad we were able to work with each other on getting this patched up. Now that these are "out there" it is very important for anyone running on an old version still to upgrade to one of the latest minors.

So just to be real clear, Versions 15 (15.7.6970) and 16(15.7.6970) are not going to be patched?  One must upgrade to version 17/100?

I have customers running a range of SmarterMail versions from 11 through to 17.

Could you provide a list of which versions are patched and which will not be patched? 

Yes, would be good to know which prior versions have these vulnerabilities. Or is it just v17?

These are quite big security vulnerabilities as they allow system level access to the server on which SmarterMail is installed to allow a hacker to compromise the server.

Now that details on these vulnerabilities are now public could SmarterTools please urgently provide lists of those versions which are vulnerable, which versions are not, and when patches will be released for any older versions that are vulnerable.

Would also be interested to know if 15 and 16's last minor updates covered this.

v16 should be tested, it would be negligent of smartertools not to check, in general Tim the contents of your post are far from professional, as a CEO I would expect better from you.

We have valid maintenance and support but we can't upgrade to v100 due to no one bothering to track down the activation issue with the installer that I raised in 2018, ST support response was to provide a manual activation key which is not a solution. I asked for more logging in the installer but that still has not happened.

Chris, 

I would suggest opening a ticket to discuss the issue with the installer, I don’t see an active ticket. Updates can only be made to current SmarterTools products.

Tim

If you are not going to be testing your own software I can tell you who will, every hacker who sees the notification and is now actively looking for SmarterMail servers to hack.

 

This is a major security vulnerability in your software that could allow servers running your software to be hacked at administrator level and your response to customers who have paid for SmarterTools license is to pay to upgrade to the latest version to have security vulnerabilities fixed!

We have recently upgraded all our own servers to SmarterMail 17, but we have over 100 customers with their own servers running various versions of SmarterMail from 11.x through to 17.x.

This puts us in a difficult position as their servers could be vulnerable and we have a legal duty to disclose this.

However, you are not giving us any information on which versions are vulnerable, except that version 16 probably is, so we have to tell all customers that their servers might or might not be vulnerable, but either way, they now need to pay for a new license for SmarterMail. This looks like you are trying to cash in on this.

As the CEO can you please re-look at this as I am sure I and many others will need to stop using your software for our own customers while you treat security vulnerabilities so lightly and try to use them as a cash cow to rake in more money.

Just for clarification as the external tester, I had only looked at the latest version of this product. This was not a thorough test (I was only looking for deserialization issues and I found other issues on the way), and similar to any other products, more issues might exist elsewhere. SmarterTools was very quick in addressing the issues, and they are also going to improve how their application uses .NET remoting in the future to mitigate risks of local privilege escalation attacks. 

I just had a quick look at free version of 14.7 to see what features are available without performing any tests. It seems CVE-2019-7214 (exploit via port 17001) and CVE-2019-7211 (XSS) might be applicable. This might suggest that these two issues exist at least since version 14.7 (I did not look at the previous versions as they were too old). Restrict remote access to port 17001 only to trusted IP addresses to mitigate risk of attacks (it should be blocked by the default settings of a Windows Firewall). As mentioned in our original recommendation: "due to the simplicity of finding and exploiting the Deserialization of Untrusted Data issue (CVE-2019-7214), it is recommended to review the server logs and activities to ensure it has not been compromised by attackers in the past".

I could not find "folder move" and download using an encrypted string functionalities in version 14.7. That said, this was just a quick look and other directory traversal or encryption issues might still exist. 

Unfortunately, I do not have the capacity to look at other features or versions as this is a very time consuming process especially without having access to the source code and its history.

We have already blocked TCP port 17001 at our network gateway after reading your report to protect customers servers running SmarterMail.

Thanks for the additional information, it is good to have confirmation that blocking this port should mitigate one of the vulnerabilities to some extent. 

Regarding the Deserialization of Untrusted Data exploit, can someone comment on this: "...it is recommended to review the server logs and activities to ensure it has not been compromised by attackers in the past."  What exactly should we be looking for?

This is to detect any incident of an attacker exploiting the application using this port (just a possibility). You need to look into the network logs to identify any unknown connections to this port in the past, and then look for any suspicious activities in the network or on the file system around the time of connecting to this port and after.

As the application runs under SYSTEM, attackers can hide their tracks on the server but this chance goes away if the logs are being kept separately in a secure server. The SmarterMail application also generates some logs that might come in handy to detect any manipulation or suspicious activities (if logs have been deleted or erased for example).

Thanks, Soroush.  Very helpful.  It would be nice if SmarterTools sent security bulletins to their customers to help with these sorts of issues.