Reporting security issues?
Question asked by Soroush Dalili - January 26 at 7:08 AM
Answered
Hi,
I have identified a number of important security issues in your product. Could you please tell me how I can report them securely without them being publicly accessible to everyone before the patch?

It seems I cannot create a support ticket without actually owning a license. There is also no form to submit the security issues.

Thanks
Soroush

24 Replies

0
echoDreamz Replied
Email sales@smartertools.com I am sure they will get you to where you need to go to report the issue.

Christopher

0
Soroush Dalili Replied
Thanks for the advice. I am still waiting for the official response today as I do not want to share these sensitive issues with the wrong audience. If I get nothing by 4pm GMT, I will have no choice other than using the sales email.

It would be great if a page or a knowledge base entry could be created to advise people how to report security issues.
0
John Marx Replied
Dude, every company has a support email address to fill out. Are you saying creating an account and writing in a public forum is easier than emailing? No response, okay, but it seems like your words are more of a threat than trying to be helpful. Just saying.
0
Soroush Dalili Replied
Sorry you have misunderstood me. As I have said before, by 4pm I am going to send the info to their Sales email if there is no response. How is this a threat if that's how they work? I do not normally send the issue details to the sales department in the first place, to decrease the exposure and to speed up the process (it is backfiring here atm though).

I am just trying to responsibly disclose some issues to the relevant technical team, and I don't think a company should make this difficult if it wants to encourage security researchers to report responsibly. I have sent them a DM on their Twitter account but I haven't received any response yet.

From what I have gathered so far, there is no support email unless I have missed it. There is a form you should use and that is only available to people with a valid license. I don't think it is fair to buy a license just for this purpose as I am basically contributing for free.

0
John Marx Replied
I agree on the form but stating "You must complete this task by X time" or I will expose you is a threat (in my mind). This is a community of people that believe in the product. Every product (I mean every product) has flaws. Contacting sales is not a bad thing. It's listed everywhere on the site. The management team actively watch these threads as well and you can even PM (private message) them. When I read what you wrote all I thought was all the bad in the world trying to come out and threaten. You could've even emailed sales (or any of their emails) and state "I believe I have found a security hole and would like to privately discuss it.". That would've been better.

Beyond that I do believe a security@smartertools.com would be a great addition (if it doesn't already exist).

1
Derek Curtis Replied
Employee Post
Any perceived security issues can be sent to security@smartertools.com as well -- no need for an account to do that. (And I say "perceived" not to be arrogant or to discredit anyone, it's just that what some see as security issues may not necessarily BE security issues.)
Derek Curtis
COO
SmarterTools Inc.
(877) 357-6278
0
Soroush Dalili Replied
Thanks for providing me with the email. I will be in touch shortly.
0
Soroush Dalili Replied
Just in case someone was interested to know about the patched security issues: https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-smartermail/ 
1
Matt Petty Replied
Employee Post
Thank you @Soroush for reporting this to us. Glad we were able to work with each other on getting this patched up. Now that these are "out there" it is very important for anyone running on an old version still to upgrade to one of the latest minors.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
1
Fred Needham Replied
So just to be real clear, Versions 15 (15.7.6970) and 16 (15.7.6970) are not going to be patched? One must upgrade to version 17/100?
3
Bruce Replied
I have customers running a range of SmarterMail versions from 11 through to 17.

Could you provide a list of which versions are patched and which will not be patched? 
2
kevind Replied
Yes, would be good to know which prior versions have these vulnerabilities. Or is it just v17?
3
Bruce Replied
These are quite big security vulnerabilities as they allow system level access to the server on which SmarterMail is installed to allow a hacker to compromise the server.

Now that details of these vulnerabilities are public, could SmarterTools please urgently provide lists of those versions which are vulnerable, which versions are not, and when patches will be released for any older versions that are vulnerable.
0
Ryan Wittenauer Replied
Would also be interested to know if 15 and 16's last minor updates covered this.
2
Tim Uzzanti Replied
Employee Post Marked As Answer
SmarterMail 15.x is a different beast and would not be affected by the same security concerns. SmarterMail 16.x is somewhat similar to the current build and could be impacted by anything that is discovered in our current versions. But we did make many file system changes in the recent version, so it's also possible that the issues are not in 16.x. Regardless, the tests were only performed against the most current build available at the time, not previous versions.

We do not have methods to build previous versions of SmarterMail. All our continual build processes, unit testing and automated QC testing are on a new platform which was part of our big transition last year for Maintenance and Support to release versions much quicker and more streamlined than ever before. If you want the latest and greatest security fixes, bug fixes, changes, and features you must be on the latest version of our products.
Tim Uzzanti
CEO
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Chris Daley Replied
v16 should be tested; it would be negligent of SmarterTools not to check. In general, Tim, the contents of your post are far from professional; as a CEO I would expect better from you.

We have valid maintenance and support but we can't upgrade to v100 due to no one bothering to track down the activation issue with the installer that I raised in 2018, ST support response was to provide a manual activation key which is not a solution. I asked for more logging in the installer but that still has not happened.
1
Tim Uzzanti Replied
Employee Post
Chris, 

I would suggest opening a ticket to discuss the issue with the installer, I don’t see an active ticket. Updates can only be made to current SmarterTools products.

Tim
Tim Uzzanti
CEO
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Bruce Replied
If you are not going to be testing your own software I can tell you who will, every hacker who sees the notification and is now actively looking for SmarterMail servers to hack.
 
0
Bruce Replied
This is a major security vulnerability in your software that could allow servers running your software to be hacked at administrator level, and your response to customers who have paid for a SmarterTools license is to pay to upgrade to the latest version to have security vulnerabilities fixed!

We have recently upgraded all our own servers to SmarterMail 17, but we have over 100 customers with their own servers running various versions of SmarterMail from 11.x through to 17.x.

This puts us in a difficult position as their servers could be vulnerable and we have a legal duty to disclose this.

However, you are not giving us any information on which versions are vulnerable, except that version 16 probably is, so we have to tell all customers that their servers might or might not be vulnerable, but either way, they now need to pay for a new license for SmarterMail. This looks like you are trying to cash in on this.

As the CEO can you please re-look at this as I am sure I and many others will need to stop using your software for our own customers while you treat security vulnerabilities so lightly and try to use them as a cash cow to rake in more money.

0
Soroush Dalili Replied
Just for clarification as the external tester, I had only looked at the latest version of this product. This was not a thorough test (I was only looking for deserialization issues and I found other issues on the way), and similar to any other product, more issues might exist elsewhere. SmarterTools was very quick in addressing the issues, and they are also going to improve how their application uses .NET remoting in the future to mitigate the risks of local privilege escalation attacks.

I just had a quick look at the free version of 14.7 to see what features are available, without performing any tests. It seems CVE-2019-7214 (exploit via port 17001) and CVE-2019-7211 (XSS) might be applicable. This might suggest that these two issues have existed at least since version 14.7 (I did not look at the previous versions as they were too old). Restrict remote access to port 17001 to trusted IP addresses only to mitigate the risk of attacks (it should be blocked by the default settings of the Windows Firewall). As mentioned in our original recommendation: "due to the simplicity of finding and exploiting the Deserialization of Untrusted Data issue (CVE-2019-7214), it is recommended to review the server logs and activities to ensure it has not been compromised by attackers in the past".

I could not find the "folder move" and "download using an encrypted string" functionalities in version 14.7. That said, this was just a quick look and other directory traversal or encryption issues might still exist.

Unfortunately, I do not have the capacity to look at other features or versions as this is a very time consuming process especially without having access to the source code and its history.
1
Bruce Replied
We have already blocked TCP port 17001 at our network gateway after reading your report to protect customers' servers running SmarterMail.

Thanks for the additional information, it is good to have confirmation that blocking this port should mitigate one of the vulnerabilities to some extent. 
0
SmarterUser Replied
Regarding the Deserialization of Untrusted Data exploit, can someone comment on this: "...it is recommended to review the server logs and activities to ensure it has not been compromised by attackers in the past."  What exactly should we be looking for?
0
Soroush Dalili Replied
This is to detect any incident of an attacker exploiting the application using this port (just a possibility). You need to look into the network logs to identify any unknown connections to this port in the past, and then look for any suspicious activities in the network or on the file system around the time of connecting to this port and after.

As the application runs under SYSTEM, attackers can hide their tracks on the server but this chance goes away if the logs are being kept separately in a secure server. The SmarterMail application also generates some logs that might come in handy to detect any manipulation or suspicious activities (if logs have been deleted or erased for example).
1
SmarterUser Replied
Thanks, Soroush.  Very helpful.  It would be nice if SmarterTools sent security bulletins to their customers to help with these sorts of issues.
