vulnerable to CVE-2021-32233, CVE-2021-32234 and CVE-2021-43977
Problem reported by webtomten - 12/2/2021 at 9:50 PM

I got this abuse report from my ISP, is it true that smartermail 16 is not safe at all? 

The report
Dear reader,

This message contains information about one or more systems within your AS that are likely to be running a vulnerable version of the mail server solution SmarterMail. This version is most likely vulnerable to CVE-2021-32233, CVE-2021-32234 and CVE-2021-43977, allowing an attacker to gain control over this system.

On 30 April 2021, we opened case DIVD-2021-00006 to address multiple vulnerabilities known as CVE-2021-32233, CVE-2021-32234 and CVE-2021-43977 in SmarterMail, affecting all versions of SmarterMail 16.x and SmarterMail before 100.0.7803 (May 13, 2021).

This is our first round of notification based on information about servers running a vulnerable version of SmarterMail. The following server is on this list:

IP: x.x.x.x
Version: 16.3.6885

We advise you to upgrade your SmarterMail solution to the latest version as soon as possible.
For more information: https://csirt.divd.nl/cases/DIVD-2021-00006/

If you have any questions or need help in mitigating this vulnerability, do not hesitate to contact us: csirt@divd.nl.

Could you please send a confirmation and keep us informed when this issue is fixed?

The DIVD is a non-profit organization that strives to make the internet safer.
We have discovered and reported hundreds of thousands of data leaks and thousands of security issues worldwide.

Thank you for your time.
Kind regards,

Any idea how to fix this without buying a new version?
Best regards,
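Since several posters report receiving many of these notices at once, here is an added triage helper (not from the thread, DIVD or SmarterTools) that parses a notice of the shape quoted above, pulls out the case id, CVEs, IP and reported version, and applies the affected range the notice itself states (every 16.x build, and anything before 100.0.7803). The sample notice text is constructed from the quoted report with the IP already masked; the builds 7761 and 7957 mentioned later in the thread are assumed to correspond to version strings 100.0.7761 and 100.0.7957. Nothing is queried over the network.

```python
"""Offline triage of a DIVD-style SmarterMail abuse notice (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample that mirrors the notice quoted in the thread (IP masked by the poster).
SAMPLE_NOTICE = """Dear reader,

This message contains information about one or more systems within your AS that
are likely to be running a vulnerable version of the mail server solution
SmarterMail. This version is most likely vulnerable to CVE-2021-32233,
CVE-2021-32234 and CVE-2021-43977.

On 30 April 2021, we opened case DIVD-2021-00006 to address multiple
vulnerabilities in SmarterMail, affecting all versions of SmarterMail 16.x and
SmarterMail before 100.0.7803 (May 13, 2021).

IP: x.x.x.x
Version: 16.3.6885
"""

# First non-affected version, as stated in the notice.
FIXED_VERSION = (100, 0, 7803)

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
CASE_RE = re.compile(r"\bDIVD-\d{4}-\d+\b")
IP_RE = re.compile(r"^IP:\s*(\S+)\s*$", re.MULTILINE)
VERSION_RE = re.compile(r"^Version:\s*([0-9][0-9.]*)\s*$", re.MULTILINE)


def parse_version(text: str) -> Tuple[int, int, int]:
    """'16.3.6885' -> (16, 3, 6885); shorter strings are right-padded with zeros."""
    parts = [int(p) for p in text.strip().split(".") if p != ""]
    if not parts or len(parts) > 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """Affected range from the notice: any 16.x build, or anything older than 100.0.7803.

    The 16.x clause is already implied by the numeric comparison; it is kept
    explicit so the code reads like the notice.
    """
    v = parse_version(version)
    return v[0] == 16 or v < FIXED_VERSION


@dataclass
class Notice:
    case_id: Optional[str]
    cves: List[str]
    ip: Optional[str]
    version: Optional[str]


def parse_notice(text: str) -> Notice:
    """Extract the fields an operator needs to open a ticket from the notice body."""
    case = CASE_RE.search(text)
    ip = IP_RE.search(text)
    ver = VERSION_RE.search(text)
    return Notice(
        case_id=case.group(0) if case else None,
        cves=sorted(set(CVE_RE.findall(text))),
        ip=ip.group(1) if ip else None,
        version=ver.group(1) if ver else None,
    )


def triage(text: str) -> dict:
    """Return a ticket-ready summary; 'affected' is None when no version line was found."""
    n = parse_notice(text)
    affected = is_affected(n.version) if n.version else None
    if affected is True:
        action = "upgrade to 100.0.7803 or later (per notice)"
    elif affected is False:
        action = "reported version is outside the affected range; confirm version on host"
    else:
        action = "no version in notice; check version on host"
    return {
        "case_id": n.case_id,
        "ip": n.ip,
        "version": n.version,
        "cves": n.cves,
        "affected": affected,
        "action": action,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_NOTICE))
```

Feed each notice body to `triage()` and the resulting dict maps directly onto a ticket per host; the version comparison is deliberately tuple-based so that a build number like 7761 sorts correctly against 7803 rather than as a string.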

Samuel Morgan Replied
I just received the same notification from my ISP. Can we have a response from SmarterTools please on this. Is there any sort of patch?
Bruce Replied
We have been receiving many of the same emails from csirt.divd.nl for a number of our customers' VPSs.

We are now going through notifying our customers but I already know many who took advantage of the free SmarterMail bundle will not want to pay for the upgrade protection.

Will SmarterTools be providing patches for older versions of SmarterMail?
webtomten Replied
I hope that they will fix this with a patch, or else I need to start migrating to hMail or MailEnable, because I have a license from a SmarterMail bundle that I got for free when I bought my VPS.

And I use the VPS and mail server for private use only. So I don’t want to pay $699 when I only use 10 domains and about 15 email accounts for my family and relatives.

Is the problem the whole system or just the webmail interface? Anyone know this?
Gabriele Maoret - SERSIS Replied
SmarterTools is currently working on and patching SmarterMail.

To have the latest patch you need to install the latest supported release, Build 7957 at this moment.

If you stay on an older release you cannot have the latest patches.
Bruce Replied
It is very hard to convince customers to pay $375 to get upgrade protection when they have less than 25 mailboxes and a couple of domains.

It is a shame that SmarterMail doesn't have some cheaper options for smaller numbers of mailboxes.
Samuel Morgan Replied
Hey Smarter"Tool", a security patch is not normally part of feature updates. You might feel motivated to provide security bug fixes for your products when it would seem someone is actively reporting to your customers the security holes in your product, and a lot of people including myself can't afford the >$1000 to get the latest version, which has no new features we even want. Seems you want us to pay through the nose for BUG fixes...  MailEnable it is then, I guess.
Stefano Replied
I really don't get your complaint.
You want a patch for an old and outdated version of SmarterMail just because you don't want to spend more money?
It's like if you've got a computer with Windows XP: you can't complain that it is not updated when you don't want to spend money on a new one / a new license of Windows.
Samuel Morgan Replied
@Stefano, I have never ever paid for a security bug fix for Windows. Windows XP was released on October 25, 2001 and support (for consumers) officially ended on April 8, 2014 (13 years of free support, no yearly support fees). With SM I would have to pay over 1000 USD to upgrade to the latest version; I am on version 16.1.x, which was released in 2017, just 4 years ago. If the new or improved features were there then I might consider it, but they are not. I would rather use my time and money to migrate customers to a competing system with much better pricing and limits than pay such a huge amount for a security bug fix, which should really be provided for free to corporate customers. I hope ST change their position on this, as I can see it causing a lot of bad press and loss of trust from their customers.

echoDreamz Replied
You are trying to compare Microsoft (a trillion-dollar company with endless developers and resources), an Operating System that was installed on millions and millions and millions and millions of devices (not even just laptops/desktops), to a mail server that is developed by a small Company in Arizona, and you want them to provide updates for a piece of software that is now 4 years old? Where do they stop? Why stop at 16x, why not support 15x? Why not support 14x? Why not support 13x?

Microsoft also charges an arm and a leg for numerous products and support on them; ever tried to license SQL Server Ent Edition on a 28-core system or open a support ticket for a bug? SmarterMail is extremely well-priced, and spending $1500 a year to keep updates and support going isn't that big a deal, especially compared to other products we license.

You are not comparing apples to apples here; you are comparing an 18-wheeler to a banana. As a software development Company ourselves, we support the current version of our application (if it's a new major release, we provide 1 additional year of support on the old major version and then it is EOL).
echoDreamz Replied
@webtomten You are mad at the renewal pricing of a product you selected to install and run? That's just silly... If you are concerned about renewal costs, there are open-source projects out there, hmailserver, hell you could even do cpanel with z-push for ActiveSync, numerous webmail options, numerous other projects out there too. You cannot get mad at the product when their maintenance and support policies are outlined right up front.

They even have a KB article that tells you exactly how this all works - Maintenance and Support - Renewal / Reinstatement - SmarterTools

They also state that they only offer hotfixes for the current version - SmarterTools Support Policy - SmarterTools 
Samuel Morgan Replied
@echoDreamz I have been running SmarterMail for almost 15 years. I purchased a lifetime, unlimited, enterprise licence when it was actually affordable, before they switched to a perpetual annual support cost (part of which I paid for by providing the Italian translations for SM), and before the prices skyrocketed. It was a kick in the teeth then and it still is. Also, I wasn't the one who originally compared ST to M$, it was Stefano; I was just pointing out the flaws in the argument he made.
echoDreamz Replied
Same here. Been running SmarterMail since v2. And the prices of stuff have changed… a lot. Not just SmarterMail. It’s part of the world we are in.
Bruce Replied
I do not think SmarterMail pricing is unreasonable, but it would be good to have another 'micro' tier for those with fewer than 20 or 50 mailboxes and more than one domain.

What we are finding is that customers with smaller numbers of mailboxes are opting for MailEnable, which I think is inferior, but their free version, while lacking many features such as anti-spam, is not limited in the number of mailboxes or domains.
webtomten Replied
@echoDreamz don't misunderstand me, I would gladly pay for SmarterMail if there was a smaller license with around 20-50 mailboxes. I don’t use and have no intention to use 250 mailboxes, but I love this product. But I can’t justify the prices for my own use.

But now I have got an answer from the hacker group, and it is only the webmail that is vulnerable, so I will go on with SmarterMail and turn off the webmail interface.
Bruce Replied
I have a customer running SmarterMail Professional Build 7761 (Apr 1, 2021) who refuses to pay the $750 to renew their license.

Is there anything, other than renewing their license, that can be done for them to mitigate these vulnerabilities? 
Dirk Replied
I am talking theoretically, but I am pretty sure it will work; in fact I am planning on doing this early in the new year.

If the vulnerabilities only concern the web interface, consider splitting your DNS: one DNS entry for the www portion, and a separate one for the other protocols.

For example:
mail.domain.com (serves POP, SMTP, IMAP etc.)
webmail.domain.com (only serves the web interface, from either IIS or the built-in web server).

Change your DNS to Cloudflare, and then add Cloudflare protection for the www portion only. 
Bruce Replied
Thank you for your comment.

This may work for the XSS exploits, but one of them is a remote code execution vulnerability, and without knowing the details of the exploit it is unlikely that the type of generic protection that Cloudflare offers would protect SmarterMail.
Tim Uzzanti Replied
Employee Post
We are constantly working on vulnerabilities or potential exploits.  There is a reason all software is turning into a service: it's not fire-and-forget anymore. Not only do we monitor and improve our software in regards to security, but we have dozens of third-party integrations that require that same level of effort.  Unfortunately some of these third parties aren't as proactive as we are, and we have employees that primarily manage those relationships and their efforts so you / customers are protected.  We also must stay aware of Operating System, .NET Framework and client vulnerabilities that can impact SmarterMail or your servers.

We also try to notify customers proactively on things that could affect them, like the Log4j vulnerability, and then provide assurance on whether we're good or we have work to do.  Hope you got that email; we have no exposure in our software or our infrastructure, but we know many of our customers do, and that is why we sent that notice out.

Bottom line: if you don't update software regularly and maintain firmware across appliances, it's only a matter of time before you will have a game-over situation, and mail servers are one of the most attacked servers on the Internet.  Whatever mail server you are running, please make the effort to keep it updated across the board (Operating Systems, Virus, Backups and Mail Server Software).
