Advisory Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of PineApp Mail-SeCure. Authentication is not required to exploit this vulnerability.

The specific flaw exists with input sanitization in the ldapsyncnow.php component. This flaw allows for the injection of arbitrary commands to the Mail-SeCure server. An attacker could leverage this vulnerability to execute arbitrary code as root.

This vulnerability is being disclosed publicly without a patch in accordance with the ZDI vulnerability disclosure policy on lack of vendor response.

Vendor Contact Timeline:
May 16, 2013:
- First email sent to PineApp
May 22, 2013:
- Second email sent to PineApp
May 24, 2013:
- Phone call placed to PineApp
June 11, 2013:
- Phone call placed to PineApp
June 21, 2013:
- Third email sent to PineApp
July 26, 2013:
- Vulnerability advisory published

-- Mitigation:
Given the requirements for users to have access to their email, and given the nature of the vulnerabilities discovered in the PineApp Mail-SeCure software, the only salient mitigation strategy is to restrict access to port 7443 of the PineApp device or VM to those machines which have a legitimate need to access the PineApp software directly. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. For systems running Microsoft Windows, these features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.

• 2013-05-16 - Vulnerability reported to vendor
• 2013-07-26 - Coordinated public release of advisory