CVE-2025-34428
BaseFortify

Publication date: 2025-12-10

Last updated on: 2025-12-17

Assigner: VulnCheck

Description
MailEnable versions prior to 10.54 contain a cleartext storage of credentials vulnerability that can lead to local credential compromise and account takeover. The product stores user and administrative passwords in plaintext within AUTH.SAV with overly permissive filesystem access. A local authenticated user with read access to this file can recover all user passwords and super-admin credentials, then use them to authenticate to MailEnable services such as POP3, SMTP, or the webmail interface, enabling unauthorized mailbox access and administrative control.
Meta Information
Generated: 2026-06-16
AI Q&A: 2025-12-10
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: mailenable
Product: mailenable
Version / Range: *
CWE
CWE ID: CWE-312
Description: The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Executive Summary

This vulnerability exists in MailEnable versions prior to 10.54, where user and administrative passwords are stored in plaintext within the AUTH.SAV file with overly permissive filesystem access. A local authenticated user with read access to this file can recover all user and admin passwords, leading to credential compromise and potential account takeover.

Impact Analysis

An attacker who has local authenticated access and can read the AUTH.SAV file can obtain all user and administrative passwords. This allows them to authenticate to MailEnable services such as POP3, SMTP, or the webmail interface, resulting in unauthorized mailbox access and administrative control, which can lead to data breaches and service disruption.

Detection Guidance

You can detect this vulnerability by checking for the presence of the AUTH.SAV file on the MailEnable server and verifying its permissions. Specifically, look for the file storing credentials in plaintext and check if local authenticated users have read access to it. Commands such as 'ls -l' on the directory containing AUTH.SAV can reveal file permissions. Additionally, inspecting the contents of AUTH.SAV (e.g., using 'cat AUTH.SAV') can confirm if passwords are stored in cleartext.
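An added example, not code from BaseFortify or MailEnable: a PowerShell function that performs the permission check described above by reading the ACL on AUTH.SAV and reporting every principal outside an allow-list that holds read access. The file path and the default allow-list (SYSTEM and Administrators) are assumptions; MailEnable runs on Windows, so this is the native equivalent of the 'ls -l' check.

```powershell
# Added example (not from the BaseFortify page or MailEnable): audit the ACL on
# AUTH.SAV for read access granted to principals outside an allow-list.
# $Path is a placeholder; point it at your installation's AUTH.SAV.
function Test-AuthSavPermissions {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Principals that legitimately need the file. Assumed defaults; add the
        # account your MailEnable services run under if it is not SYSTEM.
        [string[]] $Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "AUTH.SAV not found at $Path"
    }

    $acl = Get-Acl -LiteralPath $Path
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Inherited ACEs can carry generic rights, which surface as a negative
        # integer; treat those as granting read rather than silently skipping them.
        $rights = [int]$ace.FileSystemRights
        $grantsRead = ($rights -lt 0) -or (($rights -band $readData) -ne 0)
        if (-not $grantsRead) { continue }

        $id = $ace.IdentityReference.Value
        if ($Allowed -contains $id) { continue }

        [pscustomobject]@{
            Identity  = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }

    [pscustomobject]@{
        Path             = $Path
        Owner            = $acl.Owner
        InheritsFromDir  = -not $acl.AreAccessRulesProtected
        BroadReadAccess  = @($findings)
        Exposed          = (@($findings).Count -gt 0)
    }
}

# Usage (placeholder path):
# Test-AuthSavPermissions -Path 'C:\<MailEnable install>\AUTH.SAV' | Format-List
```

Entries such as BUILTIN\Users, Everyone or Authenticated Users in BroadReadAccess are the condition the description refers to; an inherited entry means the directory ACL, not just the file, needs attention.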

Mitigation Strategies

Immediate mitigation steps include restricting filesystem permissions on the AUTH.SAV file to prevent unauthorized read access by local users. Ensure that only necessary administrative accounts have access to this file. Additionally, upgrade MailEnable to version 10.54 or later where this vulnerability is addressed. Regularly audit file permissions and monitor access to sensitive files to prevent credential compromise.
