DIVD-2021-00006 - SmarterMail
| Field | Value |
|---|---|
| Case lead | Lennaert Oudshoorn |
| Recommendation | Upgrade to SmarterMail Build 7957 (Oct 14, 2021) |
| Patch status | Fully patched |
One of our researchers found multiple vulnerabilities in SmarterMail, which we disclosed to SmarterTools Inc. through a responsible disclosure (Coordinated Vulnerability Disclosure) process. The vulnerabilities were discovered in the webmail frontend of SmarterMail.
We notified SmarterTools Inc. of the following vulnerabilities:
- CVE-2021-43977 - SmarterTools SmarterMail before 100.0.7803 (May 13, 2021) and 16.x allows XSS.
- CVE-2021-32233 - SmarterTools SmarterMail before 100.0.7803 (May 13, 2021) and 16.x allows XSS.
- CVE-2021-32234 - SmarterTools SmarterMail before 100.0.7803 (May 13, 2021) and 16.x allows Remote Code Execution.
What you can do
If you are running a version of SmarterMail before 100.0.7803 (May 13, 2021) or any 16.x version, upgrade to the latest version as soon as possible. To verify the installed version, open /about/checkup in the SmarterMail portal (http(s)://yourwebmailurl.ext/about/checkup) and check the version number. If the version number is 16.x or before 100.0.7803 (May 13, 2021), you are vulnerable.
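As an added example (not part of the DIVD case file), a small Python helper that applies the version rule above to an inventory of SmarterMail servers. The hostnames and version strings are constructed, and the version strings are assumed to have the major.minor.build form used in this advisory, copied by the administrator from the /about/checkup page.

```python
"""Triage helper for DIVD-2021-00006.

Decides from a SmarterMail version string whether a server falls inside the
vulnerable range given in the case file: 16.x, or anything before 100.0.7803.
Added example; version strings are assumed to look like "major.minor.build".
"""
import re
from typing import Dict, List, Tuple

# Threshold from the case file: builds before 100.0.7803 (May 13, 2021) are affected.
FIXED_VERSION: Tuple[int, int, int] = (100, 0, 7803)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Extract (major, minor, build) from a string such as '100.0.7803'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised SmarterMail version string: {version!r}")
    major, minor, build = (int(x) for x in m.groups())
    return (major, minor, build)


def is_vulnerable(version: str) -> bool:
    """Apply the case file's rule: any 16.x build, or any build before 100.0.7803."""
    major, minor, build = parse_version(version)
    if major == 16:
        return True
    return (major, minor, build) < FIXED_VERSION


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose reported version is inside the vulnerable range."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY: Dict[str, str] = {
    "mail.example.org": "100.0.7803",    # exactly the first fixed build
    "mail2.example.org": "100.0.7802",   # one build before the fix
    "legacy.example.org": "16.3.6989",   # 16.x branch, affected regardless of build
    "new.example.org": "100.0.7957",     # the build the case file recommends
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: version {SAMPLE_INVENTORY[host]} is in the vulnerable range, upgrade")
```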
What we are doing
We are processing the list of vulnerable SmarterMail servers.
| Date | Event |
|---|---|
| 30 Apr 2021 | Vendor contacted and informed. |
| 30 Apr 2021 | Scanning internet-facing implementations. |
| 30 Apr 2021 | Start of the identification of possible victims (with internet-facing systems). |
| 03 May 2021 | Asked the vendor whether our e-mail had been received; resent the information to the vendor. |
| 10 May 2021 | Vendor responds that they are working on it. |
| 24 May 2021 | Requested an update. |
| 01 Jun 2021 | Vendor issues patch(es). |
| 16 Nov 2021 | First version of this case file. |
- official release notes from SmarterMail