CERT-In Vulnerability Note CIVN-2009-15
IronPort Encryption Appliance / PostX and PXE Encryption Vulnerabilities

Original Issue Date: January 29, 2009

Severity Rating: High

Systems Affected

  • PostX 6.2.1 versions prior to 6.2.1.1
  • PostX 6.2.2 versions prior to 6.2.2.3
  • IronPort Encryption Appliance/PostX 6.2.4 versions prior to 6.2.4.1.1
  • IronPort Encryption Appliance/PostX 6.2.5 versions
  • IronPort Encryption Appliance/PostX 6.2.6 versions
  • IronPort Encryption Appliance/PostX 6.2.7 versions prior to 6.2.7.7
  • IronPort Encryption Appliance 6.3 versions prior to 6.3.0.4
  • IronPort Encryption Appliance 6.5 versions prior to 6.5.0.2

Overview

IronPort is a solution for securing e-mail communication. When it is used for e-mail encryption, the device is susceptible to multiple vulnerabilities. By exploiting them, an unauthorized user may intercept e-mail, gain privileged access to the administration interface, or modify e-mail for phishing.

1. Insecure Decryption Key Information Disclosure Vulnerability (CVE-2009-0053)

The vulnerability exists due to an error in the IronPort PXE Encryption solution.  An attacker with the ability to intercept e-mail messages or access a user's e-mail could obtain the unique, per-message decryption key and then decrypt an intercepted secure e-mail message.

Workarounds

  • Apply the appropriate updates.
  • Prevent unauthorized users from intercepting messages.
  • Physically secure the networks that are used to transmit messages via the affected device.

2. IronPort PXE Encryption Phishing Vulnerability (CVE-2009-0054)

The vulnerability is due to an error in the IronPort PXE encryption solution. A remote user can modify the contents of an intercepted secure e-mail message to include malicious content before the message is sent to the recipient. Exploitation could allow the attacker to manipulate e-mail to aid in phishing.

Workarounds

  • Implement DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) on the IronPort Secure Email Gateway.
  • Enable the anti-phishing Secure Pass Phrase feature in the IronPort PXE Secure Envelope to ensure that the IronPort PXE notification envelope is valid.

3. Insecure Decryption Key Information Disclosure Vulnerability (CVE-2009-0055)

The vulnerability is due to an input sanitization error in the administration interface. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to follow a malicious link or visit a malicious website while the user is logged in to the administration interface. The attacker can modify the target user's preferences, including the username and personal security pass phrase, but not the password.

Workarounds

  • It is advised to log out of the administrative web interface before navigating to other websites.
  • Users are advised not to follow links from untrusted sources. Users are advised to verify unexpected links from trusted sources before following them.

4. Cross-Site Request Forgery Vulnerability (CVE-2009-0056)

The vulnerability is due to an error in the IronPort Encryption Appliance administration interface. An unauthenticated, remote attacker could exploit the vulnerability by convincing a user to visit a malicious website. An exploit could allow the attacker to execute commands that could change the user's Cisco Registered Envelope Service (RES) preferences.

Workarounds

  • It is advised to log out of the administrative web interface before navigating to other websites.
  • Monitor critical systems for signs of exploitation.
  • Users are advised not to follow links from untrusted sources. Users are advised to verify unexpected links from trusted sources before following them.

Solution

Apply the appropriate fixed versions as mentioned in the CISCO Security Advisory.
http://www.cisco.com/en/US/products/products_security_advisory09186a0080a5c4f7.shtml
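
The "Systems Affected" ranges above can be checked against an appliance inventory mechanically. The Python below is an added example, not part of the CERT-In note or the Cisco advisory; the host names and installed versions are constructed, and it assumes versions are reported as dotted numeric strings and matches on version number only, not product name.

```python
# Added example: branch -> first fixed version, transcribed from the
# "Systems Affected" list. None = the note lists no fixed version for the branch.
AFFECTED = {
    (6, 2, 1): (6, 2, 1, 1),
    (6, 2, 2): (6, 2, 2, 3),
    (6, 2, 4): (6, 2, 4, 1, 1),
    (6, 2, 5): None,
    (6, 2, 6): None,
    (6, 2, 7): (6, 2, 7, 7),
    (6, 3): (6, 3, 0, 4),
    (6, 5): (6, 5, 0, 2),
}

def parse_version(text):
    """Turn '6.2.4.1' into (6, 2, 4, 1); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def check(version_text):
    """Return (status, first_fixed_or_None) for one installed version."""
    version = parse_version(version_text)
    for branch, fixed in AFFECTED.items():
        if version[:len(branch)] != branch:
            continue
        if fixed is None:
            return "affected", None
        # Integer tuples compare numerically, so 6.2.7.10 is newer than 6.2.7.7.
        state = "affected" if version < fixed else "fixed"
        return state, ".".join(map(str, fixed))
    # Branch not named in the note: no statement either way.
    return "not-listed", None

# Constructed inventory: host names and versions are made up for illustration.
INVENTORY = {
    "iea-01": "6.2.4.1",
    "iea-02": "6.3.0.4",
    "postx-01": "6.2.5.3",
    "iea-03": "6.5.0.1",
    "iea-04": "7.0.1",
}

def triage(inventory):
    """Map each host to its (status, first_fixed) result."""
    return {host: check(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, (state, fixed) in triage(INVENTORY).items():
        print(f"{host:10} {INVENTORY[host]:10} {state:11} fixed in: {fixed or 'n/a'}")
```

A "not-listed" result means only that the note does not name that branch; it is not a statement that the version is unaffected.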

Vendor Information

CISCO
http://www.cisco.com/warp/public/707/cisco-sa-20090114-ironport.shtml

References

CISCO
http://www.cisco.com/warp/public/707/cisco-sa-20090114-ironport.shtml
http://tools.cisco.com/security/center/viewAlert.x?alertId=17375
http://tools.cisco.com/security/center/viewAlert.x?alertId=17376
http://tools.cisco.com/security/center/viewAlert.x?alertId=17377
http://tools.cisco.com/security/center/viewAlert.x?alertId=17378

SecurityTracker
http://securitytracker.com/alerts/2009/Jan/1021593.html
http://securitytracker.com/alerts/2009/Jan/1021594.html

SecurityFocus
http://www.securityfocus.com/bid/33268


Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003