-
IronPort PXE Encryption is an e-mail encryption solution that is designed to secure e-mail communications without the need for a Public Key Infrastructure (PKI) or special agents on receiving systems. When an e-mail message is targeted for encryption, the PXE encryption engine on an IronPort e-mail gateway encrypts the original e-mail message as an HTML file and attaches it to a notification e-mail message that is sent to the recipient. The per-message key used to decrypt the HTML file attachment is stored on a local IronPort Encryption Appliance, PostX software installation or the Cisco Registered Envelope Service, which is a Cisco-managed software service.
PXE Encryption Privacy Vulnerabilities
The IronPort PXE Encryption solution is affected by two vulnerabilities that could allow unauthorized individuals to view the contents of secure e-mail messages. To exploit the vulnerabilities, attackers must first intercept secure e-mail messages on the network or via a compromised e-mail account.
IronPort Encryption Appliance Administration Interface Vulnerabilities
IronPort Encryption Appliance devices contain two vulnerabilities that could allow unauthorized users to gain access to the IronPort Encryption Appliance administration interface and modify other users' settings. These vulnerabilities do not affect Cisco Registered Envelope Service users.
Cisco has released software updates that address these vulnerabilities. There are no workarounds for the vulnerabilities that are described in this advisory.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090114-ironport.
-
Vulnerable Products
The following IronPort Encryption Appliance/PostX versions are affected by these vulnerabilities:
-
All PostX 6.2.1 versions prior to 6.2.1.1
-
All PostX 6.2.2 versions prior to 6.2.2.3
-
All IronPort Encryption Appliance/PostX 6.2.4 versions prior to
6.2.4.1.1
-
All IronPort Encryption Appliance/PostX 6.2.5 versions
-
All IronPort Encryption Appliance/PostX 6.2.6 versions
-
All IronPort Encryption Appliance/PostX 6.2.7 versions prior to
6.2.7.7
-
All IronPort Encryption Appliance 6.3 versions prior to
6.3.0.4
-
All IronPort Encryption Appliance 6.5 versions prior to
6.5.0.2
The version of software that is running on an IronPort Encryption Appliance is located on the About page of the IronPort Encryption Appliance administration interface.
Note: Customers should contact IronPort support to determine which software fixes are applicable for their environment. Please consult the Obtaining Fixed Software section of this advisory for more information.
Products Confirmed Not Vulnerable
IronPort C, M and S-Series appliances are not affected by these vulnerabilities. Although C-Series appliances can be configured to use a local IronPort Encryption Appliance for per-message key retention, the C-Series appliances are not vulnerable. The Cisco Registered Envelope Service is not vulnerable.
No other Cisco products are currently known to be affected by these vulnerabilities.
-
All PostX 6.2.1 versions prior to 6.2.1.1
-
Note: IronPort tracks bugs using an internal system that is not available to customers. The IronPort bug tracking identifiers are provided for reference only.
PXE Encryption Privacy Vulnerabilities
Individual PXE Encryption users are vulnerable to two message privacy vulnerabilities that could allow an attacker to gain access to sensitive information. All the vulnerabilities require an attacker to first intercept a secure e-mail message as a condition for successful exploitation. Attackers can obtain secure e-mail messages by monitoring a network or a compromised user e-mail account.
The IronPort Encryption Appliance contains a logic error that could allow an attacker to obtain the unique, per-message decryption key that is used to protect the content of an intercepted secure e-mail message without user interaction. Using the decryption key, an attacker could decrypt the contents of the secure e-mail message. This vulnerability is documented in IronPort bug 8062 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0053.
By modifying the contents of intercepted secure e-mail messages or by forging a close copy of the e-mail message, it may be possible for an attacker to convince a user to view a modified secure e-mail message and then cause the exposure of the user's credentials and message content. Please see the Workarounds section for more information on mitigations available to reduce exposure to these phishing-style attacks. This vulnerability is documented in IronPort bug 8149 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0054.
IronPort Encryption Appliance Administration Interface Vulnerabilities
The administration interface of IronPort Encryption Appliance devices contains a cross-site request forgery (CSRF) vulnerability that could allow an attacker to modify a user's IronPort Encryption Appliance preferences, including their user name and personal security pass phrase, if the user is logged into the IronPort Encryption Appliance administration interface. Exploitation of the vulnerability will not allow an attacker to change a user's password. This vulnerability is documented in IronPort bug 5806 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0055.
The administration interface of IronPort Encryption Appliance devices also contains a cross-site request forgery (CSRF) vulnerability that could allow an attacker to execute a command and modify a user's IronPort Encryption Appliance preferences, including their user name and personal security pass phrase, under certain circumstances when a user logs out of the IronPort Encryption Appliance administration interface. Exploitation of the vulnerability will not allow an attacker to change a user's password. This vulnerability is documented in IronPort bug 6403 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0056.
-
There are no workarounds for the vulnerabilities that are described in this advisory.
There are mitigations available to help prevent exploitation of the PXE Encryption phishing-style vulnerability. Phishing attacks can be greatly reduced if DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) are implemented on IronPort e-mail gateways to help ensure message integrity and source origin. Additionally, the PXE Encryption solution contains an anti-phishing Secure Pass Phrase feature to ensure that secure notification e-mail messages are valid. This feature is enabled by recipients when configuring their PXE user profile. Cisco has released a best practices document that describes several techniques to mitigate against the phishing-style attacks that is available at the following link:
http://www.cisco.com/web/about/security/intelligence/bpiron.html
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
J.B. Snyder of Brintech reported a method for obtaining PXE Encryption user credentials via a phishing-style attack to Cisco.
All other vulnerabilities were discovered by Cisco or reported by customers.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0
2009-January-14
Initial public release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.