PCI Compliance / IMAP Vulnerability

Discussions on webmail and the Professional version.
Post Reply
risedev
Posts: 8
Joined: Fri Mar 07, 2008 3:42 pm

PCI Compliance / IMAP Vulnerability

Post by risedev » Fri Dec 12, 2008 4:13 pm

I have an e-commerce site on my server for which the merchant account provider has said that the server must be "PCI Compliant". PCI = Payment Card Industry and is a new directive coming down from the big Credit Card companies like Visa & Mastercard.

So, in order to "prove" that I am PCI Compliant, I have to hire a third party company (SecurityMetrics.com) to do quarterly scans against my server to detect vulnerabilities. What a pain that was! I have cleared up ALL vulnerabilities but the one being reported on the IMAP component of MailEnable.

Here is the result as reported by Security Metrics:

***
Synopsis : It is possible to execute code on the remote IMAP server. Description : The remote host is running a version of MailEnable's IMAP service that is prone to a buffer overflow vulnerability triggered when processing a EXAMINE command with a long mailbox name. Once authenticated, an attacker can exploit this flaw to execute arbitrary code subject to the privileges of the affected application. There are also reportedly similar issues with other IMAP commands. See also : http://lists.grok.org.uk/pipermail/full- disclosure/2005-December/040388.html Solution: Install Hotfix ME-10010 for MailEnable Professional 1.71 and earlier or MailEnable Enterprise Edition 1.1 and earlier. Risk Factor: High / CVSS Base Score : 7.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C) CVE : CVE-2005-4456 BID : 15985 [More]

***

I am running v3.61 of MailEnable Pro which I purchased specifically for the IMAP functionality. Now I explained to SecurityMetrics that I am running v3.61 and that the version being reported v1.71, but that doesn't seem to matter to SecurityMetrics.

I would hate to have to change mail servers, but I must become PCI Compliant by Jan 20, 2009. Does anyone have any suggestions?

Here is a little more info:
I don't know if the tech support guy at Security Metrics knows what he is talking about, but he said something about MailEnable using IMAP v2 instead of v4, does that make any sense?

Also, It doesn't look like its only SecurityMetrics reporting this problem. Here are a few links to recent reports of the vulnerability (google: mailenable buffer overflow imap):
http://www.securityfocus.com/bid/21362
http://securitytracker.com/alerts/2008/Mar/1019565.html

I see a "hotfix" on mailenable's page, but it's for version 3.52, so I don't want try that.

I must say that it's most annoying being the "man-in-the-middle". So again, if anyone can offer some assistance, I would appreciate it. TIA!

MailEnable-Ian
Site Admin
Posts: 9145
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Post by MailEnable-Ian » Sun Dec 14, 2008 10:42 pm

Hi,

There are no IMAP exploits that we are aware of, or have been reported since version 3.52 hotfix. Any version after this release will include the IMAP fix that was implemented within the 3.52 hotfix for IMAP. I would suggest contacting "SecurityMetrics" and informaing them to update there databases as there are no outstanding exploits within the MailEnable IMAP service or any other MailEnable service. As for the IMAP version, MailEnable is IMAPv4 compliant.
Regards,

Ian Margarone
MailEnable Support

risedev
Posts: 8
Joined: Fri Mar 07, 2008 3:42 pm

SecurityMetrics Still Not Happy (But NOW I know the code!)

Post by risedev » Tue Dec 23, 2008 6:34 am

OK, so a tech at Security Metrics has indicated what the problem is:

telnet into the the mail server on port 143

First they check the banner for this string:
* OK IMAP4rev1 server ready
if this string is NOT found in the banner, the test terminates

Next, they send this command: a001 LOGOUT
and look for the string "MailEnable" in the result - if not found, the test terminates.

Next, they issue this command: a001 CAPABILITY
and look for the string:
OK CAPABILITY completed
If they find this string, then they assume the MailEnable is vulnerable to a buffer overflow vulnerability (whether it is or is not - I do not know).

Their code says that a "Pathed" serve should respond with "BAD COMMAND". Mine does NOT.


On my server, if I telnet into the server on port 143 and issue the a001 CAPABILITY command, I get this result:
* OK IMAP4rev1 server ready at 12/23/08 00:29:29
a001 CAPABILITY
* CAPABILITY IMAP4rev1 IMAP4 AUTH=LOGIN IDLE CHILDREN AUTH=CRAM-MD5
a001 OK CAPABILITY completed


So how can I get my MailEnable to respond with "BAD COMMAND" so I can get through this darn security scan?

Please help. Thanks!

mashroyer
Posts: 1
Joined: Tue Jun 02, 2009 1:13 am

Post by mashroyer » Tue Jun 02, 2009 2:31 pm

I am having an identical problem. Security Metrics wants me to install patch ME-10010, but I am already running Professional 3.61.

Did you get a resolution?

Mike

risedev
Posts: 8
Joined: Fri Mar 07, 2008 3:42 pm

Post by risedev » Tue Jun 02, 2009 2:59 pm

I had to fight & claw my way through multiple tech at Security Metric before I finally got someone to "grant" an exception on their scan. The problem is that their scanning software is out of date.

I had to get really upset before anyone would help me on this issue. I had to send them multiple screen shots of my server showing the latest MailEnable software running on the server.

netblue
Posts: 13
Joined: Wed Oct 05, 2005 4:40 pm

Post by netblue » Fri Jun 26, 2009 12:05 am

Third party security scans are not a part of the PCI requirement. Neither is scanning your mail server. I guess your merchant account vendor is playing it a little safe, but frankly, after having written credit card processing applications for 4 years it seems highly unlikely someone could use an IMAP exploit to capture credit card data.

[sigh] just another way to force small businesses to pay too much to keep running. good luck.

adain
Posts: 1
Joined: Wed Dec 09, 2009 12:37 pm

Re: PCI Compliance / IMAP Vulnerability

Post by adain » Wed Dec 09, 2009 12:38 pm

Thank you. I just tried it and it works fine for me.

SecurityMetrics
Posts: 1
Joined: Mon Nov 15, 2010 6:52 pm

Re: PCI Compliance / IMAP Vulnerability

Post by SecurityMetrics » Wed Nov 17, 2010 6:26 pm

SecurityMetrics appreciates your continued efforts to validate your compliance with the PCI DSS. SecurityMetrics is aware and understands that not all customers, computer systems, and scans are the same. If our scanning system recognizes a potential risk that may, in fact, not be a vulnerability, we will work one-on-one with our customer to resolve the situation. Our goal is to ensure the highest level of security while providing superior customer support in any way we can.

Post Reply