MDaemon Patch Bulletin - MD051518
Fix to PGP or S/MIME encryption vulnerabilities
Published May 15, 2018
Core problems in the S/MIME and OpenPGP encryption protocol specifications, as well as commonplace implementation flaws, have recently been found and reported by a team of researchers at https://efail.de. The vulnerability, identified by the researchers as EFAIL, can possibly (under specific circumstances) impact all email desktop and mobile clients that use these encryption protocols.
Immediately after learning of the issue, MDaemon Technologies' software developers checked MDaemon Webmail and the MDaemon email server's OpenPGP-based code (MDPGP). Upon investigation, MDaemon web-based email is not vulnerable. However, MDaemon's OpenPGP feature (MDPGP) is partially vulnerable to one implementation flaw. To address this, an MDPGP patch has been developed and released for the MDaemon versions listed below. For MDaemon users, there is no need to "uninstall S/MIME and PGP" as claimed in some articles on this issue.
The researchers go into some depth on issues within the S/MIME and PGP specification documents themselves; S/MIME and OpenPGP may need specification changes to address the longer-term issues raised in the initial report. MDaemon Technologies will continue to monitor this issue.
This patch is for affected versions and editions of MDaemon Email Server and MDaemon Private Cloud. For specific information, see the Affected Software Section below.
Recommendation: For MDaemon installations, MDaemon Technologies recommends that administrators apply the patch by downloading and installing the appropriate file listed below.
Known Issues: There are no known issues that customers may experience when installing this patch.
The following versions of MDaemon have been tested and determined to be affected. Other versions are not affected. Please download the file version AND language based upon your current installation.
To update your MDaemon, you can upgrade to 18.0.1 or, if you prefer, install a patch for MDaemon 17.0.3 or 17.5.3. If you are not running 17.0.3 or 17.5.3, you will need to update to the appropriate version first. Then download the patch, making sure to choose the correct language as well as the 32- or 64-bit build matching your MDaemon installation. Stop your MDaemon server, extract MDPGP.dll from the downloaded zip file into your MDaemon\app directory, and then restart MDaemon.
NOTE: The OpenPGP feature is NOT included in the Russian language version of the server software and is therefore not impacted.
MDaemon 17.5.3 (32 bit) / MDaemon Private Cloud 5.5.1 (32 bit)
MDaemon 17.5.3 (64 bit) / MDaemon Private Cloud 5.5.1 (64 bit)
MDaemon 17.0.3 (32 bit) / MDaemon Private Cloud 5.0.1 (32 bit)
MDaemon 17.0.3 (64 bit) / MDaemon Private Cloud 5.0.1 (64 bit)
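As an added example (not from the bulletin and not MDaemon Technologies' own tooling), a PowerShell script that carries out the patch steps above with the checks an administrator would want: it confirms the installed build is one of the two patched versions, compares the 32/64-bit architecture of the new MDPGP.dll against the installed one, backs up the old DLL, and swaps it in across a service stop/start. The service name, install path, zip file name and the format of MDaemon.exe's version string are assumptions.

```powershell
# Added example, not part of the bulletin. Assumptions (not stated in the bulletin):
# MDaemon runs as a Windows service named "MDaemon", is installed under C:\MDaemon,
# and the downloaded patch zip sits at $PatchZip (placeholder file name).
param(
    [string]$MDaemonRoot = 'C:\MDaemon',
    [string]$PatchZip    = "$env:USERPROFILE\Downloads\MDPGP_patch.zip",
    [string]$ServiceName = 'MDaemon'
)
$ErrorActionPreference = 'Stop'

$appDir = Join-Path $MDaemonRoot 'app'
$target = Join-Path $appDir 'MDPGP.dll'
$exe    = Join-Path $appDir 'MDaemon.exe'

# 1. The bulletin ships DLL patches only for 17.0.3 and 17.5.3; other builds must be upgraded instead.
$version = (Get-Item $exe).VersionInfo.FileVersion   # assumed to start with the marketing version
if ($version -notmatch '^(17\.0\.3|17\.5\.3)') {
    throw "MDaemon $version is not 17.0.3 or 17.5.3; upgrade to a fixed release such as 18.0.1 instead."
}

# 2. Read the PE COFF machine field (0x14c = x86, 0x8664 = x64) so a 32-bit DLL is never dropped
#    into a 64-bit install or vice versa. e_lfanew at 0x3C points at "PE\0\0"; Machine follows it.
function Get-PEMachine([string]$Path) {
    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    return [BitConverter]::ToUInt16($bytes, $peOffset + 4)
}
$staging = Join-Path $env:TEMP ('mdpgp_' + [guid]::NewGuid())
Expand-Archive -Path $PatchZip -DestinationPath $staging
$newDll = (Get-ChildItem -Path $staging -Recurse -Filter 'MDPGP.dll' | Select-Object -First 1).FullName
if (-not $newDll) { throw 'MDPGP.dll not found in the downloaded zip.' }
if ((Get-PEMachine $newDll) -ne (Get-PEMachine $target)) {
    throw 'Patch architecture (32/64-bit) does not match the installed MDPGP.dll.'
}

# 3. Stop the server, keep a timestamped backup of the old DLL, install the new one, restart.
Stop-Service -Name $ServiceName
Copy-Item -Path $target -Destination "$target.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $newDll -Destination $target -Force
Start-Service -Name $ServiceName

# 4. Record what is now installed, for change tracking and later verification.
Get-Item $target | Select-Object Name, Length, LastWriteTime,
    @{ n = 'SHA256'; e = { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } }
```

Run it from an elevated PowerShell session on the MDaemon host; the backup copy left beside MDPGP.dll allows a straight rollback by reversing the copy if the server fails to start.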
Frequently Asked Questions (FAQ) Related to This Update
What is the impact?
These attacks require that the attacker already have copies of your emails, which means they need access to your email account, to the flow of your network traffic, or to the computer on which your emails are stored. Absent these circumstances, the attacks cannot even be attempted.
What versions of MDaemon are affected?
MDaemon Email Server - versions 17.0.x, 17.5.x, and 18.0.0
MDaemon Private Cloud - versions 5.0.x and 5.5.x
What do I need to do in order to resolve this issue?
Simply download and install the appropriate patch listed in the Affected Software Section of this update. There is no requirement to renew Upgrade Protection to obtain the fix.
Additional questions can be answered by using the website's Chat feature in the top right header or by contacting MDaemon Technologies Support.