Advisory ID:               SYSS-2025-004
Product:                   SEPPmail Secure Email Gateway
Manufacturer:              SEPPmail – Deutschland GmbH
Affected Version(s):       <14.0.3
Tested Version(s):         14.0.2
Vulnerability Type:        Improper Neutralization of Special Elements
                           Used in a Template Engine (CWE-1336)
Risk Level:                Low
Solution Status:           Fix available
Manufacturer Notification: 2025-02-13
Solution Date:             2025-02-25
Public Disclosure:         2025-03-31
CVE Reference:             CVE-2025-30071
Author of Advisory:        Jürgen Zöller, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

SEPPmail Secure Email Gateway is an e-mail gateway encompassing, among
other things, a web GUI.

The manufacturer describes the product as follows (see [1]):

"The SEPPmail Secure Email Gateway, which has won several awards,
impresses with its comprehensive functionality, not to mention its
simplicity and flexibility that are second to none. Banks, insurance
companies, lawyers, authorities, stakeholders in the healthcare sector,
industrial companies and energy providers have been using SEPPmail to
secure their electronic business transactions for years. By doing so,
they are benefiting from stability, performance, availability,
functionality and convenience."

Due to insufficient input neutralization, SEPPmail is vulnerable to
template injection.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

If the e-mail server of an external recipient does not support
encrypted communication, SEPPmail allows them to register to its web
interface. There, they are able to write and send e-mails to the users
of the protected domain. When sending an e-mail from the web GUI, they
can opt to receive a copy of the e-mail to their own address.

Due to improper input neutralization, it is possible to add templating
variables into the e-mail subject field. These are interpreted during
creation of the e-mail copy.
While the variable "@expiryCache@" is not mentioned in the official
documentation of the manufacturer, this seems to be part of the GINA
localization feature.[2] An indicator for this is that its @-delimited
format matches the variables mentioned in [2]. Additionally, neither
predefined macros[3] nor predefined replacements[4] could be resolved
this way.

Due to the lack of official documentation, the possible attack surface
could not be fully determined. While the impact of this vulnerability
is currently considered low, it might increase if future research
shows that additional macros and variables can be accessed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The weakness can be exploited via the following steps:

1. Log in to the web GUI as an external user.
2. Write a new e-mail.
3. Set subject to "Template Injection: @expiryCache@" (case sensitive).
4. Set recipient to any existing user of the protected domain,
   e.g. internal@example.com.
5. Set checkmark to receive a copy of the e-mail.
6. Send the e-mail.

Soon after, one should receive an e-mail with a link to open the
e-mail in the web GUI. This e-mail also contains the subject line of
the e-mail. However, in the HTML version of this e-mail, the
placeholder will have been resolved, e.g.
'Betreff: Kopie ihrer Nachricht "Template Injection: 20.01.2025" ...'.

This proves that the templating placeholder in the user-controlled
subject line was processed on the server side.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to version 14.0.4 or higher.
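
The processing order behind this class of flaw, as an added example
that is not part of the advisory and not SEPPmail code: a minimal
Python model in which the subject is spliced into a notification
template before @name@ placeholders are expanded, next to a
single-pass variant that never rescans inserted values. The template
text, the variable table and all function names are assumptions;
SEPPmail's actual implementation is not documented here.

```python
import re

# @name@ placeholder syntax, modelled on the form quoted in the advisory.
PLACEHOLDER = re.compile(r"@([A-Za-z][A-Za-z0-9_]*)@")

# Constructed server-side variable and notification template (assumptions).
SERVER_VARS = {"expiryCache": "20.01.2025"}
TEMPLATE = 'Betreff: Kopie ihrer Nachricht "@subject@"'

# Subject line from step 3 of the PoC.
POC_SUBJECT = "Template Injection: @expiryCache@"


def expand(text, variables):
    """Resolve known @name@ placeholders in one pass; unknown ones stay."""
    return PLACEHOLDER.sub(
        lambda m: variables.get(m.group(1), m.group(0)), text)


def render_vulnerable(subject):
    """Flawed order: splice user text in, then expand the merged string."""
    merged = TEMPLATE.replace("@subject@", subject)
    return expand(merged, SERVER_VARS)


def render_single_pass(subject):
    """Expand only the trusted template; inserted values are not rescanned."""
    return expand(TEMPLATE, dict(SERVER_VARS, subject=subject))


def find_placeholders(subject):
    """Names of placeholder-shaped tokens in user input, for logging or rejection."""
    return PLACEHOLDER.findall(subject)


if __name__ == "__main__":
    print(render_vulnerable(POC_SUBJECT))
    print(render_single_pass(POC_SUBJECT))
    print(find_placeholders(POC_SUBJECT))
```

The single-pass variant keeps the subject literal because re.sub does
not rescan replacement text; find_placeholders ignores ordinary e-mail
addresses, which contain only one "@".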
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-12-09: Vulnerability discovered
2025-02-13: Vulnerability reported to manufacturer
2025-02-25: Patch released by manufacturer
2025-03-31: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for SEPPmail
    https://www.seppmail.com/products/secure-email-gateway/
[2] Manufacturer documentation for GINA localization feature
    https://docs.seppmail.com/en/07_mi_17_gd_02_cgs_02_edit-translations-for-language-x.html
[3] Predefined macros
    https://docs.seppmail.com/en/08_cr_09_pm__predifined-macros.html
[4] Predefined replacements
    https://docs.seppmail.com/en/08_cr_08_pf__predefined-functions.html
[5] SySS Security Advisory SYSS-2025-004
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-003.txt
[6] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Jürgen Zöller of SySS GmbH.

E-Mail: juergen.zoeller@syss.de
Public Key: https://www.syss.de/kontakt/pgp-keys
Key ID: 0xA55C06902A34886E
Key Fingerprint: F279 067D A805 F18E BB71 E876 A55C 0690 2A34 886E

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en