Security Bulletin 23B30874

Sensitive user information can be disclosed from a .ZED container

High

CVE-2023-50444
12/13/2023

SUMMARY

A brute-force attack on .ZED container metadata can lead to the disclosure of sensitive user information that is included by default in .ZED containers, if the complexity of the user's password does not follow common practices.

CVSS SCORE: BASE 8.7

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)

DETAILS

AFFECTED PRODUCTS AND VERSIONS

  • ZED! Enterprise for Windows versions prior to 2023.5, including versions Q.2020.1, Q.2020.2 and Q.2021.1
  • ZED! features in ZONECENTRAL for Windows versions prior to 2023.5, including version Q.2021.1
  • ZED! features in ZEDMAIL for Windows versions prior to 2023.5

SOLUTIONS AND RECOMMENDATIONS

Depending on your solution, upgrade to one of the following versions:

  • ZED! Enterprise for Windows version Q.2020.3 (version validated by ANSSI)
  • ZED! Enterprise for Windows version Q.2021.2 (version validated by ANSSI)
  • ZED! Enterprise for Windows minimum version 2023.5
  • ZED! features in ZONECENTRAL for Windows version Q.2021.2 (version validated by ANSSI)
  • ZED! features in ZONECENTRAL for Windows minimum version 2023.5
  • ZED! features in ZEDMAIL for Windows minimum version 2023.5

For more information, contact support[@]primx[.]eu.

ACKNOWLEDGEMENTS

ANSSI