Security Bulletin 19110545

Files with a few bytes can be disclosed in a Zed! container

Low

(CVE-2019-7312) 01/31/2019

SUMMARY

Analyzing a Zed! container can lead to the disclosure of the plaintext content of very small files (a few bytes) stored in it.

Note: Encryption keys and user access keys are not compromised by this flaw. The flaw was discovered internally by Prim’X Labs.

CVSS SCORE: BASE 3.7

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)

DETAILS

CVEID: 2019-7312 (created on 01/31/2019)
CERT-FR: CERTFR-2019-AVI-043

AFFECTED PRODUCTS AND VERSIONS

  • Zed! features in ZoneCentral for Windows, versions before 6.1.2240
  • Zed! features in ZedMail for Windows, versions before 6.1.2240
  • Zed! Entreprise for Windows, versions before 6.1.2240
  • Zed! Entreprise for Mac, versions before 2.0.199
  • Zed! Entreprise for Linux, versions before 2.0.199
  • Zed! Pro for Windows, versions before 1.0.195
  • Zed! Pro for Mac, versions before 1.0.199
  • Zed! Pro for Linux, versions before 1.0.199
  • Zed! Free for Windows, versions before 1.0.195
  • Zed! Free for Mac, versions before 1.0.199
  • Zed! Free for Linux, versions before 1.0.199

SOLUTIONS AND RECOMMENDATIONS

Depending on your solution, upgrade to one of the following versions:

  • Zed! features in ZoneCentral for Windows: minimum version 6.1.2240
  • Zed! features in ZedMail for Windows: minimum version 6.1.2240
  • Zed! Entreprise for Windows: minimum version 6.1.2240

Exception: Zed! Entreprise for Windows version 6.1.2150, submitted for ANSSI qualification, contains the fix.

  • Zed! Entreprise for Mac: minimum version 2.0.199
  • Zed! Entreprise for Linux: minimum version 2.0.199
  • Zed! Pro for Windows: minimum version 1.0.195
  • Zed! Pro for Mac: minimum version 1.0.199
  • Zed! Pro for Linux: minimum version 1.0.199
  • Zed! Free for Windows: minimum version 1.0.195
  • Zed! Free for Mac: minimum version 1.0.199
  • Zed! Free for Linux: minimum version 1.0.199

For more information, contact support[@]primx[.]eu.
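
The version table above can be applied to a software inventory with a short script. This is an added example, not Prim'X code: it compares versions numerically and honours the 6.1.2150 exception. The inventory format, host names, short product keys and the dotted-numeric version scheme are assumptions.

```python
import csv, io, re

# Minimum fixed versions from the bulletin; short product keys are an assumption.
FIXED = {(p, "Windows"): "6.1.2240" for p in ("ZoneCentral", "ZedMail", "Zed! Entreprise")}
for plat in ("Mac", "Linux"):
    FIXED[("Zed! Entreprise", plat)] = "2.0.199"
for edition in ("Zed! Pro", "Zed! Free"):
    FIXED[(edition, "Windows")] = "1.0.195"
    FIXED[(edition, "Mac")] = FIXED[(edition, "Linux")] = "1.0.199"
# Builds below the minimum that the bulletin says already contain the fix.
FIXED_EXCEPTIONS = {("Zed! Entreprise", "Windows"): {"6.1.2150"}}

def parse_version(text):
    """'a.b.c' -> (a, b, c), or None if not dotted-numeric (assumed scheme)."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def status(product, platform, version):
    """Classify one installation against the bulletin's version table."""
    key = (product, platform)
    if key not in FIXED:
        return "unknown-product"
    installed = parse_version(version)
    if installed is None:
        return "unparseable-version"
    if version.strip() in FIXED_EXCEPTIONS.get(key, ()):
        return "fixed"
    # Compare numerically: as strings, "1.0.1000" would sort below "1.0.199".
    return "fixed" if installed >= parse_version(FIXED[key]) else "vulnerable"

def audit(inventory_csv):
    """Rows are host,product,platform,version (a hypothetical export format)."""
    results = {}
    for row in csv.reader(io.StringIO(inventory_csv)):
        if len(row) == 4:
            host, product, platform, version = (f.strip() for f in row)
            results[host] = status(product, platform, version)
    return results

# Constructed sample inventory, not real hosts.
SAMPLE = """ws-01,Zed! Entreprise,Windows,6.1.2150
ws-02,Zed! Entreprise,Windows,6.1.2239
mac-01,Zed! Pro,Mac,1.0.1000
lin-01,Zed! Free,Linux,1.0.198
srv-01,Zed! Pro,Solaris,1.0.199"""
print(audit(SAMPLE))
```

Hosts reported as unknown-product or unparseable-version need manual review rather than being treated as fixed.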