Home / Bulletins / Security Bulletin 23B30932

Security Bulletin 23B30932

Integrity control on a .ZED container can be bypassed

High

Security Bulletin 23B30932
12/13/2023

SUMMARY

Integrity control on a .ZED container can be bypassed if configuration allows retro-compatibility with older container formats or if a specific metadata is manually altered in the container (1).

PRIM’X does not consider this problem as a security vulnerability but a side effect of retro-compatibility features. In addition, the metadata manual alteration abovementioned will lead to an error message and the inability to access any content of the container.

Note (1): this kind of modification leads to error messages and unreadable decrypted content.

Note (2) – Reminder: ZED! provides confidentiality of exchanged content. Sender authenticity is not a security function provided by ZED!, as signature keys are not requested.

CVSS SCORE: BASE 7.5

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges required (PR): None (N)
  • User interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)

AFFECTED PRODUCTS AND VERSIONS

  • ZED! Enterprise for Windows version prior to 2023.5, including versions Q.2020.1, Q.2020.2 and Q.2021.1
  • ZED! Enterprise for Linux version prior to 2023.5
  • ZED! Enterprise for macOS version prior to 2023.5
  • ZED! features in ZONECENTRAL for Windows version prior to 2023.5, including versions Q.2021.1
  • ZED! features in ZEDMAIL for Windows version prior to 2023.5
  • ZEDPRO for Windows version prior to 2023.5
  • ZEDPRO for Linux version prior to 2023.5
  • ZEDPRO for macOS version prior to 2023.5
  • ZEDFREE for Windows version prior to 2023.5
  • ZEDFREE for Linux version prior to 2023.5
  • ZEDFREE for macOS version prior to 2023.5

SOLUTIONS AND RECOMMENDATIONS

Depending on your solution, upgrade to one of the following versions:

  • ZED! Enterprise for Windows version Q.2020.3 (version validated by ANSSI)
  • ZED! Enterprise for Windows version Q.2021.2 (version validated by ANSSI)
  • ZED! Enterprise for Windows minimal version 2023.5
  • ZED! Enterprise for Linux minimal version 2023.5
  • ZED! Enterprise for macOS minimal version 2023.5
  • ZED! features in ZONECENTRAL for Windows version Q.2021.2 (version validated by ANSSI)
  • ZED! features in ZONECENTRAL for Windows minimal version 2023.5
  • ZED! features in ZEDMAIL for Windows minimal version 2023.5
  • ZEDPRO for Windows minimal version 2023.5
  • ZEDPRO for Linux minimal version 2023.5
  • ZEDPRO for macOS minimal version 2023.5
  • ZEDFREE for Windows minimal version 2023.5
  • ZEDFREE for Linux minimal version 2023.5
  • ZEDFREE for macOS minimal version 2023.5

For more information, contact support[@]primx[.]eu.

ACKNOWLEDGEMENTS

ANSSI