Security Bulletin 23B30931

A compromised encrypted .ZED container can trigger a network access

High

Security Bulletin 23B30931
CVE-2023-50440 (ZED!)
12/13/2023

SUMMARY

Opening a compromised encrypted .ZED container can trigger a network access, with potential authentication request. It can be used by an attacker to obtain user privileges and potentially user credentials.

CVSS SCORE: BASE 7.5

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges required (PR): None (N)
  • User interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)

DETAILS

AFFECTED PRODUCTS AND VERSIONS

  • ZED! Enterprise for Windows version prior to 2023.5, including versions Q.2020.1, Q.2020.2 and Q.2021.1
  • ZED! Enterprise for Linux version prior to 2023.5
  • ZED! Enterprise for macOS version prior to 2023.5
  • ZED! features in ZONECENTRAL for Windows version prior to 2023.5, including versions Q.2021.1
  • ZED! features in ZEDMAIL for Windows version prior to 2023.5
  • ZEDPRO for Windows version prior to 2023.5
  • ZEDPRO for Linux version prior to 2023.5
  • ZEDPRO for macOS version prior to 2023.5
  • ZEDFREE for Windows version prior to 2023.5
  • ZEDFREE for Linux version prior to 2023.5
  • ZEDFREE for macOS version prior to 2023.5

SOLUTIONS AND RECOMMENDATIONS

Depending on your solution, upgrade to one of the following versions:

  • ZED! Enterprise for Windows version Q.2020.3 (version validated by ANSSI)
  • ZED! Enterprise for Windows version Q.2021.2 (version validated by ANSSI)
  • ZED! Enterprise for Windows minimal version 2023.5
  • ZED! Enterprise for Linux minimal version 2023.5
  • ZED! Enterprise for macOS minimal version 2023.5
  • ZED! features in ZONECENTRAL for Windows version Q.2021.2 (version validated by ANSSI)
  • ZED! features in ZONECENTRAL for Windows minimal version 2023.5
  • ZED! features in ZEDMAIL for Windows minimal version 2023.5
  • ZEDPRO for Windows minimal version 2023.5
  • ZEDPRO for Linux minimal version 2023.5
  • ZEDPRO for macOS minimal version 2023.5
  • ZEDFREE for Windows minimal version 2023.5
  • ZEDFREE for Linux minimal version 2023.5
  • ZEDFREE for macOS minimal version 2023.5

For more information, contact support[@]primx[.]eu.

ACKNOWLEDGEMENTS

ANSSI