MDaemon Security Bulletin – MD102412 - Critical

Fix to Potential Account Access Vulnerability

Published October 24, 2012

Summary

Today, the internal testing team at Alt-N discovered a vulnerability that could possibly allow remote access to MDaemon administrative settings and email. Within hours of the discovery, the Alt-N development team identified, built and tested a patch to correct the potential vulnerability.

This security update is rated Critical for affected versions of MDaemon Messaging Server. For specific information, see the Affected Software Section below.

Recommendation: For administrators of MDaemon installations, Alt-N Technologies recommends that customers apply the update immediately by downloading the appropriate version and language file listed below based upon the version currently installed. We have provided 3 different ftp site options. If you find one is too slow just try one of the others.

Known Issues: There are no known issues that customers may experience when installing this security update.

Frequently Asked Questions (FAQ) Related to This Update

Affected Software

The following versions of MDaemon have been tested and determined to be affected. Other versions are not affected. Please download the file version AND language based upon your current installation.

 

Frequently Asked Questions (FAQ) Related to This Update

Why were these patches released today?
Alt-N released this patch the same day the vulnerability was discovered.

What is the security impact?
Unscrupulous individuals could potentially gain access to your MDaemon administrator settings and email.

What operating systems are affected?
All Operating systems are affected by this issue.

What versions of MDaemon are affected?
MDaemon versions 11, 12, and 13 are affected.

Are any other Alt-N products affected?
No, MDaemon is the only product that is affected by this issue.

What do I need to do in order to resolve this issue?
Simply download the appropriate patch listed in the Affected Software Section of this update. There is no requirement to renew Upgrade Protection to obtain the fix.

* I have installed MDaemon BlackBerry Edition, do I need to install the BES for MDaemon feature?
If you are currently running MDaemon BlackBerry Edition version 12.0.x you will need to download the MDaemon BlackBerry Edition version 12.0.5 installer. If you are running MDaemon 12.5.x or 13.0.x with the BES components installed, you can install the appropriate version of MDaemon listed and you will NOT need to reinstall the BES components.

I'm using an older version of MDaemon than discussed here, what should I do?
MDaemon versions prior to MDaemon 11.0.0 are not affected by this issue. However, if you are running an expired license version prior to MDaemon 11, you can renew your license at the promotional discounted rate currently offered. To check the renewal price for the latest version, click here.

Additional questions can be answered by using emailing support@ccsoftware.ca.