Vendor agrees that XSS bug poses a grave risk, but warns it ‘can’t force users to upgrade’

Tens of thousands of IceWarp mail server systems remain vulnerable to a troublesome web security vulnerability – despite the fact that the issue was patched last year.

Lütfü Mert Ceylan, the 16-year-old Turkish security researcher and bug hunter who discovered the vulnerability (CVE-2020-8512) back in January 2020, told The Daily Swig that more than one in five of IceWarp systems remain vulnerable to the cross-site scripting (XSS) flaw.

“The vulnerability can be detected and exploited very easily” and “leads to the leak of user information”, Ceylan warned.

You got XSS

IceWarp is mail and collaboration server software aimed at small to mid-range businesses and as an alternative to services such as Microsoft Exchange.

The XSS vulnerability in question was resolved in 11.4.4.1 of IceWarp.

Earlier versions of the technology are vulnerable to a flaw that means an attacker can use an XSS loophole the /WebMail/ color parameter to send a malicious script to unsuspecting admins or users.


Catch up on the latest cross-site scripting (XSS) news and analysis


Searches using the Shodan IoT search engine and other tools allowed Ceylan to estimate that 21% of systems are running earlier versions of the software and are therefore vulnerable.

Sending out the word

In response to queries from The Daily Swig, the IceWarp development team agreed with Ceylan’s diagnosis of the problem, while reiterating that those affected are running unsupported versions of the technology.

Antonin Pruki, CTO of Czech Republic-based IceWarp, said the vendor was encouraging customers to upgrade but ultimately it cannot force them to do an upgrade since IceWarp is installed on their own hardware and is therefore “fully under their control”.

He said:

IceWarp 11.4.4 was released in 2016 and we actually got first report about this particular vulnerability back in 2017.

It was already addressed back then, and our customers were informed via [the] usual channels. Moreover, since that time there were two new generations of the login screen, which is now build on top of completely different stack than was the case in 2016.

So even at the time when CVE-2020-8512 was published, the problem had been addressed few years ago. Last but not least, the version 11.4.4 is not officially supported any more.

“There is an obvious problem however that many customers still run on version 11.4 and older,” Pruki warned.

“We also tried to reach all customers again a year ago and strongly recommended them to consider an upgrade,” Pruki concluded.


RECOMMENTED WordPress security: information leak flaw addressed in Ninja Forms


Reacting to these comments, Ceylan told The Daily Swig that there may be practical reasons as to why some users have delayed upgrading their systems, aside from general tardiness.

It is true that IceWarp creates new login structures, but when I reviewed the CVEs reported by other researchers in the past, I noticed that the vulnerabilities found in the first subversions of IceWarp 11 were not fixed with security patches in the next subversions.

In other words, no action has been taken about the vulnerabilities detected in subversions (11.0, 11.1, 11.2, 11.3, and 11.4) until the release and outdated date of IceWarp 11.

These security patches were mostly outdated to IceWarp 11 and added later when new versions (IceWarp 12.x etc) started to come out. That's why almost no company has implemented this patch, leaving tens of thousands of websites potentially vulnerable.

IceWarp disputed this interpretation and said its release cycle was more aligned with that of Google Chrome or Adobe Acrobat Reader than Microsoft Exchange.

Pruki concluded: “I fully agree with Lütfü's [Ceylan] findings, i.e the number of customers that run an outdated version of IceWarp that has this vulnerability (and also couple other vulnerabilities that were discovered and addressed later) is still too high.”


MORE SECURITY RESEARCH Machine learning technique detects phishing sites based on markup visualization