[German]The vendor zebNet has discovered a critical vulnerability in various products that allow a man-in-the-middle attack (MITM) in the update process of the affected application. The night I was then contacted by the manufacturer by mail and asked to publish the whole thing here in the blog. The background: Informing customers about the vulnerability is proving difficult.
Advertising
Who is zebNet?
zebNet is a software vendor based in East Sussex in the UK that offers a variety of software products. These include data backup solutions for all common and important web browsers as well as email applications. Furthermore, there is the NewsTurbo product family (newsletter software) for email marketing, which has been published since 2014. Since 2017, the MailShelf product family for long-term email archiving was added. Details can be found on the company website.
A mail from zebNet …
I was astonished by the e-mail that arrived in my mailbox from zebNet on Sunday morning. The manufacturer wrote:
Dear Mr. Born,
We have discovered a security vulnerability in some of our products, which requires an urgent update of the affected application in the customer's system.
Since we only have the consent to send e-mails from a fraction of our customers and the delivery rate of e-mail providers is very low anyway due to their supposed anti-spam measures, we ask you to publish the following information so that as many users as possible can learn about the updates.
It's a novelty that a manufacturer contacts me as a blogger (so it works). So what exactly is this about?
Security vulnerability in zebNet products
In the email, the provider disclosed more details. On February 18, 2022, a security vulnerability was discovered in various zebNet products, with which a so-called man-in-the-middle attack (MITM) in the update process of the affected application can be enabled by missing or insufficient encryption measures. The manufacturer writes about this::
This would allow an attacker, at least in theory, to manipulate the update process of the affected application in such a way that a non-legitimate update file containing arbitrary code could be injected and executed on the target system, possibly allowing malware or other malicious code to be executed on the target system with administrator rights.
As a result of this discovery, zebNet has deployed bug-fixed versions for all affected products that are in support on Feb. 19, 2022 (i.e., within 24 hours). The vendor advises that these updates should be installed immediately by all customers using an affected product.
Advertising
The bugfixed versions contain, among other things, strengthened encryption as well as new signature verification procedures, which can be used to avoid such or similar security vulnerabilities. zebNet is not aware of any active exploitation of this vulnerability, so this is purely a precautionary measure. On its German website (I haven't found a similar article on the English web site), the provider lists the following products as affected:
- MailShelf Basic
- MailShelf Standard
- MailShelf Pro
- MailShelf Server
- MailShelf Client
- Backup for Chrome 5.0
- Backup for Chrome 6.0
- Backup for Firefox 5.0
- Backup for Firefox 6.0
- Backup for Internet Explorer 5.0
- Backup for Internet Explorer 6.0
- Backup for Opera Browser 5.0
- Backup for Opera Browser 6.0
- Backup for Pale Moon 6.0
- Backup for SeaMonkey 5.0
- Backup for SeaMonkey 6.0
- Backup for IncrediMail 5.0
- Backup for IncrediMail 6.0
- Backup for Live Mail 5.0
- Backup for Live Mail 6.0
- Backup for Outlook 5.0
- Backup for Outlook 6.0
- Backup for Postbox 5.0
- Backup for Postbox 6.0
- Backup for Thunderbird 5.0
- Backup for Thunderbird 6.0
- Backup for eM Client 5.0
- Backup for eM Client 6.0
- Backup for Mailbird 5.0
- Backup for Mailbird 6.0
- Backup for The Bat 5.0
- Backup for The Bat 6.0
- Backup for Vivaldi 5.0
- Backup for Vivaldi 6.0
- Backup for Waterfox 6.0
- All products of generation 2011
- products of generation 2012
- products of TNG generation (Version 4.0)
