Synology-SA-17:82 Mailsploit

Publish Time: 2017-12-29 13:33:29 UTC+8

Last Updated: 2018-01-02 11:53:50 UTC+8

Severity: Important

Status: Resolved

Abstract

Mailsploit allows remote attackers to conduct sender spoofing attacks against susceptible versions of MailPlus, Android MailPlus and iOS MailPlus.

Affected Products

Product           Severity    Fixed Release Availability
MailPlus          Important   Upgrade to 1.4.1-0742 or above.
Android MailPlus  Important   Upgrade to 1.6.1 or above.
iOS MailPlus      Important   Upgrade to 1.6.1 or above.

Mitigation

None

Detail

  • Mailsploit
    • Severity: Important
    • CVSS3 Base Score: 7.4
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
    • Mailsploit is a collection of bugs in email clients that allow effective sender spoofing and code injection attacks. Because the spoofing is not detected by Mail Transfer Agents (MTAs), i.e. email servers, it circumvents spoofing protection mechanisms such as DMARC (DKIM/SPF) and spam filters.
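The point of the detail above is that the MTA and DMARC evaluate the raw addr-spec of the From: header, while the client renders the decoded display name, so a mail gateway or log-analysis job that wants to flag this class of spoofing has to look at the decoded form as well. The following is an added example, not code from the advisory or from Synology: it decodes any RFC 2047 encoded words in the display name of a From: header and reports two things a client should never be asked to render, control characters and an address in the display name that differs from the real addr-spec. The sample header values, domains and the function names are constructed for the example.

```python
import re
from email.header import decode_header
from email.utils import parseaddr

# Control characters (NUL, CR, LF, ...) never belong in a rendered display name.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Loose addr-spec shape, used only to spot an address embedded in the name.
EMBEDDED_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample From: header values (not taken from the advisory).
CLEAN_FROM = "=?utf-8?q?Alice_Example?= <alice@example.com>"
MISMATCHED_FROM = (
    "=?utf-8?q?Support_=3Csupport=40vendor.example=3E?= "
    "<sender@third-party.example>"
)
CONTROL_FROM = (
    "=?utf-8?q?Alice=00_=3Calice=40example.com=3E?= "
    "<unrelated@third-party.example>"
)


def decoded_display_name(raw_name):
    """Decode RFC 2047 encoded words in a display name into one str,
    the way a mail client would before rendering it."""
    pieces = []
    for chunk, charset in decode_header(raw_name):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:          # unknown charset label
                chunk = chunk.decode("latin-1")
        pieces.append(chunk)
    return "".join(pieces)


def check_from_header(raw_from):
    """Return a list of findings for one From: header value (empty = clean).

    parseaddr() splits the header into the raw display name and the addr-spec
    that MTAs and DMARC act on; the findings come from the decoded name.
    """
    findings = []
    raw_name, addr = parseaddr(raw_from)
    name = decoded_display_name(raw_name)
    if CONTROL_CHARS.search(name):
        findings.append("control character in decoded display name")
    for embedded in EMBEDDED_ADDRESS.findall(name):
        if embedded.lower() != addr.lower():
            findings.append(
                "display name shows %s but addr-spec is %s" % (embedded, addr))
    return findings


if __name__ == "__main__":
    for label, value in (("clean", CLEAN_FROM),
                         ("mismatched", MISMATCHED_FROM),
                         ("control", CONTROL_FROM)):
        print(label, check_from_header(value) or "no findings")
```

The check is deliberately conservative: a display name that merely contains the same address as the addr-spec is not reported, and an unknown charset degrades to latin-1 rather than raising, so the function can run over every header in a mail log without aborting.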

Reference

Revision History

Revision  Date        Description
1         2017-12-29  Initial public release.
2         2018-01-02  Updated availability for iOS MailPlus in Affected Products.