Wietse Venema

**Name of the Vulnerable Software and Affected Versions** Kerio Connect versions 7.1.4 build 2985 Kerio MailServer versions 6.x **Description** The issue is related to a "plaintext command injection" attack, where the STARTTLS implementation does not properly restrict I/O buffering. This allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place. **Recommendations** For Kerio Connect version 7.1.4 build 2985, consider updating to a newer version that addresses the issue with I/O buffering in the STARTTLS implementation. For Kerio MailServer version 6.x, consider updating to a newer version that addresses the issue with I/O buffering in the STARTTLS implementation. As a temporary workaround, consider restricting access to the SMTP service to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Postfix versions 2.4.x through 2.4.15 Postfix versions 2.5.x through 2.5.11 Postfix versions 2.6.x through 2.6.8 Postfix versions 2.7.x through 2.7.2 **Description** The issue allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack. This occurs due to improper restriction of I/O buffering in the STARTTLS implementation. **Recommendations** For Postfix versions 2.4.x through 2.4.15, update to version 2.4.16 or later. For Postfix versions 2.5.x through 2.5.11, update to version 2.5.12 or later. For Postfix versions 2.6.x through 2.6.8, update to version 2.6.9 or later. For Postfix versions 2.7.x through 2.7.2, update to version 2.7.3 or later.

**Name of the Vulnerable Software and Affected Versions** netqmail versions 1.06 **Description** The issue is related to the STARTTLS implementation in qmail-smtpd, which does not properly restrict I/O buffering. This allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place. The attack is referred to as a "plaintext command injection" attack. **Recommendations** For netqmail version 1.06, consider disabling the STARTTLS implementation until a patch is available to properly restrict I/O buffering and prevent plaintext command injection attacks. Restrict access to the SMTP service to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: postfix version 2.5.5 Description: The issue allows local users to potentially conduct symlink attacks, overwriting arbitrary files due to the postfix.postinst script granting the postfix user write access to /var/spool/postfix/pid. Recommendations: For postfix version 2.5.5, consider restricting the write access to /var/spool/postfix/pid to prevent local users from conducting symlink attacks.

**Name of the Vulnerable Software and Affected Versions** Apache-SSL versions 1.3.28+1.52 and earlier **Description** The issue allows remote attackers to forge a client certificate by using basic authentication with the "one-line DN" of the target user, given that SSLVerifyClient is set to 1 or 3 and SSLFakeBasicAuth is enabled. **Recommendations** For Apache-SSL versions 1.3.28+1.52 and earlier, consider disabling SSLFakeBasicAuth until a patch is available, and review the configuration of SSLVerifyClient to ensure it is set appropriately to minimize the risk of exploitation.