CipherMail · CipherMail Community Gateway Virtual Appliances · CVE-2020-12714
**Name of the Vulnerable Software and Affected Versions**
CipherMail Community Gateway Virtual Appliances versions 1.0.1 through 4.7.1-0
CipherMail Professional/Enterprise Gateway Virtual Appliances versions 1.0.1 through 4.7.1-0
CipherMail Webmail Messenger Virtual Appliances versions 1.1.1 through 3.1.1-0
**Description**
An issue was discovered in CipherMail products where a Diffie-Hellman parameter of insufficient size could allow man-in-the-middle compromise of communications between CipherMail products and external SMTP clients.
**Recommendations**
For CipherMail Community Gateway Virtual Appliances versions 1.0.1 through 4.7.1-0, update to a version with a secure Diffie-Hellman parameter size.
For CipherMail Professional/Enterprise Gateway Virtual Appliances versions 1.0.1 through 4.7.1-0, update to a version with a secure Diffie-Hellman parameter size.
For CipherMail Webmail Messenger Virtual Appliances versions 1.1.1 through 3.1.1-0, update to a version with a secure Diffie-Hellman parameter size.
As a temporary workaround, consider restricting access to external SMTP clients until a secure version is available.