Ipswitch has patched several security flaws in its widely used email and communications server software, the worst of which could allow an anonymous attacker to take over a system from the Internet.
The flaws affect the latest version of the Ipswitch Collaboration Suite (ICS), which includes e-mail, calendaring, contact list sharing and other communications components, but earlier versions are also thought to be vulnerable. Patches are available from Ipswitch here. The software runs on Windows and has a user base of more than 50 million, according to Ipswitch.
The vulnerabilities are the most serious in enterprise networking tools since earlier this month, when vulnerabilities were disclosed in three popular products: the RSA Authentication Agent for Web for Internet Information Services; ethereal, a network protocol analyser; and smail, a Mail Transfer Agent. All three vulnerabilities could allow remote attackers to execute malicious code, according to security researchers.
The Ipswitch bugs, disclosed this week by security firm iDefense in coordination with Ipswitch, could allow an attacker to execute malicious code, crash the server, or read files on the server. Most are easy to exploit, according to iDefense.
The most serious are two bugs involving the email server's LOGIN command, which could be exploited by sending a long username argument or one starting with specific special characters, iDefense said. These could cause a buffer overflow and lead to the execution of malicious code with System privileges, the firm said. "Valid credentials are not required for exploitation, which heightens the impact of this vulnerability," said iDefense in an advisory.
A bug in the STATUS command of the email server could also allow code execution, but requires valid credentials, making it harder to exploit, iDefense said.
Finally, a directory traversal vulnerability in the Imail Web Calendaring server could allow attackers to read files on the server with System privileges. "Exploitation does not require authentication and does not require exploit code, as a user can simply type the malicious query in a web browser," said iDefense in an advisory.