Hi@all, VMWare Zimbra Mailer Release 8.6.0.GA, latest patch and prior versions with DKIM implementation are vulnerable to longterm Mail Replay attacks. If the expiration header is not set, the signature never expires. This means, that the e-mail, perhaps catched while performing a man in the middle attack, can be replayed years after catching it. This can be combined with the spoofed reply-to header field, because the header field is not hashed by Zimbras DKIM implementation. Supporter of vulnerability analysis: Steffen Mauer @this point I want to thank Steffen for his good work =) Background: To configure DKIM with VMware Zimbra the official documentation advises the administrator to use the zimbra management tools. With the management tools there is no possibility to add custom Header’s for hashing it with DKIM or for setting the expiration DKIM Header. (http://ift.tt/1VB2KPe)
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment