IceWarp has released a critical security update to address a vulnerability discovered during our routine security audits. The issue could potentially expose user credentials through the Sign-up feature, and we recommend applying the update as soon as possible.
HOW IT WORKS
The new build checks your system for indicators of potential credential exposure and automatically enables the password policy option. If any signs of exposure are detected, all user passwords are forcibly set to expire, and users will be required to create a new password the next time they sign in to WebClient.
Even if no exposure indicators are detected, we strongly recommend resetting passwords for all users via WebClient. This important precaution helps reduce the risk of unauthorized access using credentials that may have been previously compromised.
The build ensures:
- Sign-up feature settings are fixed
- The password policy settings are enabled
- Any malicious executables that may be present are removed
VERSIONS
It is strongly recommended to update your IceWarp instance as soon as possible to at least the following versions:
- IceWarp Epos Update 3: upgrade to version 14.3.0.7 or newer ASAP.
- IceWarp Epos Update 2: upgrade to version 14.2.0.15 or newer ASAP.
- IceWarp Epos Update 1: upgrade to version 14.1.0.21 or newer ASAP.
- IceWarp Epos, Deep Castle and older: use the script or upgrade to version 14.1.0.21 or newer ASAP.
If you have any reason to downgrade your IceWarp instance, follow these instructions:
If you are performing the update yourself, be sure to back up the entire server and update versions gradually, as described in these articles:
If you do not feel comfortable installing it yourself, contact our support team at vulnerability@icewarp.com immediately.
DOWNLOADS
- EPOS Update 3 (14.3.0.8) on RHEL9, RHEL8, and Windows + remote admin console
- EPOS Update 2 (14.2.0.16) on RHEL9, RHEL8, and Windows + remote admin console
- EPOS Update 1 (14.1.0.22) on RHEL9, RHEL8, RHEL7 and Windows + remote admin console
- SCRIPT for EPOS, Deep Castle and older - Linux and Windows
SCRIPT
As a workaround for older versions (applicable to all IceWarp versions) running on Windows or Linux, use the script below or consider upgrading to a newer version as soon as possible.
If the server has already been upgraded to version 14.1.0.21, 14.2.0.15, 14.3.0.7, or later, there is no need to run the script.
The script ensures:
- Sign-up feature is disabled
- The settings.xml and filesystem.php are modified
- The password policy settings are NOT modified
- Any malicious executables that may be present are NOT removed
FREQUENTLY ASKED QUESTIONS (FAQ)
- What happened?
  As part of our routine security audits, we received a report highlighting a high-severity vulnerability. The Sign-up feature in IceWarp could potentially expose user credentials to an attacker.
- Who was affected?
  Both Cloud and On-Premises instances could be affected. The update has already been deployed in the Cloud, and the On-Premises version is available for download above.
- Which IceWarp versions are affected?
  The issue affects all EPOS versions, including the latest release.
- Does the vulnerability affect Windows or Linux?
  The vulnerability affects both operating systems.
- What corrective measures have been taken?
  A security update was prepared and distributed to our partners and clients, along with installation instructions for the new version (On-Premises). Regarding the Cloud, this update has already been implemented across all instances.
- How will the patch be distributed?
  The update will be distributed via a KB link attached to an email; recipients will not need to locate any additional files or information. All required installation instructions and supporting details will be provided in the KB.
- How do you plan to prevent such incidents in the future?
  Such incidents cannot be completely avoided; however, we will continue to conduct regular security audits and implement more frequent updates and patches to proactively address potential vulnerabilities.