IceWarp has released a new critical security patch to address an issue that could expose user credentials in the IceWarp environment via the Sign-up feature, identified during our regular security audits. The security patch is now available for immediate installation.
The patch checks your system for signs of a potential data exposure; if any are found, it automatically invalidates all user passwords and requires users to set new passwords at their next login to WebClient.
Even if the patch does not detect any signs of exposure, we strongly recommend performing a preventive password reset for all users through WebClient. This critical precaution helps minimize the risk of unauthorized access using previously compromised credentials.
Administrators must ensure that the password expiration feature is enabled. This can be configured in the Administration Console by navigating to Domains & Accounts → Policies → Password Policy → Password Expiration and selecting the Active checkbox, or by enabling the c_accounts_policies_pass_expiration API property.
It is strongly recommended to update your IceWarp instance as soon as possible to at least the following version for your release branch:
- IceWarp Epos Update 3: Upgrade to version 14.3.0.7 or newer.
- IceWarp Epos Update 2: Upgrade to version 14.2.0.15 or newer.
- IceWarp Epos Update 1: Upgrade to version 14.1.0.21 or newer.
- IceWarp Epos, Deep Castle and older versions: Upgrade to version 14.1.0.21 or newer.
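Because the required build differs per release branch, a host on 14.2 must be compared against 14.2.0.15 rather than the newest 14.3 build. The following Python script, an added example and not IceWarp's own tooling, encodes the thresholds above and reports which hosts in an inventory still need the patch; the host names and version strings are constructed sample input.

```python
# Minimum patched build per release branch, taken from the advisory above.
# Any branch older than 14.1 (Epos, Deep Castle, ...) must move to 14.1.0.21+.
PATCHED = {
    (14, 3): (14, 3, 0, 7),   # IceWarp Epos Update 3
    (14, 2): (14, 2, 0, 15),  # IceWarp Epos Update 2
    (14, 1): (14, 1, 0, 21),  # IceWarp Epos Update 1
}
OLDEST_FIX = (14, 1, 0, 21)


def parse_version(text):
    """Turn '14.2.0.15' into (14, 2, 0, 15); shorter strings are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def check_build(text):
    """Return (is_patched, required_build) for one installed version string.
    Comparison stays within the installed branch; branches newer than the
    ones the advisory lists are refused rather than guessed at."""
    version = parse_version(text)
    branch = version[:2]
    if branch in PATCHED:
        required = PATCHED[branch]
    elif version < OLDEST_FIX:
        required = OLDEST_FIX  # Epos, Deep Castle and older releases
    else:
        raise ValueError(f"branch {branch[0]}.{branch[1]} not covered by this advisory")
    return version >= required, ".".join(map(str, required))


def audit(inventory):
    """Map host -> verdict for a {host: version} inventory."""
    report = {}
    for host, version in inventory.items():
        ok, required = check_build(version)
        report[host] = "patched" if ok else f"upgrade to {required} or newer"
    return report


# Constructed sample inventory; host names are placeholders, not real systems.
SAMPLE_INVENTORY = {
    "mail-a.example.test": "14.3.0.7",   # already on the patched Update 3 build
    "mail-b.example.test": "14.2.0.12",  # Update 2 branch, three builds short
    "legacy.example.test": "13.0.5",     # pre-14.1 release, must move to 14.1.0.21
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```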
If you have any reason to downgrade your IceWarp instance, follow these instructions:
If you are performing the update yourself, be sure to back up the entire server and update versions gradually, as described in our articles:
If you have any hesitation about installing it yourself, our Support team is here to guide you through the process or do the installation for you. Don’t hesitate to get in touch at vulnerability@icewarp.com.
DOWNLOAD BUILDS
- EPOS Update 3 (14.3.0.7) on RHEL9, RHEL8, and Windows + remote admin console
- EPOS Update 2 (14.2.0.15) on RHEL9, RHEL8, and Windows + remote admin console
- EPOS Update 1 (14.1.0.21) on RHEL9, RHEL8, RHEL7 and Windows + remote admin console
- EPOS, Deep Castle and older - upgrade to one of the patched versions above as soon as possible. As an immediate measure, please run the script to make sure signup is not enabled on your Windows or Linux instance.
FREQUENTLY ASKED QUESTIONS (FAQ)
What happened?
As part of our routine penetration testing, we received a report highlighting a high-severity vulnerability. The Sign-up feature in IceWarp could potentially expose user credentials to an attacker.
Who was affected?
Both Cloud and On-Premises instances could be affected. The patch has already been deployed in the Cloud, and the On-Premises version is available for download above.
Which IceWarp versions are affected?
The issue affects all EPOS versions, including the latest release.
Does the vulnerability affect Windows or Linux?
The vulnerability affects both operating systems.
What corrective measures have been taken?
A security patch was prepared and distributed to our partners and clients, along with installation instructions for the new version (On-Premises). Regarding the Cloud, this update has already been implemented across all instances.
How will the patch be distributed?
The patch will be distributed via a KB link attached to an email; recipients will not need to locate any additional files or information. All required installation instructions and supporting details will be provided in the KB.
How do you plan to prevent such incidents in the future?
Such incidents cannot be completely avoided; however, we will continue to conduct regular security audits and implement more frequent updates and patches to proactively address potential vulnerabilities.