MAILSTORE-SA-2019-01: Improper Authentication in Generic LDAP Directory Service Synchronization

Affected Products:
  MailStore Server 9.6 to 11.2.1
  MailStore Service Provider Edition 9.6 to 11.2.1

References:
  CVE-2019-10229: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10229
  CWE-287: https://cwe.mitre.org/data/definitions/287.html

Summary:
The LDAP connector in the affected products does not re-authenticate subsequent login attempts of existing users, because the LDAP connection opened for the failed initial login attempt to the remote LDAP server remains in the connection pool and is not invalidated by the failed login attempt.

Effect:
To exploit a vulnerable MailStore Server or MailStore Service Provider Edition instance, it must be configured to authenticate users by using "Generic LDAP" as the directory service. If that configuration is used and the authentication attribute of a MailStore user is set to "Directory Service" (either manually or through directory service synchronization), an attacker who knows the username may log in as that user by retrying the login after the first failed attempt using the same password.

Attack type: Remote

Attack vector(s):
* Directory Service configuration must be set to "Generic LDAP"
* Users must be set to authenticate against "Directory Service"
* Existing user must be known to attacker

Solution:
Update to Version 11.2.2 or higher

Disclosure Timeline:
2019-02-21 Regular bug report received from customer
2019-02-22 Bug report defined as vulnerability report
2019-02-26 Software update published
2019-03-27 CVE number assigned
2019-05-23 Public disclosure
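The pooling mistake the summary describes, reduced to a self-contained model: this is an added illustration, not MailStore's code. The directory, the `LdapConnection` stand-in and both pool classes are constructed here; the vulnerable pool keeps a connection whose bind failed and treats "a pooled connection exists" as "authenticated", while the fixed pool re-binds on every attempt and evicts the connection when the bind fails.

```python
from dataclasses import dataclass

# Constructed stand-in for the remote LDAP directory: DN -> password.
DIRECTORY = {"uid=alice,dc=example,dc=com": "correct-horse"}


@dataclass
class LdapConnection:
    """Hypothetical pooled LDAP connection; bind() mimics a simple bind."""
    dn: str
    bound: bool = False

    def bind(self, password: str) -> bool:
        self.bound = DIRECTORY.get(self.dn) == password
        return self.bound


class VulnerablePool:
    """Models CWE-287 as in the advisory: the connection created for the
    first attempt stays pooled even though its bind failed, and a retry
    never re-binds, so the second attempt with the same wrong password
    succeeds."""

    def __init__(self) -> None:
        self._pool: dict[str, LdapConnection] = {}

    def authenticate(self, dn: str, password: str) -> bool:
        if dn in self._pool:
            return True                      # BUG: no re-authentication
        conn = LdapConnection(dn)
        ok = conn.bind(password)
        self._pool[dn] = conn                # BUG: kept even when bind failed
        return ok


class FixedPool:
    """Every login attempt re-binds; a failed bind invalidates the pooled
    connection instead of leaving it behind for the next attempt."""

    def __init__(self) -> None:
        self._pool: dict[str, LdapConnection] = {}

    def authenticate(self, dn: str, password: str) -> bool:
        conn = self._pool.get(dn) or LdapConnection(dn)
        if conn.bind(password):
            self._pool[dn] = conn            # pool only authenticated connections
            return True
        self._pool.pop(dn, None)             # failed bind: drop it from the pool
        return False
```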