[ SOURCE: http://www.secureroot.com/security/advisories/9786037711.html ] Message Type: Security Advisory Risk: Medium Software: WinRoute Pro v4.1 all current builds Platform: Windows Systems Affected: All people using the WinRoute Pro v4.1 mail server in a Windows NT or Windows 2000 environment. Type of problem: Default options are insecure. Description: When using the User Accounts option in WrAdmin you can import users from an NT domain. You can also add users manually. In both cases the "Use Windows NT logon authentication" option is enabled by default. This means that by default users need to use their Windows logon credentials to access their POP3 mailboxes on the WinRoute mail server. The problem is that the current version of the WinRoute mail server does not support any form of secure logon authentication. This means that user's Windows logon credentials are being sent to the mail server in plain text. Anyone placing a packet sniffer on the network could totally compromise domain and/or firewall security by capturing traffic destined to the mail server and extracting user logon names and passwords. The problem is even worse if the company is allowing roaming users to access their POP3 mailboxes from the Internet. Resolution: Tiny Software has reported that WinRoute Pro v5.0 will support secure password authentication using APOP and NTLM. Unfortunately they do not intend including SSL support. Expected release is in June 2001. Work arounds: 1. Disable the "Use Windows NT logon authentication" option for all users and enforce the use of different passwords for mailboxes and domain authentication. Make sure that WinRoute administrators do not use mailboxes with the same user name and password as the account they use for administering WinRoute or your firewall administration could be compromised. 2. Use an SSH tunnel to encrypt all traffic between users and the mail server. Set up firewall rules to prevent direct traffic to port 110 on the mail server. It should be possible to implement this solution using free software but setup time and maintenance will be high for anything but a small group of people. 3. Replace the WinRoute mail server with a mail server that has security features. Dealing with Tiny Software: I originally reported this problem to Tiny Software on 2000/11/08. I have asked multiple times that they post a security advisory about the issue on their web site and they have not done so. On the whole I have found it extremely frustrating dealing with their support team. It always takes multiple email messages to convince them of anything. By now I feel that I should have built up some rapport with Tiny Software but each new issue I submit goes through the same multiple email exchange before being taken seriously. Multiple builds of the software are released without any of the issues I report being publicly addressed or corrected. It would seem that they promote the security through denial and obscurity approach. I personally think that WinRoute is a great product for its price but Tiny Software customer relations are lacking. Regards Peter _________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com