WinRoute Pro Mail Server Security Risk

[Peter Miller <pcmiller61 () YAHOO COM>]

Message Type: Security Advisory

Risk: Medium

Software: WinRoute Pro v4.1 all current builds

Platform: Windows

Systems Affected:
All people using the WinRoute Pro v4.1 mail server in a Windows NT or
Windows 2000 environment.

Type of problem: Default options are insecure.

Description:
When using the User Accounts option in WrAdmin you can import users from an
NT domain. You can also add users manually. In both cases the "Use Windows
NT logon authentication" option is enabled by default. This means that by
default users need to use their Windows logon credentials to access their
POP3 mailboxes on the WinRoute mail server.

The problem is that the current version of the WinRoute mail server does not
support any form of secure logon authentication. This means that user's
Windows logon credentials are being sent to the mail server in plain text.
Anyone placing a packet sniffer on the network could totally compromise
domain and/or firewall security by capturing traffic destined to the mail
server and extracting user logon names and passwords. The problem is even
worse if the company is allowing roaming users to access their POP3
mailboxes from the Internet.

Resolution:
Tiny Software has reported that WinRoute Pro v5.0 will support secure
password authentication using APOP and NTLM. Unfortunately they do not
intend including SSL support. Expected release is in June 2001.

Work arounds:

1. Disable the "Use Windows NT logon authentication" option for all users
and enforce the use of different passwords for mailboxes and domain
authentication. Make sure that WinRoute administrators do not use mailboxes
with the same user name and password as the account they use for
administering WinRoute or your firewall administration could be compromised.

2. Use an SSH tunnel to encrypt all traffic between users and the mail
server. Set up firewall rules to prevent direct traffic to port 110 on the
mail server. It should be possible to implement this solution using free
software but setup time and maintenance will be high for anything but a
small group of people.

3. Replace the WinRoute mail server with a mail server that has security
features.

Dealing with Tiny Software:
I originally reported this problem to Tiny Software on 2000/11/08. I have
asked multiple times that they post a security advisory about the issue on
their web site and they have not done so.

On the whole I have found it extremely frustrating dealing with their
support team. It always takes multiple email messages to convince them of
anything. By now I feel that I should have built up some rapport with Tiny
Software but each new issue I submit goes through the same multiple email
exchange before being taken seriously. Multiple builds of the software are
released without any of the issues I report being publicly addressed or
corrected. It would seem that they promote the security through denial and
obscurity approach.

I personally think that WinRoute is a great product for its price but Tiny
Software customer relations are lacking.

Regards
Peter







_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com