CVE-2023-50444
📋 TL;DR
This vulnerability lets anyone who obtains a copy of a .ZED container created by affected PRIMX software brute-force the encrypted sensitive user information inside it offline; no authentication against any PRIMX component is required, only possession of the file. It affects the default configuration of PRIMX ZED! for Windows before Q.2020.3 or Q.2021.2 in the respective ANSSI-qualified branches, ZONECENTRAL for Windows before Q.2021.2 (ANSSI qualification submission) and before 2023.5, ZEDMAIL for Windows before 2023.5, and ZED! for Windows, Mac and Linux before 2023.5.
💻 Affected Systems
- PRIMX ZED! for Windows
- ZONECENTRAL for Windows
- ZEDMAIL for Windows
- ZED! for Windows, Mac, Linux
📦 What is this software?
Zed! by Primx: file encryption product that creates password-protected .ZED containers for storing and exchanging files; shipped both as ANSSI-qualified Q.xxxx releases for Windows and as standard releases for Windows, Mac and Linux.
Zonecentral by Primx: the vendor's folder and file encryption product, which also produces .ZED containers.
Zedmail by Primx: the vendor's email encryption product, which exchanges .ZED containers as mail attachments.
⚠️ Risk & Real-World Impact
Worst Case
An attacker who obtains .ZED containers (from mail, file shares, backups or a lost device) recovers their contents, e.g. credentials or personal information, leading to data breaches, identity theft, or use of the recovered credentials for further intrusion.
Likely Case
An attacker who gets a copy of a .ZED container brute-forces it offline and extracts the sensitive information it protects, defeating the confidentiality the container was supposed to provide.
If Mitigated
Controls such as strict file permissions on container stores and network segmentation reduce the chance that a container is copied out, but the brute-force is offline, so any container that does leave the environment remains exposed until it is re-created with a patched version.
🎯 Exploit Status
Exploitation is an offline brute-force run against a copy of the container on the attacker's own hardware; the only precondition is obtaining the file, and no authentication to any PRIMX component is needed. The cost depends on the strength of the protecting password and on the affected default configuration, and because the work happens off the victim's systems it leaves no trace there, so detection has to focus on who reads or copies container files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version:
- ZED! for Windows: Q.2020.3 or Q.2021.2 (ANSSI qualification submissions; each qualified branch is fixed at its own release)
- ZONECENTRAL for Windows: Q.2021.2 (ANSSI qualification submission) or 2023.5
- ZEDMAIL for Windows: 2023.5
- ZED! for Windows, Mac, Linux: 2023.5
Vendor Advisory: https://www.primx.eu/en/bulletins/security-bulletin-23B30874/
Restart Required: Yes
Instructions:
Step-by-step patching instructions:
1. Identify the affected product and the installed version (Apps & features on Windows, the application's About dialog on Mac/Linux).
2. Download the fixed release from the PRIMX vendor website (see the bulletin above).
3. Install the update following the vendor's instructions.
4. Restart the system to apply the changes.
5. Verify that the installed version is at or above the fixed release for that product and branch.
6. Treat containers created before the update as still brute-forceable: the update fixes how new containers are created, so unless the vendor bulletin says otherwise, assume existing containers keep their original protection and re-create sensitive ones with the patched version and a strong password.
🔧 Temporary Workarounds
Restrict Access to .ZED Containers
What this does: Limits who can read the container files so that an attacker cannot obtain a copy to brute-force. Grant read access only to the accounts that legitimately open the containers; do not add a Deny for Everyone, which also locks out the legitimate users.
On Windows (DOMAIN\ZedUsers is a placeholder for the group that legitimately opens containers): icacls "C:\path\to\containers" /inheritance:r /grant:r "DOMAIN\ZedUsers:(OI)(CI)R" "SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F"
On Linux: chmod 700 /path/to/containers && chmod 600 /path/to/containers/*.zed
Monitor for Brute-Force Attempts
What this does: Records every read of .ZED container files so that unexpected accounts or bulk reads (the usual precursor to copying the files out) can be seen.
On Linux: auditctl -w /path/to/containers -p rwa -k zed_access (review with ausearch -k zed_access)
On Windows: enable object-access auditing with auditpol /set /subcategory:"File System" /success:enable /failure:enable, add an auditing entry (SACL) for the containers folder (folder Properties > Security > Advanced > Auditing), and watch for Event ID 4663 in the Security log, which names the account and process that accessed each file.
🧯 If You Can't Patch
- Risk reduction step 1: Protect every .ZED container with a long, unique passphrase (the brute-force cost scales with the passphrase's entropy) and keep containers only in access-restricted, isolated locations.
- Risk reduction step 2: Segment the network around systems that store or handle .ZED containers and block traffic that is not needed, so that a compromised host elsewhere cannot reach the container stores.
🔍 How to Verify
Check if Vulnerable:
Commands or steps to check if vulnerable: Compare the installed version of each product with the fixed versions listed under Official Fix; any earlier release in the same branch (Q.2020.x, Q.2021.x, or the standard 2023.x line) is affected. The weakness is in the default configuration, so assume every container created by an affected version with default settings is brute-forceable unless the vendor bulletin indicates otherwise.
Check Version:
Command to check current version: On Windows, open Apps & features (or the Details tab of the executable's file properties) and read the version; on Mac/Linux, use the application's About dialog. If a command-line tool is installed, run it with its version option ('zed --version' where available).
Verify Fix Applied:
Commands or steps to verify the fix worked: Confirm the installed version is at or above the fixed release for that product and branch, then create a fresh test container and confirm it was produced by the patched build. Containers created before the update are not fixed by the upgrade; re-create them with the patched version.
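The version comparison above is easy to get wrong because the ANSSI-qualified branches (Q.2020.x, Q.2021.x) and the standard line (2023.x) are fixed at different releases. The following is an added example, not PRIMX code or a vendor tool: it encodes the fixed versions listed under Official Fix and classifies an installed build. It assumes version strings of the form "Q.2021.1" (qualified branch) or "2023.4" (standard branch); the branch rules are this editor's reading of the advisory, and a branch the advisory does not list (e.g. Q.2019.x) is reported as unknown rather than guessed.

```python
"""Added example (not PRIMX code): classify an installed PRIMX build against
the fixed versions for CVE-2023-50444 listed in the advisory summary."""
import re
from typing import Dict, Tuple

# First fixed release per product and branch, from the Official Fix section.
# "Q.2020"/"Q.2021" are ANSSI-qualified branches; "std" is the standard line
# (the "ZED! for Windows, Mac, Linux 2023.5" entry covers ZED!'s std branch).
FIXED: Dict[str, Dict[str, Tuple[int, int]]] = {
    "ZED!": {"Q.2020": (2020, 3), "Q.2021": (2021, 2), "std": (2023, 5)},
    "ZONECENTRAL": {"Q.2021": (2021, 2), "std": (2023, 5)},
    "ZEDMAIL": {"std": (2023, 5)},
}

_VERSION_RE = re.compile(r"^(Q\.)?(\d{4})\.(\d+)$")


def parse_version(text: str) -> Tuple[str, int, int]:
    """Split 'Q.2021.1' -> ('Q.2021', 2021, 1) and '2023.4' -> ('std', 2023, 4)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PRIMX version string: {text!r}")
    qualified, year, minor = m.groups()
    branch = f"Q.{year}" if qualified else "std"
    return branch, int(year), int(minor)


def assess(product: str, version: str) -> str:
    """Return 'vulnerable', 'fixed', 'unknown' (product or branch not covered
    by the advisory, e.g. Q.2019.x) or 'unparseable'."""
    branches = FIXED.get(product.upper())
    if branches is None:
        return "unknown"
    try:
        branch, year, minor = parse_version(version)
    except ValueError:
        return "unparseable"
    fixed = branches.get(branch)
    if fixed is None:
        return "unknown"  # no fix listed for this branch: check the vendor bulletin
    return "fixed" if (year, minor) >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("ZED!", "Q.2020.2"), ("ZED!", "Q.2021.2"), ("ZED!", "2022.3"),
        ("ZONECENTRAL", "2023.5"), ("ZEDMAIL", "Q.2021.2"), ("ZED!", "Q.2019.7"),
    ]
    for product, version in inventory:
        print(f"{product:<12} {version:<10} {assess(product, version)}")
```

Feed it the product name and version string collected from each host (e.g. from software inventory); anything reported as unknown or unparseable needs a manual check against the vendor bulletin rather than being assumed safe.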
📡 Detection & Monitoring
Log Indicators:
- What to look for in logs: Reads of .ZED files by accounts that do not normally open them, many distinct containers read by one account in a short window (bulk collection before exfiltration), or reads by unexpected processes (archivers, sync clients, browsers). The brute-force itself runs on the attacker's machine and produces no failed-login events, because there is nothing to authenticate against.
Network Indicators:
- Network-based detection: Unusual outbound transfers from hosts that store .ZED containers (uploads to file-sharing or webmail services, large SMB or SCP copies to unfamiliar hosts), indicating the containers are being collected for offline brute-forcing.
SIEM Query:
Example SIEM/detection query if applicable (Splunk-style, illustrative; replace the IN list with the accounts that legitimately open containers): 'source="file_access_logs" file_path="*.zed" event_type="read" NOT user IN ("alice","bob") | stats dc(file_path) AS containers count by user, src_host | where containers > 5 OR count > 20'
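The same two rules as the query above, run over a file-access log outside a SIEM, as an added example that is not PRIMX code or a vendor-supplied detection. It assumes a simple CSV export with the columns ts,host,user,path,action (the kind of flattening a log shipper produces from auditd or Windows 4663 events); the sample lines, the allowlist of accounts, the five-minute window and the threshold of five containers are all constructed for the example. Because the brute-force is offline, the observable events are reads and copies of the container files, which is what the rules look at.

```python
"""Added example (not PRIMX code): flag suspicious reads of .ZED container
files in a CSV file-access log. Sample data and thresholds are constructed."""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO
from typing import Deque, Dict, Iterable, List, Tuple

# Constructed sample log: a normal workday, a service account reading a
# container, then one account sweeping every container late at night.
SAMPLE_LOG = """\
ts,host,user,path,action
2024-03-01T09:00:01,fs01,alice,/srv/containers/hr-2024.zed,read
2024-03-01T09:03:10,fs01,bob,/srv/containers/finance-q1.zed,read
2024-03-01T09:05:44,fs01,alice,/srv/containers/notes.txt,read
2024-03-01T11:20:00,fs01,svc-backup,/srv/containers/hr-2024.zed,read
2024-03-01T22:14:03,fs01,bob,/srv/containers/hr-2024.zed,read
2024-03-01T22:14:05,fs01,bob,/srv/containers/finance-q1.zed,read
2024-03-01T22:14:06,fs01,bob,/srv/containers/legal-2023.zed,read
2024-03-01T22:14:08,fs01,bob,/srv/containers/board-minutes.zed,read
2024-03-01T22:14:09,fs01,bob,/srv/containers/payroll.zed,read
2024-03-01T22:14:11,fs01,bob,/srv/containers/m-and-a.zed,read
"""

AUTHORISED = frozenset({"alice", "bob"})  # accounts expected to open containers (assumed)
WINDOW = timedelta(minutes=5)             # sliding window for the bulk-read rule (assumed)
BULK_THRESHOLD = 5                        # distinct .zed files per user per window (assumed)

Alert = Tuple[str, str, str]  # (rule, user, detail)


def parse_log(text: str) -> List[dict]:
    """Parse the CSV export into rows, converting the timestamp to datetime."""
    return [{**rec, "ts": datetime.fromisoformat(rec["ts"])}
            for rec in csv.DictReader(StringIO(text))]


def detect(rows: Iterable[dict], authorised=AUTHORISED,
           window: timedelta = WINDOW, threshold: int = BULK_THRESHOLD) -> List[Alert]:
    """Two rules over .zed reads: (1) a read by an account outside the allowlist,
    (2) one account reading >= threshold distinct containers within the window."""
    alerts: List[Alert] = []
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    already_bulk = set()
    for r in sorted(rows, key=lambda r: r["ts"]):
        if r["action"] != "read" or not r["path"].lower().endswith(".zed"):
            continue
        user, ts, path = r["user"], r["ts"], r["path"]
        if user not in authorised:
            alerts.append(("unexpected_account", user, path))
        dq = recent[user]
        dq.append((ts, path))
        while dq and ts - dq[0][0] > window:  # drop reads older than the window
            dq.popleft()
        distinct = {p for _, p in dq}
        if len(distinct) >= threshold and user not in already_bulk:
            already_bulk.add(user)  # one alert per user per sweep, not per file
            alerts.append(("bulk_container_read", user,
                           f"{len(distinct)} containers within {window}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:<22} {user:<12} {detail}")
```

On the sample data the service account trips the allowlist rule at 11:20 and bob's late-night sweep trips the bulk rule at the fifth distinct container; bob's single morning read falls outside the window and is not counted. Tune the allowlist, window and threshold to the environment before running it over real exports.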