Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

SmarterTools SmarterMail Authentication Bypass Vulnerability in Password Reset API

Vulnerability

An authentication bypass vulnerability has been identified in the SmarterTools SmarterMail password reset API, affecting versions prior to build 9511. The vulnerability exists in the 'force-reset-password' endpoint, which allows anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. This oversight enables an unauthenticated attacker to reset the password of a target administrator by providing a username and a new password, leading to full administrative access on the SmarterMail instance.

Impact

Exploitation of this vulnerability allows for unauthorized password resets of system administrator accounts, resulting in full administrative access on the affected SmarterMail instance.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/v1/auth/force-reset-password' endpoint. Include a JSON payload with the 'IsSysAdmin' field set to 'true', the 'Username' of the target administrator account, and the 'NewPassword' and 'ConfirmPassword' fields set to the desired new password. The request can be made without authentication, and if successful, the response will indicate that the password has been reset.

Remediation

Users are advised to upgrade to SmarterTools SmarterMail version 9511 or later, where this vulnerability has been patched.
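Two defender-side checks follow from the description and the remediation above: which access-log entries match the advisory's pattern (an unauthenticated POST to the 'force-reset-password' endpoint that succeeded) and whether an installed build is below the fixed build 9511. The helpers below are an added example, not SmarterTools code; the simplified W3C-style log format, the 'Authorization' column, and the version-string formats handled by 'parse_build' are assumptions, and the log lines are constructed.

```python
"""Triage helpers for the SmarterMail force-reset-password advisory.

Added example (not SmarterTools code). Assumes a simplified W3C-style
access log with the fields:
    date time c-ip cs-method cs-uri-stem sc-status cs(Authorization)
where cs(Authorization) is '-' when no Authorization header was sent.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Endpoint and first fixed build, both taken from the advisory.
RESET_PATH = "/api/v1/auth/force-reset-password"
FIXED_BUILD = 9511

# Constructed sample log lines (documentation IP ranges).
SAMPLE_LOG = """\
2026-01-22 14:02:11 203.0.113.10 POST /api/v1/auth/force-reset-password 200 -
2026-01-22 14:02:15 198.51.100.7 GET /interface/root 200 Bearer
2026-01-22 14:03:40 203.0.113.10 POST /api/v1/auth/force-reset-password 200 -
2026-01-22 14:05:02 192.0.2.5 POST /api/v1/auth/force-reset-password 401 Bearer
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<auth>\S+)$"
)


@dataclass(frozen=True)
class ResetHit:
    timestamp: str
    source_ip: str
    status: int
    authenticated: bool  # True if any Authorization header was present


def find_reset_hits(log_text):
    """Return every POST to the reset endpoint found in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != RESET_PATH:
            continue
        hits.append(ResetHit(
            timestamp=f"{m['date']} {m['time']}",
            source_ip=m["ip"],
            status=int(m["status"]),
            authenticated=m["auth"] != "-",
        ))
    return hits


def suspicious_hits(log_text):
    """Hits matching the advisory: no Authorization header and a 2xx response.

    A legitimate, authenticated reset carries credentials; an anonymous
    request that still succeeded is the pattern worth escalating.
    """
    return [h for h in find_reset_hits(log_text)
            if not h.authenticated and 200 <= h.status < 300]


def sources_by_count(log_text):
    """Count suspicious hits per source IP, most active first."""
    return Counter(h.source_ip for h in suspicious_hits(log_text)).most_common()


def parse_build(version_string):
    """Extract the numeric build from strings such as 'Build 9511' or
    '100.0.9511' (assumed formats: the last run of four or more digits)."""
    matches = re.findall(r"\d{4,}", version_string)
    if not matches:
        raise ValueError(f"no build number in {version_string!r}")
    return int(matches[-1])


def is_vulnerable_build(build):
    """Builds prior to 9511 are affected according to the advisory."""
    return int(build) < FIXED_BUILD


if __name__ == "__main__":
    for hit in suspicious_hits(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.source_ip} unauthenticated reset -> HTTP {hit.status}")
    print("per-source counts:", sources_by_count(SAMPLE_LOG))
    for v in ("Build 9500", "100.0.9511"):
        print(v, "vulnerable" if is_vulnerable_build(parse_build(v)) else "fixed")
```

In the sample data, the two anonymous requests from 203.0.113.10 are flagged while the authenticated 401 from 192.0.2.5 is not; on a real server the same filter, run over the actual access logs around the vulnerable window, gives the list of accounts and sources to review before or alongside the upgrade.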

Added: Jan 22, 2026, 3:21 PM
Updated: Jan 26, 2026, 8:11 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 7.5
exploitability: 9.6
remediation: 7.7
relevance: 2.2
threat: 9.6
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.