DMARC News: Recent Updates on Email Authentication Standards and Security

Email security is the talking point in corridors of cyber expertise, where experts are constantly devising ways to be one step ahead of the cyber adversaries. Following are this week’s developments in cyberspace concerning email security and email authentication standards.

A Gift From Apple: Security Standard For Email Identification may become Urgent for Businesses

Apple’s recently announced planned support for BIMI in iOS 16 and macOS Ventura created increased urgency for enterprises to secure VMC or Verified Mark Certificates that are a visual representation of security. The BIMI certification will validate the organizations’ invested efforts in strong email security standards, available only to those who have passed the stringent DMARC checks.

Data & Marketing Association 2021 Consumer Email Tracker states that over 68% of consumers see brand recognition as crucial when deciding if they want to open an email. BIMI combines robust email authentication standards using DMARC with VMCs (Verified Mark Certificates), which enable the sender to display their registered, trusted trademark in the customer’s inbox.

How it works

BIMI allows organizations to verify the authenticity of emails they send. After verification, the system displays the brand logo in a specific position inside a supporting email client. BIMI is a text file maintained on the sender’s server, which the end traffic handling ISPs can then check to verify authenticity. Integrating with the email client, BIMI and DMARC make it challenging for hackers to figure out a way to display their spoofed logo. Thus, the customers can verify if an email is genuine and delete the ones that are not.

1. Cisco Secure Email Bug Can Allow Hackers To Bypass Authentication

Cisco notified its customers this week to patch a vulnerability using which the hackers could bypass authentication and login to Cisco email gateway appliances’ web management interface with non-default configurations.

The tracked security flaw (CVE-2022-20798) was detected in hardware and virtual Cisco Secure Email and Web Manager and Cisco Email Security Appliance.

2. Doesn’t Affect Default Configurations

A noticeable development was that the bug only affected appliances configured for using LDAP and external authentication as the authentication protocol. Luckily by default, Cisco claimed that the external authentication feature was disabled, meaning the impacted devices were those with non-default configurations. To check if you have external authentication enabled on your appliance, follow the below steps:

• Login to your web-based management interface
• Click on System Administration > Users
• Check if a green check box is next to “Enable External Authentication.”

Cisco also said that the vulnerability mentioned above did not affect the Cisco Secure Web Appliance, previously called Cisco Web Security Appliance (WSA). The CVE-2022-20798 vulnerability appeared due to improper authentication checks on devices that used LDAP (Lightweight Directory Access Protocol) for external authentication.

3. Zimbra Email Vulnerability

A new severe vulnerability was detected in the Zimbra email suite using which an unauthorized hacker can steal cleartext passwords of users without any user interaction.

After getting the consequent access to the victim’s mailbox, cyber adversaries can potentially access the targeted enterprises and steal highly sensitive information. The vulnerability, characterized as CVE-2022-27924 (CVSS score: 7.5), is a case of “Unauthenticated request Memcached poisoning.” Thus, it can lead to a scenario where the attacker can siphon sensitive information by injecting malicious commands.

Zimbra uses the Memcached server to look up Zimbra users, forwarding their HTTP requests to specific backend services. Attackers poison the IMAP route cache entries present in the Memcached server. Memcached, an in-memory key-value storage system, can be used as a session store or high-performance cache for API calls and external databases.

Since Memcached parses all incoming requests line-by-line, hackers inject the vulnerability as a specially crafted lookup request containing CRLF characters that make the server execute unintended commands. Thus, the attacker can corrupt the cache and overwrite an entry to forward the IMAP traffic to a compromised server, including the victim’s credentials in cleartext.

4. Google Does Not Allow Usernames and Passwords on third-Party Email Applications

Many users noticed a few days back that apps like Thunderbird, Outlook, and other email clients started asking them for Google passwords. When they entered their Google password, the apps rejected them, saying it was incorrect. Google began re-thinking how it connects to other email clients and locking down its email service, retiring the less secure apps. It is a feature that, when enabled, allows users to use their Google ID and password to sign in to the email client, thus weakening their account’s overall security.

Google, which keeps its users’ interest foremost, said that they can still use Google on third-party apps provided they meet either one of the two conditions:

• Users must use an app-specific password. Your Google account uses app-specific passwords in conjunction with two-factor authentication.
• The app must support “OAuth2,” an authentication method that allows you to authenticate after signing in to Google and grant the application access to your Google account.

With email security becoming the talking point in the cybersecurity industry, most global inboxes have started accepting the DMARC standard — including ones hosted by Google, Yahoo, Microsoft, AOL, and other major email service providers. Thus DMARC solutions and email authentication are becoming necessary to prevent phishing attacks. You can get a free trial and test DMARC for your domain at dmarcreport.com.