In the fast-evolving world of cybersecurity, vulnerabilities in widely-used software can have far-reaching consequences. RoundCube, a popular open-source webmail client, is no exception. Recently, three critical vulnerabilities were discovered, and addressing them is crucial for securing your webmail environment. Here, we discuss the newly identified vulnerabilities, the importance of timely upgrades, and guide you through updating your Enhance Server to the latest RoundCube version.
Recent Vulnerabilities in RoundCube
The following vulnerabilities in RoundCube were recently discovered, and updating to the latest version is strongly advised to mitigate these risks:
These security flaws are concerning as hackers often target RoundCube, especially given its usage among organizations handling sensitive data. Earlier this year, CISA issued a warning regarding CVE-2023-43770, a critical cross-site scripting (XSS) vulnerability, urging federal organizations to patch it within two weeks.
The latest version, RoundCube 1.6.9, was released on September 1 and addresses these vulnerabilities. It’s highly recommended to always check for the latest available version on the official RoundCube release page.
Preparation for the Upgrade
Before upgrading, identify the user running the RoundCube container on your Enhance server. Typically, this is webmail_1. If you have modified this configuration, you can verify the user with:
cat /etc/passwd
Important: PHP Disabled Functions
In our recommended security setup, certain PHP functions are disabled. However, for the RoundCube upgrade, temporarily enable the system and escapeshellarg functions, as they are required for the installation. Here’s how to update your disable_functions list:
Navigate to the Enhance Main Control Panel:
- Settings → Service → Application → PHP Settings
- Modify disable_functions so that it includes only these:
exec,passthru,shell_exec,escapeshellcmd,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname,pcntl_exec,expect_popen
Upgrading RoundCube
Step 1: Upgrade on Main Control Panel Server
# Log in as the RoundCube user:
su - webmail_1
# Download the latest RoundCube version:
wget https://github.com/roundcube/roundcubemail/releases/download/1.6.9/roundcubemail-1.6.9-complete.tar.gz
# Extract the files:
tar -xvzf roundcubemail-1.6.9-complete.tar.gz
cd roundcubemail-1.6.9
# Run the installer:
bin/installto.sh -y ../public_html
# Clean up after installation:
rm -rf ~/roundcubemail-1.6.9*
Step 2: Upgrade on Other Servers in Your Cluster (Mail Servers Only)
For each mail server in your Enhance cluster, repeat the process using roundcubelocal as the user:
su - roundcubelocal
wget https://github.com/roundcube/roundcubemail/releases/download/1.6.9/roundcubemail-1.6.9-complete.tar.gz
tar -xvzf roundcubemail-1.6.9-complete.tar.gz
cd roundcubemail-1.6.9
bin/installto.sh -y ../public_html
rm -rf ~/roundcubemail-1.6.9*
Final Security Check
After the upgrade, verify the installation, ensure all RoundCube functions work correctly, and re-enable your recommended security settings for PHP functions. Keeping RoundCube updated not only mitigates vulnerabilities but also strengthens your webmail’s overall security posture.
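The two checks above (installer functions enabled before the upgrade, hardening restored and the expected version present afterwards) can be scripted. The following is an added example, not code from the original post, from Enhance or from the RoundCube project. It assumes the disable_functions value is pasted in as a string, that the hardened setting is the list from this post plus system and escapeshellarg, and that an installed RoundCube tree defines RCMAIL_VERSION in program/include/iniset.php as define('RCMAIL_VERSION', '1.6.9'); the RoundCube trees it inspects are constructed fixtures.

```shell
#!/bin/sh
# Added example (not from the original post, Enhance or Roundcube): pre-flight
# and post-flight checks for the upgrade procedure described above.
# Assumptions: disable_functions is supplied as a string, and a Roundcube tree
# defines RCMAIL_VERSION in program/include/iniset.php as
#   define('RCMAIL_VERSION', '1.6.9');

# The two functions the post says bin/installto.sh needs.
REQUIRED_FOR_INSTALL="system escapeshellarg"

# Count how many of the required functions appear in a disable_functions value.
# Entries are matched whole (",name,"), so "system" never matches a longer name.
count_disabled() {
    dfl=$(printf ',%s,' "$1" | tr -d ' ')
    n=0
    for fn in $REQUIRED_FOR_INSTALL; do
        case "$dfl" in
            *",$fn,"*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Pre-flight: succeed only if neither required function is disabled.
installer_functions_enabled() {
    [ "$(count_disabled "$1")" -eq 0 ]
}

# Post-flight: succeed only if every required function is disabled again.
hardening_restored() {
    dfl="$1"
    set -- $REQUIRED_FOR_INSTALL
    [ "$(count_disabled "$dfl")" -eq $# ]
}

# Read RCMAIL_VERSION out of a Roundcube tree (assumed define() line format).
installed_version() {
    sed -n "s/.*define('RCMAIL_VERSION', *'\([^']*\)').*/\1/p" \
        "$1/program/include/iniset.php"
}

# Succeed if dotted numeric version $1 is strictly older than $2.
version_older() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# Constructed fixture: a fake Roundcube tree carrying a given version string.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/program/include"
    printf "<?php\ndefine('RCMAIL_VERSION', '%s');\n" "$1" \
        > "$dir/program/include/iniset.php"
    echo "$dir"
}

# disable_functions list from the post (installer can run), and the same list
# with the two functions added back, assumed here to be the hardened setting.
RELAXED="exec,passthru,shell_exec,escapeshellcmd,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname,pcntl_exec,expect_popen"
HARDENED="$RELAXED,system,escapeshellarg"
TARGET="1.6.9"

# Pre-flight against a constructed 1.6.8 tree.
OLD=$(make_fixture 1.6.8)
if installer_functions_enabled "$RELAXED" \
   && version_older "$(installed_version "$OLD")" "$TARGET"; then
    echo "pre-flight ok: installer functions enabled, $(installed_version "$OLD") < $TARGET"
fi

# Post-flight against a constructed 1.6.9 tree.
NEW=$(make_fixture "$TARGET")
if [ "$(installed_version "$NEW")" = "$TARGET" ] && hardening_restored "$HARDENED"; then
    echo "post-flight ok: $TARGET installed, system/escapeshellarg disabled again"
fi
rm -rf "$OLD" "$NEW"
```

On a real server, point installed_version at the RoundCube public_html directory of the webmail user and paste the current disable_functions value from the PHP Settings page; the whole-entry match in count_disabled is what keeps a name such as posix_setuid from being mistaken for a shorter function.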
Conclusion
With cyber threats targeting known software vulnerabilities, staying proactive with updates is vital. By following these steps, you can ensure your RoundCube instance on Enhance Server is up-to-date and protected against recent threats.
Stay secure, stay updated!