Security Advisories

Title: Incomplete logout
Date: 2018-08-20
Severity: medium

Summary

After logging out of the Admin Console, the login cookie was deleted from the browser but not invalidated on the server, so anyone who had retained a copy of it could still use the system.

Affected Systems

Mitigation

None required. The issue was fixed shortly after the report was received. Login cookies no longer work after a logout event, so a copy retained by someone else no longer grants access.
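The pattern behind this class of bug, as an added illustration (not IronCore's code): a logout that only tells the browser to drop the cookie, beside one that also removes the session on the server. SessionStore, login, logout and authenticate are hypothetical names.

```python
"""Session handling that demonstrates the incomplete-logout bug and its fix.

Added illustration, not IronCore's code. SessionStore, login, logout and
authenticate are hypothetical names. The point it shows: telling the browser
to delete the cookie does nothing for an attacker who already copied it; the
server must also forget the session.
"""
import secrets
import time


class SessionStore:
    def __init__(self, ttl_seconds=3600, server_side_logout=True):
        self._sessions = {}                  # session id -> (user, expiry)
        self.ttl = ttl_seconds
        self.server_side_logout = server_side_logout

    def login(self, user):
        """Create a session and return the value to place in the login cookie."""
        sid = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        self._sessions[sid] = (user, time.time() + self.ttl)
        return sid

    def authenticate(self, cookie_value):
        """Return the user for a presented cookie, or None if it is not valid."""
        entry = self._sessions.get(cookie_value)
        if entry is None:
            return None
        user, expiry = entry
        if time.time() > expiry:
            del self._sessions[cookie_value]
            return None
        return user

    def logout(self, cookie_value):
        """Return the response headers for a logout.

        Both modes send the expired Set-Cookie that clears the browser's copy.
        Only the fixed mode also removes the session on the server, which is
        what makes the cookie stop working for anyone who still holds it.
        """
        headers = {"Set-Cookie": "session=; Max-Age=0; Path=/; Secure; HttpOnly"}
        if self.server_side_logout:
            self._sessions.pop(cookie_value, None)
        return headers


def cookie_usable_after_logout(server_side_logout):
    """Simulate an attacker who copied the cookie before the user logged out.

    Returns True if the copied cookie still authenticates afterward.
    """
    store = SessionStore(server_side_logout=server_side_logout)
    cookie = store.login("alice")
    stolen_copy = cookie                     # e.g. read from a shared machine
    assert store.authenticate(stolen_copy) == "alice"
    store.logout(cookie)                     # user's browser drops the cookie
    return store.authenticate(stolen_copy) is not None


if __name__ == "__main__":
    print("vulnerable logout, cookie still works:", cookie_usable_after_logout(False))
    print("fixed logout, cookie still works:", cookie_usable_after_logout(True))
```

The same check applies to any framework: after calling its logout routine, replay the old cookie value against an authenticated endpoint and confirm the server rejects it rather than relying on the browser having discarded it.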

Acknowledgements

Thanks to Jayesh Patel for this report on 2018-08-04, and to Sumit Jain, who reported it a short time later.

Title: Missing SPF records on subdomains
Date: 2018-08-28
Severity: low

Summary

Certain ironcorelabs.com subdomains had no SPF records, so mail forged with one of those subdomains as the sender domain would not fail SPF checks.
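A coverage check for this class of gap, as an added example (not IronCore's tooling). SPF records are not inherited by subdomains, so each hostname that could appear as a sender domain needs its own record; the TXT answers below are constructed, and the DNS lookup is a callable the caller supplies.

```python
"""Audit SPF coverage across a set of hostnames.

Added example, not IronCore's tooling. SPF records are not inherited: a
subdomain with no TXT record beginning "v=spf1" has no SPF policy at all (RFC
7208), so every hostname that could appear as a MAIL FROM domain needs its own
record, and subdomains that never send mail should publish "v=spf1 -all". The
DNS lookup is a callable passed in by the caller; SAMPLE_TXT below is a
constructed stand-in for real answers.
"""
import re

# Constructed TXT answers keyed by hostname (not real DNS data).
SAMPLE_TXT = {
    "ironcorelabs.com": ["v=spf1 include:_spf.example.net -all",
                         "google-site-verification=abc123"],
    "mail.ironcorelabs.com": ["v=spf1 ip4:192.0.2.10 ~all"],
    "docs.ironcorelabs.com": [],                                  # no SPF at all
    "old.ironcorelabs.com": ["v=spf1 -all", "v=spf1 a -all"],     # two records
    "dev.ironcorelabs.com": ["v=spf1 include:_spf.example.net"],  # no "all"
}

_SPF_VERSION = re.compile(r"^v=spf1(?:\s|$)", re.IGNORECASE)
_ALL_MECH = re.compile(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", re.IGNORECASE)


def spf_records(txt_values):
    """Return only the TXT strings that are SPF records."""
    return [v for v in txt_values if _SPF_VERSION.match(v)]


def classify(txt_values):
    """Describe the SPF posture implied by one hostname's TXT records."""
    records = spf_records(txt_values)
    if not records:
        return "missing"
    if len(records) > 1:
        return "multiple"        # RFC 7208 4.5: more than one record is a permerror
    match = _ALL_MECH.search(records[0])
    if match is None:
        return "no-all"          # unlisted senders get an implicit "?all" (neutral)
    qualifier = match.group(1) or "+"
    return {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass-all"}[qualifier]


# Postures a reviewer would flag: everything except a hard fail for unlisted senders.
WEAK = {"missing", "multiple", "no-all", "neutral", "pass-all", "softfail"}


def audit(hostnames, lookup_txt):
    """Map each hostname to its SPF posture using lookup_txt(host) -> list[str]."""
    return {host: classify(lookup_txt(host)) for host in hostnames}


def weak_hosts(hostnames, lookup_txt):
    """Hostnames whose SPF posture is in WEAK, sorted for stable reports."""
    return sorted(h for h, posture in audit(hostnames, lookup_txt).items()
                  if posture in WEAK)


if __name__ == "__main__":
    sample_lookup = lambda h: SAMPLE_TXT.get(h, [])
    for host, posture in audit(SAMPLE_TXT, sample_lookup).items():
        print(f"{host:28} {posture}")
```

Against live DNS, `lookup_txt` would wrap `dig +short TXT <host>` or dnspython's `dns.resolver.resolve(host, "TXT")`, and the hostname list would come from certificate transparency logs or the zone file rather than from guesswork, since the subdomains nobody remembers are the ones most likely to be missing a record.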

Acknowledgements

Thanks to Shivam Lohani for the report.

Title: CORS misconfiguration
Date: 2019-02-04
Severity: low

Summary

A CORS misconfiguration was detected on IronCore's primary website.

Affected Systems

Mitigation

The endpoint in question was part of the web hosting platform and has since been disabled.
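A probe for the common forms of this misconfiguration, as an added example (not IronCore's code, and not tied to the specific endpoint above). The `fetch(origin)` callable, SITE_ORIGINS allowlist and the two stand-in server functions are assumptions for illustration.

```python
"""Probe an endpoint for the common CORS misconfigurations.

Added example, not IronCore's code, and not tied to the specific endpoint in
this advisory. fetch(origin) is a caller-supplied callable that sends a
request carrying that Origin header and returns the response headers; the two
server functions below are constructed stand-ins for a reflecting (unsafe)
and an allowlisting (safe) endpoint. SITE_ORIGINS is an assumed allowlist.
"""

SITE_ORIGINS = {"https://ironcorelabs.com", "https://www.ironcorelabs.com"}

# Origins an attacker can actually present, chosen to defeat naive matching.
PROBES = [
    "https://attacker.example",                     # unrelated origin
    "null",                                         # sandboxed iframe / data: URL
    "https://ironcorelabs.com.attacker.example",    # prefix match on the domain
    "https://evilironcorelabs.com",                 # suffix match on the domain
    "http://ironcorelabs.com",                      # scheme downgrade
]


def reflecting_server(origin):
    """Constructed unsafe endpoint: echoes any Origin and allows credentials."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def allowlisted_server(origin):
    """Constructed safe endpoint: exact-match allowlist, no CORS headers otherwise."""
    if origin in SITE_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def cors_findings(fetch, site_origins=SITE_ORIGINS):
    """Return (probe_origin, problem) pairs for each probe the endpoint accepts."""
    findings = []
    for origin in PROBES:
        headers = {k.lower(): v for k, v in fetch(origin).items()}
        acao = headers.get("access-control-allow-origin")
        with_creds = headers.get("access-control-allow-credentials", "").lower() == "true"
        if acao is None:
            continue                         # no CORS grant: the browser blocks the read
        if acao == "*":
            if with_creds:
                # Browsers refuse "*" together with credentials, but the pair
                # shows the server meant to expose credentialed responses to all.
                findings.append((origin, "wildcard combined with credentials"))
            continue
        if acao == origin and origin not in site_origins:
            problem = "reflects untrusted origin"
            if with_creds:
                problem += " with credentials (authenticated data readable cross-site)"
            findings.append((origin, problem))
    return findings


if __name__ == "__main__":
    for origin, problem in cors_findings(reflecting_server):
        print(f"{origin:45} {problem}")
    print("allowlisted endpoint:", cors_findings(allowlisted_server))
```

Against a real endpoint, `fetch` would be something like `lambda o: dict(requests.get(url, headers={"Origin": o}).headers)`; the same probes should also be sent as OPTIONS preflights, since some platforms answer those with a different policy than the actual request.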

Acknowledgements

Thanks to Shubham Garg for this report.

Title: Regression reducing the randomness for some operations
Date: 2019-10-30
Severity: high

Summary

A regression introduced in recrypt-rs 0.8.0 reduced the amount of randomness used by some operations. The affected 256-bit operations were:

  • CryptoOps::gen_plaintext
  • CryptoOps::transform
  • KeyGenOps::generate_transform_key

480-bit operations were not affected.

Affected Systems

All impacted versions have been removed from distribution, and patch releases containing the fix have been published.

Related Issues

A CVE notice will be forthcoming.

Mitigation

We recommend that all users upgrade as soon as possible. In addition, because key generation is among the affected operations, material produced with a vulnerable version should be replaced:

  • Regenerate any keys generated while using a vulnerable library if they are used for production purposes.
  • Every encryption operation generates a per-object key, so re-encrypt all documents encrypted with these versions of the SDKs, using new document IDs.
  • Re-create any groups created with these versions of the SDKs, and encrypt any data that was encrypted to the old groups to the new ones.

Acknowledgements

This issue was found by our team during internal testing.
