Dovecot vulnerability (DOV-5320), is DA affected?

CrazyFrog (Verified User, joined Aug 28, 2019, 43 messages)
Today a vulnerability in Dovecot (pop3/imap server) was announced. In insecure configurations, it could allow users to become Dovecot 'master users'.

Is DirectAdmin affected by this? I am not so keen on the internals of how DA handles authentication for Dovecot. Maybe DA is unaffected by this problem. The Dovecot committer thinks insecure configurations should not be common. I hope somebody with more experience in DA can look at this issue. If we are vulnerable, I guess we'll have to wait for a new Dovecot release and update it ASAP...

Affected product: Dovecot IMAP Server
Internal reference: DOV-5320
Vulnerability type: Improper Access Control (CWE-284)
Vulnerable version: 2.2 and newer
Vulnerable component: auth
Report confidence: Confirmed
Solution status: Fixed in main
Researcher credits: Julian Brook (julezman)
Vendor notification: 2022-05-06
CVE reference: CVE-2022-30550
CVSS: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)

Vulnerability Details:
When two passdb configuration entries exist in Dovecot configuration, which have the same driver and args settings, the incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation with certain configurations involving master user authentication.

Dovecot documentation does not advise against the use of passdb definitions which have the same driver and args settings. One such configuration would be where an administrator wishes to use the same pam configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user.

Risk:
If the same passwd file or PAM is used for both normal and master users, it is possible for an attacker to become a master user.

Workaround:
Always authenticate master users from a different source than regular users, e.g. using a separate passwd file. Alternatively, you can use global ACLs to ensure that only legitimate master users have privileged access.

Fix:
This has been fixed in main branch. See https://github.com/dovecot/core/compare/7bad6a24^..a1022072.patch
Edit: fixed vulnerable version and component.
 
That is excellent, thank you! :) My machines are all at Dovecot 2.3.19.1 (made with CustomBuild).

So if we updated recently, it seems that we are safe!
 
You're welcome.
You are safe indeed, but it's good to know for others who did not update their systems regularly, that they really should do this now. ;)
 
Oops:
Hi all, unfortunately two mistakes crept into this notification. Apologies for that.

The correct component for this is "auth", and the affected version should have been "2.2 and newer".
So it does seem to affect current Dovecot versions... That brings me back to the original question, would our configuration be vulnerable?
 
That brings me back to the original question, would our configuration be vulnerable?
No it's not.
As you can see from your own post, it has been fixed in the main branch.
That was on May 9th, and on May 10th Dovecot 2.3.19 was released. So that is already a patched/fixed version.

The current version being 2.3.19.1 was released June 14th with some important other fixes. So the vulnerability was already fixed in the previous release.
 
@jamgames2 Seems I'm misunderstanding something between fix in main branch and commit since I'm not native English.
I thought fix in main branch was fixed in next version. But that seems wrong. I don't quite understand the difference still.
Don't understand why they write in May that it's fixed in main, and then almost 2 months later it seems really to get fixed. How is that?

Just read: the version impacted is from 2.2 to 2.3.19.1. So @CrazyFrog, it seems this would mean that theoretically DA would be vulnerable, however:
If same passwd file or PAM is used for both normal and master users, it is possible for attacker to become master user.
Don't know if DA is using the same. Indeed smtalk can answer this.

Sorry for my mistake.
 
IMHO -

1. From its statement - "When two passdb configuration entries exist in Dovecot configuration, which have the same driver and args settings"

I browsed 3 servers' configuration (different OS versions), /etc/dovecot/dovecot.conf; more or less it looks like this:
!include_try conf/custom_passdb.conf

passdb {
  username_filter = !*@*
  driver = shadow
}

passdb {
  username_filter = *@*
  args = username_format=%n /etc/virtual/%d/passwd
  driver = passwd-file
}
The 2 passdb entries are, at least, of different drivers (assuming no custom_passdb is used).
It seems (I guess) not vulnerable.


2. About master user, I do not find "master = yes" configuration inside DirectAdmin dovecot.conf
ref.: https://doc.dovecot.org/configuration_manual/authentication/master_users/


3. From the post - "the version impacted is from 2.2 to 2.3.19.1" https://dovecot.org/pipermail/dovecot-news/2022-July/000478.html
It looks like it is not patched in 2.3.19.1.
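The advisory's trigger condition (two passdb blocks sharing the same driver and args) and the manual config review in the post above can be automated with a small checker. This is an added example, not code from the thread or from Dovecot; it uses a simplified parser for flat top-level passdb blocks, and both sample configs are constructed (the first mirrors the DirectAdmin fragment quoted above, the second is a hypothetical same-source master/normal setup of the kind the advisory describes).

```python
import re
from collections import defaultdict

# Constructed sample 1: the DirectAdmin-style fragment quoted in the thread.
DA_STYLE_CONF = """
!include_try conf/custom_passdb.conf

passdb {
  username_filter = !*@*
  driver = shadow
}

passdb {
  username_filter = *@*
  args = username_format=%n /etc/virtual/%d/passwd
  driver = passwd-file
}
"""

# Constructed sample 2: hypothetical config that relies on username_filter to
# separate master users from normal users while reading the SAME passwd file.
RISKY_CONF = """
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
  username_filter = *@*
}

passdb {
  driver = passwd-file
  args = /etc/dovecot/users
  username_filter = admin*
  master = yes
}
"""

def parse_passdb_blocks(conf_text):
    """Return one dict of settings per top-level passdb { ... } block (no nesting)."""
    blocks = []
    for body in re.findall(r"passdb\s*\{([^}]*)\}", conf_text):
        settings = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()      # drop comments
            if "=" in line:
                key, value = line.split("=", 1)      # args may itself contain '='
                settings[key.strip()] = value.strip()
        blocks.append(settings)
    return blocks

def find_shared_passdb_sources(conf_text):
    """Group passdb blocks by (driver, args); return only groups with more than one block."""
    groups = defaultdict(list)
    for idx, block in enumerate(parse_passdb_blocks(conf_text)):
        groups[(block.get("driver"), block.get("args", ""))].append(idx)
    return {key: idxs for key, idxs in groups.items() if len(idxs) > 1}
```

An empty result means no two passdb entries read from the same source, so the condition in the advisory does not apply; a non-empty result names the blocks that should be split onto separate sources (e.g. a dedicated passwd file for master users).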
 