Bug 677350 (CVE-2019-3814)

Summary: <net-mail/dovecot-2.3.4.1: Suitable client certificate can be used to login as other user (CVE-2019-3814)
Product: Gentoo Security
Reporter: Jeroen Roovers (RETIRED) <jer>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: eras, hydrapolic, net-mail+disabled
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://dovecot.org/list/dovecot/2019-February/114575.html
Whiteboard: B2 [glsa+ glsa+ blocked]
Package list:
Runtime testing required: ---
Bug Depends on: 681922
Bug Blocks:

Description Jeroen Roovers (RETIRED) gentoo-dev 2019-02-06 13:39:48 UTC
Product: Dovecot
Vendor: Open-Xchange Oy
Internal reference: DOV-2890 (Bug ID)
Vulnerability type: Improper Authentication - Generic (CWE287)
Vulnerable versions: 1.1.0 - 2.2.36 and 2.3.0 - 2.3.4
Vulnerable component: authentication
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed versions: 2.2.36.1, 2.3.4.1
Vendor notification: 2019-01-16
Solution date: 2019-01-20
Public disclosure: 2019-02-05
Researcher Credits: https://hackerone.com/halfdog
CVE reference: CVE-2019-3814
CVSS: 8.2 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)

Vulnerability Details:
Normally Dovecot is configured to authenticate
imap/pop3/managesieve/submission clients using regular username/password
combination. Some installations have also required clients to present a
trusted SSL certificate on top of that. It's also possible to configure
Dovecot to take the username from the certificate instead of from the
user provided authentication. It's also possible to avoid having a
password at all, only trusting the SSL certificate.

If the provided trusted SSL certificate is missing the username field,
Dovecot should be failing the authentication. However, the earlier
versions will take the username from the user provided authentication
fields (e.g. LOGIN command). If there is no additional password
verification, this allows the attacker to login as anyone else in the
system.

...
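An added illustration of the two behaviours the advisory above describes (example code, not Dovecot's source and not part of this bug report): a check of a Dovecot version against the advisory's vulnerable ranges, and a model of the username selection with the client-name fallback that the fix removes. The setting name ssl_cert_username_field is assumed from Dovecot's configuration; the function names and the sample certificate subjects are constructed.

```python
"""Model of the CVE-2019-3814 username-selection flaw and a version check.

Added illustration, not Dovecot source code. The setting name
ssl_cert_username_field (default commonName) is Dovecot's; the function
names and the sample certificate subjects are constructed for this example.
"""
from typing import Optional

# Vulnerable ranges as stated in the advisory: 1.1.0 - 2.2.36 and 2.3.0 - 2.3.4.
VULNERABLE_RANGES = [((1, 1, 0), (2, 2, 36)), ((2, 3, 0), (2, 3, 4))]


def parse_version(text: str) -> tuple:
    """'2.3.4.1' -> (2, 3, 4, 1); tuple comparison orders releases correctly,
    so the fixed 2.3.4.1 sorts above the vulnerable 2.3.4."""
    return tuple(int(p) for p in text.strip().split("."))


def is_vulnerable_version(text: str) -> bool:
    """True if the given Dovecot version falls inside a vulnerable range."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def username_vulnerable(cert_subject: dict, login_user: str,
                        field: str = "commonName") -> Optional[str]:
    """Pre-fix behaviour: when the trusted certificate lacks the username
    field, silently fall back to the name the client sent (e.g. LOGIN)."""
    return cert_subject.get(field) or login_user


def username_fixed(cert_subject: dict, login_user: str,
                   field: str = "commonName") -> Optional[str]:
    """Fixed behaviour: the certificate is the only source of the username.
    No field means authentication fails (None); the client-sent login_user
    is ignored rather than used as a fallback."""
    cert_user = cert_subject.get(field)
    return cert_user if cert_user else None


# Constructed sample certificate subjects (both assumed trusted by the CA).
GOOD_CERT = {"commonName": "alice", "organizationName": "Example Mail"}
NO_CN_CERT = {"organizationName": "Example Mail"}  # trusted, but no username

if __name__ == "__main__":
    print(username_vulnerable(NO_CN_CERT, "bob"))  # bob: impersonation
    print(username_fixed(NO_CN_CERT, "bob"))       # None: rejected
```

On a Gentoo host the installed version to feed into is_vulnerable_version comes from the net-mail/dovecot package version; anything at or above 2.2.36.1 or 2.3.4.1 is outside the ranges.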
Comment 1 Larry the Git Cow gentoo-dev 2019-02-07 05:59:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1ed10b03e89977986561e20a4bd53b5273b5272a

commit 1ed10b03e89977986561e20a4bd53b5273b5272a
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2019-02-07 05:57:25 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2019-02-07 05:58:27 +0000

    net-mail/dovecot: security bump to 2.3.4.1
    
    Bug: https://bugs.gentoo.org/677350
    
    Package-Manager: Portage-2.3.59, Repoman-2.3.12
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest               |   1 +
 net-mail/dovecot/dovecot-2.3.4.1.ebuild | 293 ++++++++++++++++++++++++++++++++
 2 files changed, 294 insertions(+)
Comment 2 Tomáš Mózes 2019-02-20 08:27:18 UTC
Time to stabilize?
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-04-11 21:27:13 UTC
@maintainer, which version do you want to stabilize here?  2.3.5.1 is stable on most already... just need to pickup alpha and s390.
Comment 4 Eray Aslan gentoo-dev 2019-04-12 05:21:36 UTC
We should go with stabilizing net-mail/dovecot-2.3.5.1 at bug #681922
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2019-04-17 18:34:01 UTC
This issue was resolved and addressed in GLSA 201904-19 at https://security.gentoo.org/glsa/201904-19 by GLSA coordinator Aaron Bauman (b-man).