Detections
Analytics

FreeBSD : mail/dovecot -- Suitable client certificate can be used to login as other user (1340fcc1-2953-11e9-bc44-a4badb296695)

medium Nessus Plugin ID 121604

Language:

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Aki Tuomi (Open-Xchange Oy) reports :

Normally Dovecot is configured to authenticate imap/pop3/managesieve/submission clients using regular username/password combination. Some installations have also required clients to present a trusted SSL certificate on top of that. It's also possible to configure Dovecot to take the username from the certificate instead of from the user provided authentication. It's also possible to avoid having a password at all, only trusting the SSL certificate.

If the provided trusted SSL certificate is missing the username field, Dovecot should be failing the authentication. However, the earlier versions will take the username from the user provided authentication fields (e.g. LOGIN command). If there is no additional password verification, this allows the attacker to login as anyone else in the system.

This affects only installations using :

auth_ssl_require_client_cert = yes auth_ssl_username_from_cert = yes

Attacker must also have access to a valid trusted certificate without the ssl_cert_username_field in it. The default is commonName, which almost certainly exists in all certificates. This could happen for example if ssl_cert_username_field is a field that normally doesn't exist, and attacker has access to a web server's certificate (and key), which is signed with the same CA.

Attack can be migitated by having the certificates with proper Extended Key Usage, such as 'TLS Web Server' and 'TLS Web Server Client'.

Also, ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This may have allowed users with trusted certificate to specify any username in the authentication. This does not apply to Dovecot Submission service.

Solution

Update the affected package.

See Also

https://www.mail-archive.com/[email protected]/msg76117.html

http://www.nessus.org/u?d9e599d0

Plugin Details

Severity: Medium

ID: 121604

File Name: freebsd_pkg_1340fcc1295311e9bc44a4badb296695.nasl

Version: 1.3

Type: local

Published: 2/6/2019

Updated: 2/20/2020

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:N

CVSS v3

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:dovecot, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Ease: No known exploits are available

Patch Publication Date: 2/5/2019

Vulnerability Publication Date: 1/16/2019

Reference Information

CVE: CVE-2019-3814