Bug 1123022 - (CVE-2019-3814) VUL-0: CVE-2019-3814: dovecot: Vulnerability in Dovecot related to SSL client certificate authentication
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/223684/
Whiteboard: CVSSv3:SUSE:CVE-2019-3814:8.2:(AV:N/A...
Reported: 2019-01-24 10:55 UTC by Karol Babioch
Modified: 2019-07-22 14:38 UTC
Found By: Security Response Team
Blocker: ---
Description Karol Babioch 2019-01-24 10:55:22 UTC
CVE-2019-3814 via distros

---
We have been made aware of a vulnerability in Dovecot related to SSL
client certificate authentication.

Normally Dovecot is configured to authenticate
imap/pop3/managesieve/submission clients using a regular username/password
combination. Some installations have also required clients to present a
trusted SSL certificate on top of that. It's also possible to configure
Dovecot to take the username from the certificate instead of from the
user provided authentication. It's also possible to avoid having a
password at all, only trusting the SSL certificate.

If the provided trusted SSL certificate is missing the username field,
Dovecot should be failing the authentication. However, the earlier
versions will take the username from the user provided authentication
fields (e.g. LOGIN command). If there is no additional password
verification, this allows the attacker to log in as anyone else in the
system.

This affects only installations using:

  * ssl_client_require_valid_cert = yes
  * auth_ssl_username_from_cert = yes

An attacker must also have access to a valid trusted certificate without
the ssl_cert_username_field in it. The default is commonName, which
usually exists in all certificates.

Also, the ssl_cert_username_field setting was ignored with external SMTP
AUTH, because none of the MTAs (Postfix, Exim) currently send the
cert_username field. This may have allowed users with a trusted
certificate to specify any username in the authentication. Does not
apply to Dovecot Submission service.

CVSS Score: 8.2 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)

This bug affects all Dovecot releases between v1.1.0 and v2.3.4.

This issue will be made public on 5.2.2019, when we release 2.2.36.1 and
2.3.4.1.

Please find patch-sets attached for 2.3 and 2.2 lineage of dovecot.

---
Aki Tuomi
Open-Xchange Oy
---

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3814
Comment 2 Karol Babioch 2019-01-24 10:59:10 UTC
CRD: 2019-02-05
Comment 3 Karol Babioch 2019-01-24 10:59:34 UTC
Follow-up message via distros:

===
Sorry for the garbled message, seems my client did something really
stupid when sending this...

We have been made aware of a vulnerability in Dovecot related to SSL
client certificate authentication.

Normally Dovecot is configured to authenticate
imap/pop3/managesieve/submission clients using a regular username/password
combination. Some installations have also required clients to present a
trusted SSL certificate on top of that. It's also possible to configure
Dovecot to take the username from the certificate instead of from the
user provided authentication. It's also possible to avoid having a
password at all, only trusting the SSL certificate.

If the provided trusted SSL certificate is missing the username field,
Dovecot should be failing the authentication. However, the earlier
versions will take the username from the user provided authentication
fields (e.g. LOGIN command). If there is no additional password
verification, this allows the attacker to log in as anyone else in the
system.

This affects only installations using:

  * auth_ssl_client_require_valid_cert = yes
  * auth_ssl_username_from_cert = yes

An attacker must also have access to a valid trusted certificate without
the ssl_cert_username_field in it. The default is commonName, which
almost certainly exists in all certificates.

Also, the ssl_cert_username_field setting was ignored with external SMTP
AUTH, because none of the MTAs (Postfix, Exim) currently send the
cert_username field. This may have allowed users with a trusted
certificate to specify any username in the authentication. Does not
apply to Dovecot Submission service.

CVSS Score: 8.2 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)

This bug affects all Dovecot releases between v1.1.0 and v2.3.4.

This issue will be made public on 5.2.2019, when we release 2.2.36.1 and
2.3.4.1.

Please find patch-sets attached for 2.3 and 2.2 lineage of dovecot.

---
Aki Tuomi
Open-Xchange Oy
===
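The two advisory texts above (the description and this follow-up) describe a username-selection decision: with `auth_ssl_username_from_cert = yes`, a trusted certificate that lacks the `ssl_cert_username_field` must fail the login, but affected versions fell back to the name the client supplied in the LOGIN command (and, for external SMTP AUTH, to whatever the MTA passed, since Postfix and Exim send no cert_username at all). The following Python is an added illustration written for this page, not Dovecot's code or the attached patches: it models the pre-fix fallback beside the fail-closed behaviour, and adds a check for the affected setting/version combination the advisory names. It assumes the setting names as shipped in Dovecot's `conf.d/10-ssl.conf` and `conf.d/10-auth.conf` (`auth_ssl_require_client_cert`, which the advisory text writes as `auth_ssl_client_require_valid_cert`, `auth_ssl_username_from_cert`, `ssl_cert_username_field`), treats 2.2.36.1 and 2.3.4.1 as the first fixed releases of their lines as the advisory states, and uses constructed certificate subjects.

```python
# Added example (not Dovecot's own code): a model of the username-selection
# decision that CVE-2019-3814 concerns, with the pre-fix fallback beside the
# fail-closed behaviour, plus a check for the affected configuration/version
# combination named in the advisory.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class AuthSettings:
    # Setting names as shipped in Dovecot's conf.d/10-ssl.conf and
    # conf.d/10-auth.conf; the advisory text spells the first one
    # "auth_ssl_client_require_valid_cert".
    auth_ssl_require_client_cert: bool = True
    auth_ssl_username_from_cert: bool = True
    ssl_cert_username_field: str = "commonName"


class AuthFailed(Exception):
    """Raised when the fixed logic refuses to pick a username."""


def cert_username(settings: AuthSettings, cert_subject: Dict[str, str]) -> Optional[str]:
    """Username carried by the trusted certificate, or None if the configured
    subject field is absent.  External SMTP AUTH through Postfix/Exim passes
    no cert_username at all; that case is modelled as an empty dict."""
    value = cert_subject.get(settings.ssl_cert_username_field)
    return value or None


def resolve_username_vulnerable(settings: AuthSettings, cert_subject: Dict[str, str],
                                login_username: str) -> str:
    """Pre-fix behaviour described in the advisory (Dovecot 1.1.0 .. 2.3.4):
    a certificate without the username field silently falls back to the
    name the client typed into the LOGIN/AUTH command."""
    if settings.auth_ssl_username_from_cert:
        name = cert_username(settings, cert_subject)
        if name is not None:
            return name
    return login_username


def resolve_username_fixed(settings: AuthSettings, cert_subject: Dict[str, str],
                           login_username: str) -> str:
    """Fail-closed behaviour: when the username must come from the certificate
    and the certificate does not carry it, authentication fails instead of
    trusting the client-supplied name."""
    if settings.auth_ssl_username_from_cert:
        name = cert_username(settings, cert_subject)
        if name is None:
            raise AuthFailed(
                "trusted certificate has no %s field; refusing client-supplied username %r"
                % (settings.ssl_cert_username_field, login_username))
        return name
    return login_username


def parse_version(version: str) -> Tuple[int, ...]:
    """'v2.3.4.1' -> (2, 3, 4, 1)."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def is_vulnerable_config(settings: AuthSettings, version: str) -> bool:
    """True when both settings from the advisory are enabled and the version
    falls in the affected range (v1.1.0 .. v2.3.4).  Assumes, as the advisory
    states, that 2.2.36.1 and 2.3.4.1 carry the fix and that later releases
    of each line keep it."""
    if not (settings.auth_ssl_require_client_cert and settings.auth_ssl_username_from_cert):
        return False
    ver = parse_version(version)
    if ver < (1, 1, 0):
        return False
    if ver >= (2, 3):
        return ver < (2, 3, 4, 1)
    if ver >= (2, 2):
        return ver < (2, 2, 36, 1)
    return True


if __name__ == "__main__":
    settings = AuthSettings()
    # Constructed certificate subjects for the demonstration.
    good_cert = {"commonName": "alice", "organizationName": "Example Org"}
    no_cn_cert = {"organizationName": "Example Org"}
    print("with CN:", resolve_username_fixed(settings, good_cert, "bob"))
    print("pre-fix, no CN:", resolve_username_vulnerable(settings, no_cn_cert, "bob"))
    try:
        resolve_username_fixed(settings, no_cn_cert, "bob")
    except AuthFailed as exc:
        print("fixed, no CN:", exc)
    for ver in ("2.2.31", "2.2.36.1", "2.3.3", "2.3.4.1"):
        print(ver, "affected" if is_vulnerable_config(settings, ver) else "not affected")
```

The version check is the part an administrator can act on from this bug alone: the SLE-12 line shipped `dovecot22-2.2.31` and SLE-15 `dovecot23-2.3.3`, both inside the affected range, so the decisive question for a site with both settings enabled is whether the patched package from the SUSE-SU updates below is installed, not the upstream version string by itself.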
Comment 4 Karol Babioch 2019-01-24 11:55:41 UTC
Created attachment 795240 [details]
cve-2019-3814-dovecot-2.3.tgz
Comment 5 Karol Babioch 2019-01-24 11:56:03 UTC
Created attachment 795241 [details]
cve-2019-3814-dovecot-2.2.tgz
Comment 6 Karol Babioch 2019-01-24 11:56:22 UTC
Patches are attached.
Comment 7 Bernhard Wiedemann 2019-02-03 19:35:08 UTC
This is an autogenerated message for IBS integration:
This bug (1123022) was mentioned in
https://build.suse.de/request/show/183500 SLE-15 / dovecot23
https://build.suse.de/request/show/183501 SLE-12 / dovecot22
Comment 8 Swamp Workflow Management 2019-02-05 15:30:10 UTC
This is an autogenerated message for OBS integration:
This bug (1123022) was mentioned in
https://build.opensuse.org/request/show/671912 Factory / dovecot23
Comment 9 Swamp Workflow Management 2019-02-15 11:10:41 UTC
SUSE-SU-2019:0414-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1119850,1123022,1124356
CVE References: CVE-2019-3814
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    dovecot23-2.3.3-4.7.4
Comment 10 Swamp Workflow Management 2019-02-25 23:10:19 UTC
openSUSE-SU-2019:0243-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1119850,1123022,1124356
CVE References: CVE-2019-3814
Sources used:
openSUSE Leap 15.0 (src):    dovecot23-2.3.3-lp150.3.3.1
Comment 12 Swamp Workflow Management 2019-04-08 13:31:12 UTC
SUSE-SU-2019:0900-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1111789,1123022,1130116
CVE References: CVE-2019-3814,CVE-2019-7524
Sources used:
SUSE OpenStack Cloud 7 (src):    dovecot22-2.2.31-19.14.2
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    dovecot22-2.2.31-19.14.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    dovecot22-2.2.31-19.14.2
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    dovecot22-2.2.31-19.14.2
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    dovecot22-2.2.31-19.14.2
SUSE Linux Enterprise Server 12-SP4 (src):    dovecot22-2.2.31-19.14.2
SUSE Linux Enterprise Server 12-SP3 (src):    dovecot22-2.2.31-19.14.2
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    dovecot22-2.2.31-19.14.2
SUSE Linux Enterprise Server 12-SP2-BCL (src):    dovecot22-2.2.31-19.14.2
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    dovecot22-2.2.31-19.14.2
SUSE Linux Enterprise Server 12-LTSS (src):    dovecot22-2.2.31-19.14.2
SUSE Enterprise Storage 4 (src):    dovecot22-2.2.31-19.14.2

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 13 Peter Varkoly 2019-04-15 07:49:04 UTC
Update released.
Comment 14 Swamp Workflow Management 2019-04-17 10:24:16 UTC
openSUSE-SU-2019:1220-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1111789,1123022,1130116
CVE References: CVE-2019-3814,CVE-2019-7524
Sources used:
openSUSE Leap 42.3 (src):    dovecot22-2.2.31-2.12.1
Comment 17 Alexander Bergmann 2019-07-22 09:24:42 UTC
Closing bug as fixed.