Bug 1028589 (CVE-2013-6171)

Summary: CVE-2013-6171 dovecot: passdb checkpassword authentication local bypass
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: janfrode, jkurik, mhlavink, pfrields
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 10:17:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1028590

Description Kurt Seifried 2013-11-08 20:04:46 UTC
Timo Sirainen reports:

Some usage of passdb checkpassword could have been exploitable by
local users. You may need to modify your setup to keep it working.
See http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security

From the dovecot wiki:

Security

The standard checkpassword design is incompatible with Dovecot's security model. If the system has local users and the checkpassword script setuid()s into a local user, the user is able to ptrace into the communication and change the authentication results. This is of course undesirable, so v2.2.7+ will just refuse to run in such environments by default. The possibilities to solve this are:

If possible, change the checkpassword to return userdb_uid and userdb_gid extra fields instead of using setuid() and setgid(). This also improves the performance.

If you can't change the script, you can make Dovecot's checkpassword-reply binary setuid or setgid (e.g. chgrp dovecot /usr/local/libexec/dovecot/checkpassword-reply; chmod g+s /usr/local/libexec/dovecot/checkpassword-reply)

If you don't have any untrusted local users and you just don't care about this check, you can set INSECURE_SETUID=1 environment e.g. with a wrapper checkpassword script.

External references:
http://www.dovecot.org/list/dovecot-news/2013-November/000264.html
http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729063
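
As an added illustration (not part of the bug report, the Dovecot wiki text quoted above, or Dovecot's own code), the POSIX shell script below sketches a checkpassword script written in the first style the wiki recommends: it authenticates against a small user table embedded in the script and, instead of setuid()ing into the local user before handing over to the reply program, returns userdb_uid and userdb_gid as extra fields through the environment and execs the reply program under the uid Dovecot started it with. The fd-3 credential layout, the EXTRA variable and the exit codes are the checkpassword conventions Dovecot documents; the user table, the lookup/checkpassword function names and the use of env as a stand-in reply program are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or Dovecot): a checkpassword script
# that returns userdb_uid/userdb_gid as extra fields instead of calling
# setuid()/setgid() into the local user before exec'ing the reply program.
#
# checkpassword conventions relied on here (as documented by Dovecot):
#   - credentials arrive on fd 3 as "username\0password\0"
#   - on success the script execs "$1" (Dovecot's checkpassword-reply) with
#     the result in the environment; EXTRA lists the extra fields to return
#   - exit 1 on authentication failure, 111 on temporary failure

# Constructed user table, "user:password:uid:gid:home". Plaintext passwords
# and an in-script table are for this demonstration only; a real script
# would query a database and compare password hashes.
USERTABLE='alice:s3cret:1001:1001:/home/alice
bob:hunter2:1002:1002:/home/bob'

# lookup USER PASSWORD: print "uid gid home" and return 0 on a match,
# return 1 for an unknown user or a wrong password.
lookup() {
    while IFS=: read -r u p uid gid home; do
        if [ "$u" = "$1" ] && [ "$p" = "$2" ]; then
            printf '%s %s %s\n' "$uid" "$gid" "$home"
            return 0
        fi
    done <<EOF
$USERTABLE
EOF
    return 1
}

# checkpassword REPLY_PROGRAM: the entry point Dovecot's auth worker invokes.
checkpassword() {
    reply=$1
    # Read the NUL-separated credentials from fd 3; a missing fd is a
    # temporary (setup) failure, not a wrong password.
    creds=$(tr '\000' '\n' <&3) || exit 111
    user=$(printf '%s\n' "$creds" | sed -n 1p)
    pass=$(printf '%s\n' "$creds" | sed -n 2p)

    result=$(lookup "$user" "$pass") || exit 1
    IFS=' ' read -r uid gid home <<EOF
$result
EOF

    # Hand the result to the reply program as extra fields. The script keeps
    # running under the uid Dovecot started it with: no setuid() into the
    # local user, so that user owns no process in this exchange to ptrace.
    USER=$user HOME=$home userdb_uid=$uid userdb_gid=$gid
    EXTRA='userdb_uid userdb_gid'
    export USER HOME userdb_uid userdb_gid EXTRA
    unset pass creds   # never pass the password on to the reply program
    exec "$reply"
}

if [ $# -gt 0 ]; then
    checkpassword "$1"
fi
```

To try it outside Dovecot, give it a reply program as the first argument and the credentials on fd 3, for instance printf 'alice\000s3cret\000' > creds; sh checkpassword.sh env 3< creds, which prints the environment the reply program would receive (USER, HOME, EXTRA, userdb_uid, userdb_gid) instead of passing it to Dovecot. The ptrace problem the wiki describes arises only because a setuid()ing script runs part of the exchange as the local user; here no step runs as that user, which is also why Dovecot's v2.2.7+ refusal does not apply.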

Comment 2 Stefan Cornelius 2014-06-13 10:17:34 UTC
We don't support this. If somebody decides to use this functionality/script, it'll be their responsibility to implement this safely.

Statement:

Not vulnerable. This issue did not affect the versions of dovecot as shipped with Red Hat Enterprise Linux 5, 6 and 7.