Bug 1775177 (CVE-2019-18928)

Summary: CVE-2019-18928 cyrus-imapd: privilege escalation in HTTP request
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: code, j, mailinglists, pzhukov, vanmeeuwen+fedora, zdohnal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: cyrus-imap 2.5.14, cyrus-imap 3.0.12 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 02:23:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1775179, 1781641    
Bug Blocks: 1775178    

Description Dhananjay Arunesh 2019-11-21 14:26:34 UTC 
A vulnerability was found in Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.

Reference:
https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.14.html
https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.12.html
Comment 1 Dhananjay Arunesh 2019-11-21 14:27:14 UTC 
Created cyrus-imapd tracking bugs for this issue:

Affects: fedora-all [bug 1775179]
Comment 2 Stefan Cornelius 2019-11-22 11:09:20 UTC 
External References:

https://github.com/cyrusimap/cyrus-imapd/issues/2904
Comment 3 Stefan Cornelius 2019-12-10 10:54:54 UTC 
Statement:

If HTTP is enabled (e.g. RSS, CalDAV), cyrus-imapd does not properly authenticate a HTTP request coming through a connection that has been previously authenticated. Usually, this is not a problem, as each user will have their own connection and a breach of security boundaries would not be possible. An exception to this rule is if the cyrus-imapd HTTP service is behind a proxy, for example a reverse caching proxy, and said proxy reuses the same connection to cyrus-imapd for multiple requests.
Comment 4 Stefan Cornelius 2019-12-10 10:57:11 UTC 
Patch:
https://github.com/cyrusimap/cyrus-imapd/commit/602f12ed2af0a49ac4a58affbfea57d0fc23dea5
https://github.com/cyrusimap/cyrus-imapd/commit/6703ff881b6056e0c045a7b795ce8ba1bbb87027
Comment 6 Product Security DevOps Team 2020-11-04 02:23:29 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-18928
Comment 7 errata-xmlrpc 2020-11-04 02:42:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4655 https://access.redhat.com/errata/RHSA-2020:4655