Bug 1786756 (CVE-2019-19783)

Summary: CVE-2019-19783 cyrus-imapd: lmtpd component created mailboxes with administrator privileges if the "fileinto" was used, bypassing ACL checks
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: code, j, mailinglists, pzhukov, vanmeeuwen+fedora, zdohnal
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: cyrus-imapd 2.5.14, cyrus-imapd 3.0.12
Last Closed: 2020-11-04 02:23:56 UTC
Bug Depends On: 1786757, 1804047, 1804048
Bug Blocks: 1786758

Description Guilherme de Almeida Suckevicz 2019-12-27 17:46:41 UTC
An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c.

References:
https://seclists.org/bugtraq/2019/Dec/38
https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.html
https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.html

Comment 1 Guilherme de Almeida Suckevicz 2019-12-27 17:48:27 UTC
Created cyrus-imapd tracking bugs for this issue:

Affects: fedora-all [bug 1786757]

Comment 2 Huzaifa S. Sidhpurwala 2020-02-18 05:34:41 UTC
Analysis:

Sieve scripts allow creation of custom mailboxes when "fileinto" directives are used. If a user is not allowed to create a new mailbox but is allowed to upload a custom sieve script, then this flaw can be used to bypass this restriction, since admin privs are used when new mailbox creation is triggered via the fileinto directive.

lmtpd no longer creates these mailboxes as administrator, so users may no longer use a ‘fileinto’ directive to create a mailbox they couldn’t create otherwise.

Upstream patch: https://github.com/cyrusimap/cyrus-imapd/commit/673ebd96e2efbb8895d08648983377262f35b3f7

Comment 3 Huzaifa S. Sidhpurwala 2020-02-18 05:34:44 UTC
Mitigation:

This flaw can be mitigated by:
1. In cyrus-imapd >= 2.5 disable anysievefolder (it is disabled by default)
2. In cyrus-imapd >= 3.0 disable sieve_extensions
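
One way to check a host against the affected version ranges and the two mitigations above, as an added example that is not part of this bug report or of the Cyrus code. Reading "disable sieve_extensions" as removing fileinto from that option is an assumption, as are the function names and the constructed sample configurations.

```python
import re

TRUE_VALUES = {"yes", "on", "t", "true", "1"}  # imapd.conf spellings for "on"

def parse_version(s):
    """Turn '3.0.12' into (3, 0, 12), padding short versions with zeros."""
    nums = [int(n) for n in re.findall(r"\d+", s)]
    return tuple((nums + [0, 0, 0])[:3])

def is_affected(version):
    """Ranges from the CVE text: <2.5.15, 3.0.x <3.0.13, 3.1.x <=3.1.8."""
    v = parse_version(version)
    return v < (2, 5, 15) or (3, 0, 0) <= v < (3, 0, 13) or (3, 1, 0) <= v <= (3, 1, 8)

def parse_conf(text):
    """Collect every value of each 'option: value' line; # lines never match."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            opts.setdefault(m.group(1).lower(), []).append(m.group(2))
    return opts

def audit(conf_text, version):
    """List mitigation gaps for an affected build; empty list if none."""
    if not is_affected(version):
        return []
    opts, findings = parse_conf(conf_text), []
    if any(v.lower() in TRUE_VALUES for v in opts.get("anysievefolder", [])):
        findings.append("anysievefolder is enabled")
    if parse_version(version)[0] >= 3:
        # Assumption: an unset sieve_extensions leaves fileinto available.
        exts = opts.get("sieve_extensions")
        if exts is None or any("fileinto" in v.lower().split() for v in exts):
            findings.append("fileinto is available via sieve_extensions")
    return findings

# Constructed sample configurations, not taken from a real host.
SAMPLE_RISKY = """\
configdirectory: /var/lib/imap
anysievefolder: yes
sieve_extensions: fileinto reject vacation
"""
SAMPLE_MITIGATED = """\
# anysievefolder: yes
anysievefolder: 0
sieve_extensions: reject vacation
"""
```

Distribution packages may carry the fix as a backport under an older version string, so the version test applies to upstream release numbers.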

Comment 5 Product Security DevOps Team 2020-11-04 02:23:56 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19783

Comment 6 errata-xmlrpc 2020-11-04 02:42:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4655 https://access.redhat.com/errata/RHSA-2020:4655