Bug 1028589 - (CVE-2013-6171) CVE-2013-6171 dovecot: passdb checkpassword authentication local bypass
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20131103,reported=2...
Keywords: Security
Blocks: 1028590
Reported: 2013-11-08 15:04 EST by Kurt Seifried
Modified: 2014-06-13 06:17 EDT

Doc Type: Bug Fix
Last Closed: 2014-06-13 06:17:34 EDT
Description Kurt Seifried 2013-11-08 15:04:46 EST
Timo Sirainen reports:

Some usage of passdb checkpassword could have been exploitable by
local users. You may need to modify your setup to keep it working.
See http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security

From the dovecot wiki:

Security

The standard checkpassword design is incompatible with Dovecot's security model. If the system has local users and the checkpassword script setuid()s into a local user, the user is able to ptrace into the communication and change the authentication results. This is of course undesirable, so v2.2.7+ will just refuse to run in such environments by default. The possibilities to solve this are:

1. If possible, change the checkpassword to return userdb_uid and userdb_gid extra fields instead of using setuid() and setgid(). This also improves the performance.

2. If you can't change the script, you can make Dovecot's checkpassword-reply binary setuid or setgid (e.g. chgrp dovecot /usr/local/libexec/dovecot/checkpassword-reply; chmod g+s /usr/local/libexec/dovecot/checkpassword-reply)

3. If you don't have any untrusted local users and you just don't care about this check, you can set INSECURE_SETUID=1 environment e.g. with a wrapper checkpassword script.

External references:
http://www.dovecot.org/list/dovecot-news/2013-November/000264.html
http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729063
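The first fix the quoted wiki text recommends, shown as an added example (not Dovecot's own code, and not part of the bug report): a checkpassword script that never calls setuid()/setgid() itself but hands the uid and gid back to Dovecot as userdb_uid/userdb_gid extra fields, so there is no process running as the local user for that user to ptrace. It follows the checkpassword interface (credentials read from fd 3, checkpassword-reply passed as argv[1], exit 1 on bad credentials, 111 on temporary failure); the ACCOUNTS table, uids, gids and home directories are constructed sample data.

```python
#!/usr/bin/env python3
# Added example, not Dovecot's code: a checkpassword script that returns the
# target uid/gid as userdb_uid/userdb_gid extra fields instead of calling
# setuid()/setgid(); ACCOUNTS, uids, gids and homes are constructed sample data.
import hashlib, hmac, os, sys

ITERATIONS = 100_000  # PBKDF2 work factor for the constructed sample table

def _pbkdf2(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# user -> (salt, PBKDF2-SHA256 digest, uid, gid, home): constructed sample data
ACCOUNTS = {
    "alice": (b"salt-a", _pbkdf2(b"salt-a", "correct horse"), 5001, 5000, "/srv/mail/alice"),
}

def parse_checkpassword_input(data: bytes):
    """fd 3 carries NUL-separated fields in a 512-byte buffer, user first and
    password second; any later field (e.g. the timestamp slot) is ignored."""
    fields = data.split(b"\0")
    if len(fields) < 2:
        raise ValueError("malformed checkpassword input")
    return fields[0].decode(), fields[1].decode()

def verify(user: str, password: str) -> bool:
    rec = ACCOUNTS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(_pbkdf2(rec[0], password), rec[1])

def build_reply_env(user: str) -> dict:
    """Environment for checkpassword-reply: uid and gid are passed back as
    extra fields (listed in EXTRA), so this process never changes identity."""
    _, _, uid, gid, home = ACCOUNTS[user]
    return {"USER": user, "HOME": home, "userdb_uid": str(uid),
            "userdb_gid": str(gid), "EXTRA": "userdb_uid userdb_gid"}

def main() -> None:
    reply_binary = sys.argv[1]  # Dovecot passes checkpassword-reply as argv[1]
    try:
        with os.fdopen(3, "rb") as f:
            user, password = parse_checkpassword_input(f.read(512))
    except (OSError, ValueError):
        sys.exit(111)  # temporary failure, per the checkpassword interface
    if not verify(user, password):
        sys.exit(1)  # authentication failed
    os.execve(reply_binary, [reply_binary], dict(os.environ, **build_reply_env(user)))

if __name__ == "__main__":
    main()
```

Dovecot picks the userdb_* fields up through its prefetch userdb, so the script must be the configured passdb and the userdb set to prefetch for the returned uid/gid to take effect.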
Comment 2 Stefan Cornelius 2014-06-13 06:17:34 EDT
We don't support this. If somebody decides to use this functionality/script, it'll be their responsibility to implement this safely.

Statement:

Not vulnerable. This issue did not affect the versions of dovecot as shipped with Red Hat Enterprise Linux 5, 6 and 7.
