A SQL injection attack has been discovered in the SQL plugin shipped with Cyrus SASL 2.1.17 through 2.1.27 (before 2.1.28). Due to failure to properly escape SQL input, an attacker can execute arbitrary SQL commands. This can allow, among other things, the ability to change the passwords of other accounts, allowing escalation of privileges. The issue is in sql_auxprop_store, plugins/sql.c, and in particular the 5th parameter of sql_create_statement for the insert/update SQL command. Currently it takes the value of the property as is, without quoting. If one uses a password containing a closing ' and continues with valid SQL syntax, then exploitation is possible.
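Added illustration of the mitigation, not code from cyrus-sasl and not the 2.1.28 patch: the stored value is escaped before being spliced into the UPDATE statement (generic single-quote doubling here; a real plugin should call the database driver's own escape routine), and a small literal counter lets a test confirm that an escaped value stays confined to one quoted literal. Table name, column name and sample values are assumed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape a value for a single-quoted SQL literal by doubling each single
 * quote (standard SQL). Returns a malloc'd string the caller must free. */
char *sql_escape_value(const char *value) {
    size_t n = strlen(value), extra = 0;
    for (size_t i = 0; i < n; i++)
        if (value[i] == '\'') extra++;
    char *out = malloc(n + extra + 1), *p = out;
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        if (value[i] == '\'') *p++ = '\'';   /* ' becomes '' */
        *p++ = value[i];
    }
    *p = '\0';
    return out;
}

/* Build the UPDATE statement with each user-supplied value escaped before it
 * is spliced in. Table and column names are assumed to be trusted config. */
char *build_update_safe(const char *table, const char *column,
                        const char *value, const char *user) {
    char *ev = sql_escape_value(value), *eu = sql_escape_value(user), *stmt = NULL;
    if (ev && eu) {
        size_t len = strlen(table) + strlen(column) + strlen(ev) + strlen(eu) + 48;
        if ((stmt = malloc(len)))
            snprintf(stmt, len, "UPDATE %s SET %s = '%s' WHERE username = '%s';",
                     table, column, ev, eu);
    }
    free(ev); free(eu);
    return stmt;
}

/* Count the string literals a SQL parser would see, treating '' inside a
 * literal as an escaped quote. Returns -1 if a literal is left unterminated.
 * A statement built above must always yield exactly two literals. */
int sql_count_literals(const char *stmt) {
    int count = 0, in_literal = 0;
    for (const char *p = stmt; *p; p++) {
        if (*p != '\'') continue;
        if (!in_literal) { in_literal = 1; count++; }
        else if (p[1] == '\'') p++;          /* escaped quote: stay inside */
        else in_literal = 0;
    }
    return in_literal ? -1 : count;
}
```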
Marian, I think it is important to state that an "authenticated remote attacker" is needed, as this flaw occurs only on password change and I believe you need to be authenticated to perform it.
Ref:
https://github.com/cyrusimap/cyrus-sasl/releases/tag/cyrus-sasl-2.1.28
https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28
Created cyrus-sasl tracking bugs for this issue: Affects: fedora-all [bug 2057334]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0658 https://access.redhat.com/errata/RHSA-2022:0658
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0668 https://access.redhat.com/errata/RHSA-2022:0668
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:0666 https://access.redhat.com/errata/RHSA-2022:0666
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:0730 https://access.redhat.com/errata/RHSA-2022:0730
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0731 https://access.redhat.com/errata/RHSA-2022:0731
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Extended Lifecycle Support Via RHSA-2022:0780 https://access.redhat.com/errata/RHSA-2022:0780
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2022:0841 https://access.redhat.com/errata/RHSA-2022:0841
This issue has been addressed in the following products: RHINT Camel-K 1.6.4 Via RHSA-2022:1029 https://access.redhat.com/errata/RHSA-2022:1029
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2022:1263 https://access.redhat.com/errata/RHSA-2022:1263
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-24407