Bug 436928 - (CVE-2008-1218) CVE-2008-1218 dovecot: unauthorized login
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: source=osssecurity,reported=20080309,...
Keywords: Security
Reported: 2008-03-11 03:55 EDT by Tomas Hoger
Modified: 2008-03-13 03:49 EDT (History)

Doc Type: Bug Fix
Last Closed: 2008-03-12 13:27:23 EDT
Description Tomas Hoger 2008-03-11 03:55:29 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1218 to the following vulnerability:

Argument injection vulnerability in Dovecot 1.0.x before 1.0.13, and
1.1.x before 1.1.rc3, when using blocking passdbs, allows remote
attackers to bypass the password check via a password containing TAB
characters, which are treated as argument delimiters that enable the
skip_password_check field to be specified.

References:

http://www.dovecot.org/list/dovecot-news/2008-March/000065.html
http://www.dovecot.org/list/dovecot-news/2008-March/000064.html
Comment 1 Tomas Hoger 2008-03-11 04:03:05 EDT
Minimal fix for 1.0 branch:

http://hg.dovecot.org/dovecot-1.0/raw-rev/da2a9372e26e
Comment 3 Tomas Hoger 2008-03-12 06:21:42 EDT
This issue does not affect the dovecot version as shipped in Red Hat Enterprise
Linux 4 (it is a pre-1.0 version).  This issue cannot be used to get a
password-less login on the dovecot package as shipped in Red Hat Enterprise Linux 5
and Fedora, as that was possible using the skip_password_check option used by the
internal dovecot inter-process communication protocol, which was only introduced
in version 1.0.11.
Comment 4 Tomas Hoger 2008-03-12 11:39:58 EDT
As mentioned in comment #3, it was not possible to take advantage of this flaw
to get a password-less login with Dovecot shipped in Red Hat Enterprise Linux 5,
due to the skip_password_check option not being supported as a valid internal
communication protocol issue, as is also noted in the upstream announcement.

This issue affects communication between dovecot-auth process and dedicated
dovecot-auth worker process.

The request in which a <tab> in the password may cause problems is created by
passdb_blocking_verify_plain() in auth/passdb-blocking.c, calling
auth_request_export() to write the request options.

On the other side, the worker process parses such a request using the
auth_request_import() function.  Only options recognized by
auth_request_import(), but not added by auth_request_export(), can be injected.
There is only one such option - cert_username - which can only override the
user-supplied user name.

For other options, any value injected by an attacker is overridden in
auth_request_import() by the value supplied by Dovecot (listed in the request after
the attacker-provided value).  An attacker can possibly cause a minor memory leak in
the dovecot-auth worker process.  Those worker processes are created and destroyed
(even after some period of inactivity) by the master Dovecot process as needed.
Even if one runs out of memory and crashes, it will be replaced by a new process
when needed.
Comment 5 Tomas Hoger 2008-03-12 13:27:23 EDT
Based on the analysis described in comment #4, we do plan to issue updates
addressing this issue in dovecot packages shipped in Red Hat Enterprise Linux.
Comment 6 Fedora Update System 2008-03-13 03:47:27 EDT
dovecot-1.0.13-6.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2008-03-13 03:49:37 EDT
dovecot-1.0.13-18.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
