We are sorry to report that we have a bug in dovecot, which merits a CVE. See details below. If you haven't configured any auth_policy_* settings you are ok. This is fixed with git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae and git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc

Important vulnerability in Dovecot (CVE-2016-8562)
CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)
Affected version(s): 2.2.25.1 up to 2.2.26.1
Fixed in: 2.2.27.1rc1

Short summary: Dovecot auth component can be crashed by remote user when auth-policy component is activated.

If auth-policy component has been activated in Dovecot, then remote user can use SASL authentication to crash auth component.

Workaround is to disable auth-policy component until fix is in place. This can be done by commenting out all auth_policy_* settings.

Aki Tuomi
Dovecot Oy
On Friday, 2 December 2016 09:00:58 CET Aki Tuomi wrote:
> We are sorry to report that we have a bug in dovecot, which merits a
> CVE. See details below. If you haven't configured any auth_policy_*
> settings you are ok. This is fixed with
> git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae
> and
> git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
>
> Important vulnerability in Dovecot (CVE-2016-8562)

Are you sure about the CVE number? According to Debian [1] and mitre [2], it's for SIEMENS something, not Dovecot.

best regards,
Jonas Wielicki

[1]: security-tracker.debian.org/tracker/CVE-2016-8562
[2]: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8562
On 02.12.2016 10:45, Jonas Wielicki wrote:
> On Friday, 2 December 2016 09:00:58 CET Aki Tuomi wrote:
>> We are sorry to report that we have a bug in dovecot, which merits a
>> CVE. See details below. If you haven't configured any auth_policy_*
>> settings you are ok. This is fixed with
>> git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae
>> and
>> git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
>>
>> Important vulnerability in Dovecot (CVE-2016-8562)
> Are you sure about the CVE number? According to Debian [1] and mitre [2], it's
> for SIEMENS something, not Dovecot.
>
> best regards,
> Jonas Wielicki
>
> [1]: security-tracker.debian.org/tracker/CVE-2016-8562
> [2]: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8562

Oops, sent wrong number, correct is CVE-2016-8652.

Aki
On 02.12.2016 at 08:00 Aki Tuomi wrote:
> Workaround is to disable auth-policy component until fix is in place.
> This can be done by commenting out all auth_policy_* settings.

Hello,

could you be more verbose on how to verify if administrators are affected?

  # doveconf -n | grep auth_policy_ | wc -l
  0

but there /are/ default settings:

  # doveconf -d | grep auth_policy_
  auth_policy_hash_mech = sha256
  auth_policy_hash_nonce =
  auth_policy_hash_truncate = 12
  auth_policy_reject_on_fail = no
  auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}
  auth_policy_server_api_header =
  auth_policy_server_timeout_msecs = 2000
  auth_policy_server_url =

Is such setup vulnerable?

Thanks for clarification,
Andreas
> On December 2, 2016 at 7:50 PM "A. Schulze" <sca at andreasschulze.de> wrote:
>
>
> On 02.12.2016 at 08:00 Aki Tuomi wrote:
> > Workaround is to disable auth-policy component until fix is in place.
> > This can be done by commenting out all auth_policy_* settings.
>
> Hello,
>
> could you be more verbose on how to verify if administrators are affected?
>
> # doveconf -n | grep auth_policy_ | wc -l
> 0
>
> but there /are/ default settings:
> # doveconf -d | grep auth_policy_
> auth_policy_hash_mech = sha256
> auth_policy_hash_nonce =
> auth_policy_hash_truncate = 12
> auth_policy_reject_on_fail = no
> auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}
> auth_policy_server_api_header =
> auth_policy_server_timeout_msecs = 2000
> auth_policy_server_url =
>
> Is such setup vulnerable?
>
> Thanks for clarification,
> Andreas

Your setup is not vulnerable; the critical values are auth_policy_server_url and auth_policy_hash_nonce. Those are unset in your config.

Aki
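A scripted form of the check Aki describes, added here as an example that is not part of the thread and not Dovecot's own tooling: it reads `doveconf`-style `key = value` lines and reports the auth-policy component as active only when auth_policy_server_url or auth_policy_hash_nonce carries a non-empty value, so the empty defaults from `doveconf -d` do not count. The two sample configurations are constructed for the example (the policy URL and nonce are placeholders), so it runs without a Dovecot installation.

```shell
#!/bin/sh
# Added example, not from the thread or the Dovecot project: decide from
# `doveconf -n` style output whether the auth-policy component is active.
# Per Aki's reply, the critical settings are auth_policy_server_url and
# auth_policy_hash_nonce; the other auth_policy_* defaults alone do nothing.

# auth_policy_active: reads "key = value" lines on stdin and returns 0 if
# auth_policy_server_url or auth_policy_hash_nonce has a non-empty value,
# 1 otherwise. Indented lines (settings inside a section) are handled too.
auth_policy_active() {
    awk '
        /^[ \t]*auth_policy_(server_url|hash_nonce)[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")   # strip "key =" and keep the value only
            if ($0 != "") active = 1
        }
        END { exit active ? 0 : 1 }
    '
}

# verdict: prints a one-line result for the config text given as $1.
# Always returns 0 so it can be called from top level under "set -e".
verdict() {
    if printf '%s\n' "$1" | auth_policy_active; then
        echo "auth-policy ACTIVE: upgrade, or comment out the auth_policy_* settings (workaround)"
    else
        echo "auth-policy not active: this configuration is not affected"
    fi
}

# Constructed sample 1: the defaults Andreas pasted from `doveconf -d`
# (URL and nonce empty), i.e. the component is not enabled.
SAMPLE_DEFAULTS='auth_policy_hash_mech = sha256
auth_policy_hash_nonce =
auth_policy_hash_truncate = 12
auth_policy_reject_on_fail = no
auth_policy_server_api_header =
auth_policy_server_timeout_msecs = 2000
auth_policy_server_url ='

# Constructed sample 2: a configuration that enables the component.
# The URL and nonce are placeholders, not real values.
SAMPLE_ENABLED='auth_policy_server_url = http://policy.example.invalid:4001/
auth_policy_hash_nonce = PLACEHOLDER-NONCE'

verdict "$SAMPLE_DEFAULTS"
verdict "$SAMPLE_ENABLED"
# On a real host:  doveconf -n | auth_policy_active && echo "auth-policy active"
```

Feed it `doveconf -n` (the effective configuration) rather than `doveconf -d`: the latter lists every auth_policy_* key with its default, which is why a plain `grep auth_policy_` looks alarming even on an unaffected host, while the value-aware check above gives the same answer for both outputs.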
* Aki Tuomi wrote on 02.12.16 at 08:00:

Hi Aki,

> We are sorry to report that we have a bug in dovecot, which merits a
> CVE. See details below. If you haven't configured any auth_policy_*
> settings you are ok. This is fixed with
> git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae
> and
> git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
>
> Important vulnerability in Dovecot (CVE-2016-8562)
> CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)
> Affected version(s): 2.2.25.1 up to 2.2.26.1
> Fixed in: 2.2.27.1rc1

I think either it should read "up to 2.2.27"
or
"Fixed in: 2.2.27"

Or how about version 2.2.27? (without .1)

TIA
-Marc

--
[*] sys4 AG
sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
On 05.12.2016 09:53, Marc Schiffbauer wrote:
> * Aki Tuomi wrote on 02.12.16 at 08:00:
>
> Hi Aki,
>
>> We are sorry to report that we have a bug in dovecot, which merits a
>> CVE. See details below. If you haven't configured any auth_policy_*
>> settings you are ok. This is fixed with
>> git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae
>> and
>> git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
>>
>> Important vulnerability in Dovecot (CVE-2016-8562)
>> CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)
>> Affected version(s): 2.2.25.1 up to 2.2.26.1
>> Fixed in: 2.2.27.1rc1
> I think either it should read "up to 2.2.27"
> or
> "Fixed in: 2.2.27"
>
> Or how about version 2.2.27? (without .1)
>
> TIA
> -Marc
>

I guess so, we'll take note of this.

Aki