Serveria Support
2022-Oct-11 14:22 UTC
Dovecot mail-crypt webmail can't read encrypted messages
Bingo! Great to see some like-minded person here John! Yeah, it's such an obvious vulnerability, I'm kinda surprised most people here don't see an issue with that. If I were a Dovecot Pro OX customer, I'd be very concerned with this "feature". Imagine hacking Protonmail's server, getting root access and seeing customers' passwords there in clear text? )))

On 2022-10-11 17:38, John Tulp wrote:
> I find this conversation "interesting".
>
> Serveria, I think some can't see the attack scenario where the attacker's goal is simply to get email passwords, and nothing else. It would make sense for their strategy to do nothing else "bad" on the server to attract attention to their intrusion. In that case, all they would do is send back the treasure trove of passwords to their home server(s), and sit there, remaining possibly for years, hiding, exploiting the fact that dovecot, with no code modification, will allow them to grab email passwords. If a dovecot server has thousands of email accounts, that represents thousands of other devices they could target, which is worth much more to the attacker than a single dovecot server.
>
> Oh well, food for thought.
>
> On Tue, 2022-10-11 at 15:11 +0300, Serveria Support wrote:
>> Yes, I realize that. But I can't think of a reason this password is necessary in the logs. It's kind of a backdoor and has to be removed from code. Why make the intruder's life easier?
>>
>> On 2022-10-11 13:39, Arjen de Korte wrote:
>>> Quoting Serveria Support <support at serveria.com>:
>>>
>>>> Yes, there is a tiny problem letting the attacker change this value back to yes and instantly get access to users' passwords in plain text. Apart from that - no problems at all. :)
>>>
>>> If an attacker is able to modify your Dovecot configuration, you have bigger problems than leaking your users' passwords. Much bigger...
I find this conversation "interesting".

Serveria, I think some can't see the attack scenario where the attacker's goal is simply to get email passwords, and nothing else. It would make sense for their strategy to do nothing else "bad" on the server to attract attention to their intrusion. In that case, all they would do is send back the treasure trove of passwords to their home server(s), and sit there, remaining possibly for years, hiding, exploiting the fact that dovecot, with no code modification, will allow them to grab email passwords. If a dovecot server has thousands of email accounts, that represents thousands of other devices they could target, which is worth much more to the attacker than a single dovecot server.

Oh well, food for thought.

On Tue, 2022-10-11 at 15:11 +0300, Serveria Support wrote:
> Yes, I realize that. But I can't think of a reason this password is necessary in the logs. It's kind of a backdoor and has to be removed from code. Why make the intruder's life easier?
>
> On 2022-10-11 13:39, Arjen de Korte wrote:
>> Quoting Serveria Support <support at serveria.com>:
>>
>>> Yes, there is a tiny problem letting the attacker change this value back to yes and instantly get access to users' passwords in plain text. Apart from that - no problems at all. :)
>>
>> If an attacker is able to modify your Dovecot configuration, you have bigger problems than leaking your users' passwords. Much bigger...
Odhiambo Washington
2022-Oct-11 14:58 UTC
Dovecot mail-crypt webmail can't read encrypted messages
@Tulp - the attacker has to 0wn your server first. In which case they will have found a password to SSH in - regardless of dovecot being there or not. You will be dealing with a bigger problem than dovecot.

On Tue, Oct 11, 2022 at 5:39 PM John Tulp <johntulp at tulpholdings.com> wrote:
> I find this conversation "interesting".
>
> Serveria, I think some can't see the attack scenario where the attacker's goal is simply to get email passwords, and nothing else. It would make sense for their strategy to do nothing else "bad" on the server to attract attention to their intrusion. In that case, all they would do is send back the treasure trove of passwords to their home server(s), and sit there, remaining possibly for years, hiding, exploiting the fact that dovecot, with no code modification, will allow them to grab email passwords. If a dovecot server has thousands of email accounts, that represents thousands of other devices they could target, which is worth much more to the attacker than a single dovecot server.
>
> Oh well, food for thought.
>
> On Tue, 2022-10-11 at 15:11 +0300, Serveria Support wrote:
>> Yes, I realize that. But I can't think of a reason this password is necessary in the logs. It's kind of a backdoor and has to be removed from code. Why make the intruder's life easier?
>>
>> On 2022-10-11 13:39, Arjen de Korte wrote:
>>> Quoting Serveria Support <support at serveria.com>:
>>>
>>>> Yes, there is a tiny problem letting the attacker change this value back to yes and instantly get access to users' passwords in plain text. Apart from that - no problems at all. :)
>>>
>>> If an attacker is able to modify your Dovecot configuration, you have bigger problems than leaking your users' passwords. Much bigger...

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
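The thread never names the setting that makes Dovecot log passwords, so this added example (not from the thread or the Dovecot project) assumes it is `auth_debug_passwords`, and also flags `auth_verbose_passwords`; it audits a constructed dovecot.conf fragment in the same key/value/block syntax that `doveconf -n` prints, which is the check a defender would schedule to catch the "flip it back to yes" scenario the posters describe.

```python
"""Audit Dovecot configuration text for settings that expose plaintext
credentials in logs. Added example, not code from the mailing-list thread
or from Dovecot itself. Assumption: the setting argued about in the thread
is auth_debug_passwords; auth_verbose_passwords is checked as a related knob."""

# Constructed sample: the risky setting is enabled inside a protocol block,
# where a quick glance at the top of the file would miss it.
SAMPLE_CONF = """\
auth_mechanisms = plain login
auth_verbose = yes
# auth_debug_passwords = no
protocol imap {
  auth_debug_passwords = yes
}
auth_verbose_passwords = sha1
"""

# Predicates: which values of which keys put credential material into the log.
RISKY = {
    "auth_debug_passwords": lambda v: v == "yes",
    "auth_verbose_passwords": lambda v: v not in ("no", ""),
}


def parse_settings(text):
    """Return [(key, value, block_path)] for every 'key = value' line.
    Tracks nested { } blocks and drops comments; !include lines are not followed."""
    findings, path = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())      # enter e.g. "protocol imap"
        elif line == "}":
            path.pop()                           # leave the current block
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            findings.append((key, value, "/".join(path)))
    return findings


def audit_config(text):
    """Return the (key, value, block) triples whose value leaks credentials."""
    return [(k, v, b) for k, v, b in parse_settings(text)
            if k in RISKY and RISKY[k](v)]


if __name__ == "__main__":
    for key, value, block in audit_config(SAMPLE_CONF):
        print(f"RISK: {key} = {value} (block: {block or 'global'})")
```

On a live host, feed the output of `doveconf -n` to `audit_config` so the effective configuration is checked rather than one file; a non-empty result is an alert condition, not a style warning.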