Re: CVE-2016-8562 in dovecot

2016-12-05 Thread Aki Tuomi


On 05.12.2016 09:53, Marc Schiffbauer wrote:
> * Aki Tuomi wrote on 02.12.16 at 08:00:
>
> Hi Aki,
>
>> We are sorry to report that we have a bug in dovecot, which merits a
>> CVE. See details below. If you haven't configured any auth_policy_*
>> settings you are ok. This is fixed with
>> https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae
>> and
>> https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
>>
>> Important vulnerability in Dovecot (CVE-2016-8562)
>> CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)
>> Affected version(s): 2.2.25.1 up to 2.2.26.1
>> Fixed in: 2.2.27.1rc1
> I think either it should read "up to 2.2.27"
> or
> "Fixed in: 2.2.27"
>
> Or how about version 2.2.27? (without .1)
>
> TIA
> -Marc
>

I guess so, we'll take note of this.

Aki


Re: CVE-2016-8562 in dovecot

2016-12-04 Thread Marc Schiffbauer
* Aki Tuomi wrote on 02.12.16 at 08:00:

Hi Aki,

> We are sorry to report that we have a bug in dovecot, which merits a
> CVE. See details below. If you haven't configured any auth_policy_*
> settings you are ok. This is fixed with
> https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae
> and
> https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
> 
> Important vulnerability in Dovecot (CVE-2016-8562)
> CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)
> Affected version(s): 2.2.25.1 up to 2.2.26.1
> Fixed in: 2.2.27.1rc1

I think either it should read "up to 2.2.27"
or
"Fixed in: 2.2.27"

Or how about version 2.2.27? (without .1)

TIA
-Marc

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein


Re: CVE-2016-8562 in dovecot

2016-12-02 Thread Aki Tuomi

> On December 2, 2016 at 7:50 PM "A. Schulze"  wrote:
>
> On 02.12.2016 at 08:00, Aki Tuomi wrote:
> > Workaround is to disable auth-policy component until fix is in place.
> > This can be done by commenting out all auth_policy_* settings.
> 
> Hello,
> 
> could you be more verbose on how to verify if administrators are affected?
> 
> # doveconf -n | grep auth_policy_ | wc -l
> 0
> 
> but there /are/ default settings:
> # doveconf -d | grep auth_policy_
> auth_policy_hash_mech = sha256
> auth_policy_hash_nonce = 
> auth_policy_hash_truncate = 12
> auth_policy_reject_on_fail = no
> auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}
> auth_policy_server_api_header = 
> auth_policy_server_timeout_msecs = 2000
> auth_policy_server_url = 
> 
> Is such setup vulnerable?
> 
> Thanks for clarification,
> Andreas

Your setup is not vulnerable; the critical values are auth_policy_server_url
and auth_policy_hash_nonce. Those are unset in your config.

Aki
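Andreas's question and Aki's answer above, turned into a script. This is an added example written for this page, not code from the thread or from Dovecot itself. It assumes only what the thread states: the affected range 2.2.25.1 up to 2.2.26.1 from the advisory, and that auth_policy_server_url and auth_policy_hash_nonce are the settings that decide whether the auth-policy component is in use. The `doveconf -n` outputs below are constructed samples, and the URL and nonce values in them are invented.

```shell
#!/bin/sh
# Added example, not part of this thread or of Dovecot. It applies the two
# facts stated in the thread: affected versions are 2.2.25.1 up to 2.2.26.1,
# and auth-policy only matters when auth_policy_server_url or
# auth_policy_hash_nonce actually carries a value. `doveconf -n` prints the
# non-default settings; `doveconf -d` prints defaults and proves nothing.

# auth_policy_active CONFIG_TEXT
# CONFIG_TEXT is the output of `doveconf -n`. Returns 0 when one of the two
# critical settings has a non-empty value, 1 otherwise. Commented-out lines
# (the workaround from the advisory) are ignored.
auth_policy_active() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*auth_policy_(server_url|hash_nonce)[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")   # keep only the value
            sub(/[[:space:]]+$/, "")         # drop trailing blanks
            if ($0 != "") active = 1
        }
        END { exit active ? 0 : 1 }'
}

# version_affected VERSION
# Returns 0 when VERSION lies inside 2.2.25.1 .. 2.2.26.1 (inclusive). A
# missing component counts as 0 (2.2.26 is 2.2.26.0); a trailing suffix such
# as "rc1" is dropped from the numeric component it is attached to.
version_affected() {
    printf '%s\n' "$1" | awk -F'[.]' '{
        for (i = 1; i <= 4; i++) {
            v = $i
            sub(/[^0-9].*/, "", v)
            n[i] = (v == "" ? 0 : v) + 0
        }
        key = n[1] * 1000000 + n[2] * 10000 + n[3] * 100 + n[4]
        lo  = 2 * 1000000 + 2 * 10000 + 25 * 100 + 1   # 2.2.25.1
        hi  = 2 * 1000000 + 2 * 10000 + 26 * 100 + 1   # 2.2.26.1
        exit (key >= lo && key <= hi) ? 0 : 1
    }'
}

# assess VERSION CONFIG_TEXT
# Prints one verdict line starting with "vulnerable" or "not affected".
assess() {
    if ! version_affected "$1"; then
        echo "not affected: version $1 is outside 2.2.25.1 .. 2.2.26.1"
    elif auth_policy_active "$2"; then
        echo "vulnerable: version $1 with auth-policy configured; comment out all auth_policy_* settings or upgrade"
    else
        echo "not affected: auth_policy_server_url and auth_policy_hash_nonce are unset"
    fi
}

# Constructed sample `doveconf -n` outputs (URL and nonce values are invented).
SAMPLE_WITH_POLICY='# 2.2.26: /etc/dovecot/dovecot.conf
auth_policy_hash_nonce = constructed-nonce-value
auth_policy_server_url = http://policy.example.internal:4001/
mail_location = maildir:~/Maildir'

SAMPLE_WORKAROUND='# 2.2.26: /etc/dovecot/dovecot.conf
#auth_policy_hash_nonce = constructed-nonce-value
#auth_policy_server_url = http://policy.example.internal:4001/
mail_location = maildir:~/Maildir'

SAMPLE_NO_POLICY='# 2.2.26: /etc/dovecot/dovecot.conf
mail_location = maildir:~/Maildir'

# Demonstration on the constructed samples.
assess 2.2.26 "$SAMPLE_WITH_POLICY"
assess 2.2.26 "$SAMPLE_WORKAROUND"
assess 2.2.26 "$SAMPLE_NO_POLICY"
assess 2.2.27 "$SAMPLE_WITH_POLICY"
```

On a live host the same two checks run as `assess "$(dovecot --version | cut -d' ' -f1)" "$(doveconf -n)"`. The script deliberately reads `doveconf -n` rather than `doveconf -d`: as Aki's reply says, the defaults listed by `-d` tell you nothing about whether the component is configured, and the workaround of commenting out the auth_policy_* lines shows up in `-n` as those settings disappearing.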


Re: CVE-2016-8562 in dovecot

2016-12-02 Thread A. Schulze


On 02.12.2016 at 08:00, Aki Tuomi wrote:
> Workaround is to disable auth-policy component until fix is in place.
> This can be done by commenting out all auth_policy_* settings.

Hello,

could you be more verbose on how to verify if administrators are affected?

# doveconf -n | grep auth_policy_ | wc -l
0

but there /are/ default settings:
# doveconf -d | grep auth_policy_
auth_policy_hash_mech = sha256
auth_policy_hash_nonce = 
auth_policy_hash_truncate = 12
auth_policy_reject_on_fail = no
auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}
auth_policy_server_api_header = 
auth_policy_server_timeout_msecs = 2000
auth_policy_server_url = 

Is such setup vulnerable?

Thanks for clarification,
Andreas


Re: CVE-2016-8562 in dovecot

2016-12-02 Thread Jonas Wielicki
On Friday, 2 December 2016 09:00:58 CET Aki Tuomi wrote:
> We are sorry to report that we have a bug in dovecot, which merits a
> CVE. See details below. If you haven't configured any auth_policy_*
> settings you are ok. This is fixed with
> https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae
> and
> https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
> 
> Important vulnerability in Dovecot (CVE-2016-8562)

Are you sure about the CVE number? According to Debian [1] and mitre [2], it’s 
for SIEMENS something, not Dovecot.

best regards,
Jonas Wielicki

   [1]: https://security-tracker.debian.org/tracker/CVE-2016-8562
   [2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8562



CVE-2016-8562 in dovecot

2016-12-01 Thread Aki Tuomi
We are sorry to report that we have a bug in dovecot, which merits a
CVE. See details below. If you haven't configured any auth_policy_*
settings you are ok. This is fixed with
https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae
and
https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc

Important vulnerability in Dovecot (CVE-2016-8562)
CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)
Affected version(s): 2.2.25.1 up to 2.2.26.1
Fixed in: 2.2.27.1rc1

Short summary: Dovecot auth component can be crashed by remote user when
auth-policy component is activated.

If auth-policy component has been activated in Dovecot, then remote user
can use SASL authentication to crash auth component.

Workaround is to disable auth-policy component until fix is in place.
This can be done by commenting out all auth_policy_* settings.

Aki Tuomi
Dovecot oy