Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux Pro for Mac OS X Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repository (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 18 Nov 2011 09:35:32 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>,
        Timo Sirainen <tss@....fi>
Subject: Re: CVE Request -- Dovecot -- Validate certificate's
 CN against requested remote server hostname when proxying

On 11/18/2011 06:37 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
>   a security flaw was found in the way Dovecot, an IMAP and POP3 email
> server, performed remote server identity verification (x509
> certificate's Common Name field was not checked to match provided
> remote server host name), when Dovecot was configured to proxy IMAP and
> POP3 connections to remote hosts and TLS/SSL protocols were requested
> (ssl=yes or starttls=yes) in the configuration to secure these
> connections to the destination server. A remote attacker could use
> this flaw to conduct man-in-the-middle (MITM) attacks via specially-
> crafted x509v3 certificate.
>
> References:
> [1] http://www.dovecot.org/list/dovecot-news/2011-November/000200.html
> [2] https://secunia.com/advisories/46886/
> [3] https://bugs.gentoo.org/show_bug.cgi?id=390887
> [4] http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy
>
> Relevant upstream patch:
> [5] http://hg.dovecot.org/dovecot-2.0/rev/5e9eaf63a6b1
>
> Could you allocate a CVE id for this?
>
> Note: This isn't a 'direct security flaw', in the sense it would be
> discovered / reported at some time point. This behaviour (do not check
> x509v3 cert CN against remote server hostname), when TLS/SSL protocols
> are configured, and the danger of MITM is already described
> on relevant Dovecot's page:
> http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy
>
> thus one could say, for those administrators, who are aware of [4]
> page and configured Dovecot in safe way there is no trust boundary
> crossing and this upstream change is just security hardening.
>
> But on the other hand, this change is important enough, to be
> backported to all affected versions, (regardless to the fact if
> particular administrator has or hasn't read [4]). Thus I would vote
> for a CVE identifier to be assigned to this issue. But opened for
> discussion if someone else (MITRE?) thinks this should be dealt
> with rather as with security hardening, than with a real security
> flaw.
>
> Thank you && Regards, Jan.
> -- 
> Jan iankko Lieskovsky / Red Hat Security Response Team

Please use CVE-2011-4318  for this issue.

-- 

-Kurt Seifried / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ