
Security alert: disable CRAM-MD5 if you don't use it
Hi all,

It was brought to my attention that dbmail currently authenticates any
user with any password if the client issues a CRAM-MD5 authentication
exchange, while the user - which does need to exist - has its password
stored in an encrypted format.

This affects all versions supporting cram-md5, so 3.0.0 and later.

Installations using authldap are *not* affected.

You should disable CRAM-MD5 in dbmail.conf if you store passwords encrypted.

A patch was already pushed to git both on dbmail.eu and github.

I'll release a patched version asap.

--
________________________________________________________________
Paul J Stevens pjstevns @ gmail, twitter, skype, linkedin
www.nfg.nl/info@nfg.nl/+31.85.877.99.97
_______________________________________________
DBmail mailing list
DBmail@dbmail.org
http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail
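As an added example (not dbmail's code), this is what a fail-closed server-side CRAM-MD5 (RFC 2195) check looks like: CRAM-MD5 can only be verified against the plaintext secret, so a stored hash must lead to a rejected login, never to "accept anything" as described above. The user store, the "{SHA256}" prefix scheme and the host name are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed credential store (not dbmail's schema): a user's password is
# either plaintext or stored hashed, here marked with a constructed "{SHA256}"
# prefix to stand in for "encrypted" storage.
USERS = {
    "alice": "s3cret-plain",
    "bob": "{SHA256}" + hashlib.sha256(b"bob-pass").hexdigest(),
}


def make_challenge(host="mail.example.invalid"):
    """RFC 2195 challenge: '<random.timestamp@host>' as bytes."""
    nonce = base64.b16encode(os.urandom(8)).decode()
    return f"<{nonce}.{int(time.time())}@{host}>".encode()


def expected_digest(secret: bytes, challenge: bytes) -> str:
    """HMAC-MD5 over the challenge keyed with the plaintext password."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()


def client_response(user: str, password: str, challenge: bytes) -> bytes:
    """What a CRAM-MD5 client sends back: 'user hexdigest'."""
    return f"{user} {expected_digest(password.encode(), challenge)}".encode()


def verify_cram_md5(response: bytes, challenge: bytes) -> bool:
    """Return True only for a valid digest computed from a plaintext secret."""
    try:
        user, digest = response.decode().split(" ", 1)
    except ValueError:
        return False  # malformed response
    stored = USERS.get(user)
    if stored is None:
        return False  # unknown user
    # Fail closed: a hashed credential cannot be used to recompute the HMAC,
    # so the only safe answer is "authentication failed".
    if stored.startswith("{"):
        return False
    return hmac.compare_digest(expected_digest(stored.encode(), challenge), digest)
```

Disabling the mechanism in the server configuration is the right fix for hashed stores; the check above is the behaviour the server must have when the mechanism is still reachable.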
Re: Security alert: disable CRAM-MD5 if you don't use it
On 19-12-14 22:55, Paul J Stevens wrote:
> You should disable CRAM-MD5 in dbmail.conf if you store password encrypted.
ehh.. how? by setting 'capability'?

Re: Security alert: disable CRAM-MD5 if you don't use it
> On 19-12-14 22:55, Paul J Stevens wrote:
> > You should disable CRAM-MD5 in dbmail.conf if you store password encrypted.
> ehh.. how? by setting 'capability'?

Hi Casper,

Yes, overwrite capability with the string you get after login, and remote
CRAM-MD5.

Re: Security alert: disable CRAM-MD5 if you don't use it
> Yes, overwrite capability with the string you get after login, and
> remote CRAM-MD5.

Remote = remove :)

Re: Security alert: disable CRAM-MD5 if you don't use it
I imagined the capability string was only the advertised capabilities,
so I checked the source. Nowhere in the dbmail source do I see that
CRAM-MD5 is actually disabled, but I could be missing the location.
Could dbmail still authenticate a malicious client?
Re: Security alert: disable CRAM-MD5 if you don't use it
Ok.


Good news: dbmail-3.1 is not affected. Apparently the problem only
occurs in 3.2.0 and 3.2.1. It's definitely a regression.

Bad news: if you use 3.2, you should apply the patch I pushed yesterday.
The workaround offers no real protection, as Caspar correctly surmised.



On 20-12-14 15:10, Casper Langemeijer wrote:
> I imagined the capability string only was the advertised capabilities,
> so I checked the source. Nowhere in the dbmail source I see that
> CRAM-MD5 is actually disabled, but I could be missing the location.
> Could dbmail still authenticate a malicious client?

--
________________________________________________________________
Paul J Stevens pjstevns @ gmail, twitter, github, linkedin
www.nfg.nl/info@nfg.nl/+31.85.877.99.97
Re: Security alert: disable CRAM-MD5 if you don't use it
On 2014-12-20 22:20, Paul J Stevens wrote:
> Ok.
>
> Good news: dbmail-3.1 is not affected. Apparently the problem only
> occurs in 3.2.0 and 3.2.1. It's definitely a regression.
>
> Bad news: if you use 3.2, you should apply the patch I pushed yesterday.
> The workaround offers no real protection, as Caspar correctly surmised.

Hi.

Good that my server isn't busy; I only just noticed this now.

@Paul: any chance for a new version soon that I can package up?

also it might be good to create a CVE:
http://www.cvedetails.com/product/3284/Dbmail-Dbmail.html?vendor_id=1941

Regards

Re: Security alert: disable CRAM-MD5 if you don't use it
On 2014-12-20 22:20, Paul J Stevens wrote:
> Ok.
>
> Good news: dbmail-3.1 is not affected. Apparently the problem only
> occurs in 3.2.0 and 3.2.1. It's definitely a regression.
>
> Bad news: if you use 3.2, you should apply the patch I pushed yesterday.
> The workaround offers no real protection, as Caspar correctly surmised.

@paul: I just noticed that the webpage is in need of some attention --
in particular the downloads section lists 3.2.0 as the only 3.2 release, so
if you could upload 3.2.1 and 3.2.2 that'd be great, since I otherwise
have to just patch from 3.2.0 to 3.2.2 in our (gentoo) ebuild.

Regards
Re: Security alert: disable CRAM-MD5 if you don't use it
On 27-12-14 18:56, Thomas Raschbacher wrote:

> also it might be good to create a CVE:
> http://www.cvedetails.com/product/3284/Dbmail-Dbmail.html?vendor_id=1941

I have no idea where to even begin doing that. Looks like a complete
nightmare.
--
________________________________________________________________
Paul J Stevens pjstevns @ gmail, twitter, github, linkedin
www.nfg.nl/info@nfg.nl/+31.85.877.99.97