Re: [Dovecot-news] CVE-2022-30550: Privilege escalation possible in dovecot when similar master and non-master passdbs are used

2022-07-06 Thread Aki Tuomi via Dovecot-news


> On 06/07/2022 16:54 EEST Aki Tuomi via Dovecot-news 
>  wrote:
> 
>  
> Affected product: Dovecot IMAP Server 
> Internal reference: DOV-5320
> Vulnerability type: Improper Access Control (CWE-284) 
> Vulnerable version: 2.2
> Vulnerable component: submission 
> Report confidence: Confirmed 
> Solution status: Fixed in main
> Researcher credits: Julian Brook (julezman)
> Vendor notification: 2022-05-06 
> CVE reference: CVE-2022-30550
> CVSS: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N) 
> 
> Vulnerability Details: 
> When two passdb configuration entries exist in Dovecot configuration, which 
> have the same driver and args settings, the incorrect username_filter and 
> mechanism settings can be applied to passdb definitions. These incorrectly 
> applied settings can lead to an unintended security configuration and can 
> permit privilege escalation with certain configurations involving master user 
> authentication.
> 
> Dovecot documentation does not advise against the use of passdb definitions 
> which have the same driver and args settings. One such configuration would be 
> where an administrator wishes to use the same pam configuration or passwd 
> file for both normal and master users but use the username_filter setting to 
> restrict which of the users is able to be a master user.
> 
> Risk: 
> If the same passwd file or PAM is used for both normal and master users, it is 
> possible for an attacker to become a master user.
> 
> Workaround:
> Always authenticate master users from a different source than regular users, 
> e.g. using a separate passwd file. Alternatively, you can use global ACLs to 
> ensure that only legitimate master users have privileged access.
> 
> Fix:
> This has been fixed in main branch. See 
> https://github.com/dovecot/core/compare/7bad6a24%5E..a1022072.patch

Two small corrections to this CVE notice... The service impacted is of course 
'auth' not 'submission', and the version impacted is from 2.2 to 2.3.19.1. 

Aki
___
Dovecot-news mailing list
Dovecot-news@dovecot.org
https://dovecot.org/mailman/listinfo/dovecot-news


[Dovecot-news] CVE-2022-30550: Privilege escalation possible in dovecot when similar master and non-master passdbs are used

2022-07-06 Thread Aki Tuomi via Dovecot-news
Affected product: Dovecot IMAP Server 
Internal reference: DOV-5320
Vulnerability type: Improper Access Control (CWE-284) 
Vulnerable version: 2.2
Vulnerable component: submission 
Report confidence: Confirmed 
Solution status: Fixed in main
Researcher credits: Julian Brook (julezman)
Vendor notification: 2022-05-06 
CVE reference: CVE-2022-30550
CVSS: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N) 

Vulnerability Details: 
When two passdb configuration entries exist in Dovecot configuration, which 
have the same driver and args settings, the incorrect username_filter and 
mechanism settings can be applied to passdb definitions. These incorrectly 
applied settings can lead to an unintended security configuration and can 
permit privilege escalation with certain configurations involving master user 
authentication.

Dovecot documentation does not advise against the use of passdb definitions 
which have the same driver and args settings. One such configuration would be 
where an administrator wishes to use the same pam configuration or passwd file 
for both normal and master users but use the username_filter setting to 
restrict which of the users is able to be a master user.

Risk: 
If the same passwd file or PAM is used for both normal and master users, it is 
possible for an attacker to become a master user.

Workaround:
Always authenticate master users from a different source than regular users, e.g. 
using a separate passwd file. Alternatively, you can use global ACLs to ensure 
that only legitimate master users have privileged access.

Fix:
This has been fixed in main branch. See 
https://github.com/dovecot/core/compare/7bad6a24%5E..a1022072.patch
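The following dovecot.conf fragment is an added illustration of the passdb layout the notice warns about and of the workaround it recommends (a separate source for master users). It is not part of Aki's notice and not Dovecot's own example configuration; the file paths, the "admin*" filter pattern and the use of passwd-file rather than PAM are assumptions made for the example.

```conf
# Added example, not from the notice or from Dovecot's documentation.
# Paths, the filter pattern and the passwd-file driver are assumptions.

# Lets a client log in as "user*masteruser" with the master user's password.
auth_master_user_separator = *

# --- Layout the notice warns about (left commented out) -------------------
# Both passdbs share the same driver AND the same args; only username_filter
# is supposed to limit which accounts may act as master users. According to
# the notice (Dovecot 2.2 up to 2.3.19.1), the username_filter / mechanisms
# settings of one such entry can be applied to the other, so the filter is
# not a reliable boundary between regular and master users.
#
# passdb {
#   driver = passwd-file
#   args = /etc/dovecot/users
# }
# passdb {
#   driver = passwd-file
#   args = /etc/dovecot/users
#   master = yes
#   username_filter = admin*
#   result_success = continue
# }

# --- Workaround from the notice: a different source for master users ------
# Regular users are looked up in one file ...
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
}

# ... and master users in a separate file, so driver+args never collide.
# Only accounts listed in this file can ever authenticate as a master user.
passdb {
  driver = passwd-file
  args = /etc/dovecot/master-users
  master = yes
  # After a successful master login, continue to the regular passdb so the
  # target user is also verified, as in Dovecot's master-user documentation.
  result_success = continue
}
```

Both files use the usual passwd-file format (one "name:{SCHEME}hash" entry per line); the point of the workaround is that the two passdb entries now differ in args, so whatever setting is applied to one entry cannot grant master status to accounts that exist only in the other file. After changing the configuration, "doveconf -n" shows the effective passdb blocks and is a quick way to confirm that no two entries still share the same driver and args.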