svn commit: r492242 - head/security/vuxml

Larry Rosenman ler at FreeBSD.org
Tue Feb 5 14:39:14 UTC 2019 

Author: ler
Date: Tue Feb  5 14:39:13 2019
New Revision: 492242
URL: https://svnweb.freebsd.org/changeset/ports/492242

Log:
  mail/dovecot: Suitable client certificate can be used to login as other user
  
  update vuxml

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Tue Feb  5 14:34:26 2019	(r492241)
+++ head/security/vuxml/vuln.xml	Tue Feb  5 14:39:13 2019	(r492242)
@@ -58,6 +58,66 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="1340fcc1-2953-11e9-bc44-a4badb296695">
+    <topic>mail/dovecot -- Suitable client certificate can be used to login as other user</topic>
+    <affects>
+      <package>
+	<name>dovecot</name>
+	<range><lt>2.3.4.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>SO-AND-SO reports:</p>
+	<blockquote cite="https://www.mail-archive.com/dovecot@dovecot.org/msg76117.html">
+	  <p>Normally Dovecot is configured to authenticate
+imap/pop3/managesieve/submission clients using regular username/password
+combination. Some installations have also required clients to present a
+trusted SSL certificate on top of that. It's also possible to configure
+Dovecot to take the username from the certificate instead of from the
+user provided authentication. It's also possible to avoid having a
+password at all, only trusting the SSL certificate.
+
+If the provided trusted SSL certificate is missing the username field,
+Dovecot should be failing the authentication. However, the earlier
+versions will take the username from the user provided authentication
+fields (e.g. LOGIN command). If there is no additional password
+verification, this allows the attacker to login as anyone else in the
+system.
+
+This affects only installations using:
+
+auth_ssl_require_client_cert = yes
+auth_ssl_username_from_cert = yes
+
+Attacker must also have access to a valid trusted certificate without
+the ssl_cert_username_field in it. The default is commonName, which
+almost certainly exists in all certificates. This could happen for
+example if ssl_cert_username_field is a field that normally doesn't
+exist, and attacker has access to a web server's certificate (and key),
+which is signed with the same CA.
+
+Attack can be migitated by having the certificates with proper Extended
+Key Usage, such as 'TLS Web Server' and 'TLS Web Server Client'.
+
+Also, ssl_cert_username_field setting was ignored with external SMTP
+AUTH, because none of the MTAs (Postfix, Exim) currently send the
+cert_username field. This may have allowed users with trusted
+certificate to specify any username in the authentication. This does not
+apply to Dovecot Submission service.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://www.mail-archive.com/dovecot@dovecot.org/msg76117.html</url>
+      <cvename>CVE-2019-3814</cvename>
+    </references>
+    <dates>
+      <discovery>2019-01-16</discovery>
+      <entry>2019-02-05</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="5d8c0876-2716-11e9-9446-b7f8544ce15c">
     <topic>typo3 -- multiple vulnerabilities</topic>
     <affects>

More information about the svn-ports-all mailing list