Kolab Security Issue 01 20050209
================================

Package: kolab
Vulnerability: privilege escalation
Kolab Specific: yes
Dependent Packages: none

Summary
-------

The kolab_bootstrap script for the Kolab Server suggested passwords vulnerable to either dictionary or brute force attacks for the administrative account "manager" and some other internal Kolab users (namely "nobody" and "calendar"). Each of the passwords was chosen from a set of only 4096 possibilities.

Possible Effects
----------------

(A) Only when the suggested manager password was accepted unchanged could a remote attacker gain full write access to the Kolab LDAP tree by using either brute force or dictionary attacks. Write access to the Kolab LDAP tree effectively means full control of the Kolab server.

(B) As the nobody user has no further permissions and is internally only used as an alternative to anonymous binding, this will not leak sensitive information when the password is successfully guessed.

(C) Kolab users giving the Kolab calendar user write permissions on their folders are vulnerable to having their calendar folders accessed by an attacker. The calendar user was introduced 20041014 in the Kolab 2 development branch and is not used in any of the Kolab 1 servers.

Servers that have problems (A) and (B):

  Kolab 1 Server: before 20041213 (version 1.0.25 is safe)
    OpenPKG (independent of with_genuine setting)
      CURRENT      kolab-20040503-20041207
      RELEASE 2.2  kolab-20040503-2.2.0
      RELEASE 2.1  kolab-20040503-2.1.0
    Mandrake: versions up to 1.0-0.61mdk

  Kolab 2 Server: before 20041122 (development branch)

Servers that have problem (C):

  Kolab 2 Server: after 20041014 but before 20041123 (development branch)

Fixes
-----

The problems with the bootstrapping script (kolab_bootstrap) have been silently fixed in the Kolab 2 development branch since 20041201 and with an update of Kolab 1 since 20041213.

Released packages that contain the fixes:

  Kolab 1:
    http://max.kde.org:8080/mirrors/www.erfrakon.de/projects/kolab/download/kolab-server-1.0/src/kolab-1.0-1.0.25.src.rpm
    OpenPKG (independent of with_genuine setting)
      CURRENT      kolab-20040503-20041214
      RELEASE 2.2  kolab-20040503-2.2.1
      RELEASE 2.1  kolab-20040503-2.1.1
    Mandrake: versions from 0.62mdk on are corrected

  Kolab 2:
    Oldest Kolab 2 package with a fix (the beta releases are newer than this):
    ftp.kolab.org/kolab/server/development/20041201-full/sources/kolabd-1.9.3-20041201.src.rpm

How to fix existing installations:

1.) Stop the Kolab server using

      /kolab/etc/rc.d/rc.kolab stop   (Kolab 1 method)
    or
      /kolab/etc/rc all stop          (Kolab 2 method)

  (a) New installations of the Kolab 1 server (>= 1.0.25) are not vulnerable to Problem (A), as the fixes were incorporated into the current (20041213) package. Please note that Kolab 2 development is already in late Beta stage. We therefore strongly recommend going with Kolab 2 for new installations or major renovations.

  (b) New installations of the Kolab 2 development branch (> 20041122) are not vulnerable to Problem (A), as the fixes were incorporated into the current package.

  (c) Existing installations of Kolab 1 are vulnerable to Problem (A) if the suggested manager password was accepted instead of being manually chosen. This problem can be fixed without upgrading the installation by manually choosing a more secure manager password. Please note that during an update of a Kolab installation the manager password is preserved, so every affected installation is asked to choose a more secure manager password manually. We are assisting this process by providing a kolabpasswd script for Kolab 1.

  (d) Existing installations of the Kolab 2 development branch are vulnerable to Problem (A) if the suggested manager password was accepted instead of being manually chosen. This problem can be fixed without upgrading the installation by manually choosing a more secure manager password. We are assisting this process by providing a kolabpasswd script for Kolab 2. Because Kolab 2 is in Beta we generally recommend upgrading to the most recent package, but during an update the manager password is preserved, so every affected installation is asked to choose a more secure manager password manually.

  (e) Changing the nobody password on existing installations (Kolab 1 and Kolab 2) as a remedy for Problem (B) using

        kolabpasswd nobody

      is optional. We recommend using the password proposed by kolabpasswd, as this password is only for internal use within Kolab and never needs to be entered manually.

  (f) Change the calendar password on existing installations vulnerable to Problem (C) using

        kolabpasswd calendar

      We recommend using the password proposed by kolabpasswd, as this password is only for internal use and never needs to be entered manually.

2.) Start the Kolab server using

      /kolab/etc/rc all start           (Kolab 2 method)
    or
      /kolab/etc/rc.d/rc.kolab start    (Kolab 1 method)

Details of the security problem
-------------------------------

kolab_bootstrap used the following commands for suggesting passwords:

  @@@kolab_prefix@@@/bin/openssl passwd kolab
  @@@kolab_prefix@@@/bin/openssl passwd nobody
  @@@kolab_prefix@@@/bin/openssl passwd calendar

This is a weak way of suggesting passwords and is subject to brute force and dictionary attacks: the word being hashed is fixed, so the only variation between runs is the salt. The new code looks like

  @@@kolab_prefix@@@/bin/openssl rand -base64 12
  @@@kolab_prefix@@@/bin/openssl rand -base64 30
  @@@kolab_prefix@@@/bin/openssl rand -base64 30

Timeline
--------

20041201  Problem detected by Bernhard Reiter and Bernhard Herzog from Intevation GmbH. Developers notified.
20041202  Analysis. First fix of the scripts in the Kolab CVS (Kolab 2) and manual recovery instructions.
20041203  Vendors notified.
20041213  Convenience scripts provided (kolabpasswd) by Martin Konold and Tassilo Erlewein from erfrakon.
20041213  Kolab 1 update package available.
20041214  Updated Kolab 1 OpenPKG packages available (Thomas Lotterer).
20050209  Kolab security advisory published.
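The following is an added example, not code from the advisory or from Kolab, showing where the "4096 possibilities" in the summary comes from and how much larger the keyspace of the fixed commands is. It assumes that `openssl passwd <word>` in the affected versions produced traditional crypt(3) output (a 2-character salt from a 64-character alphabet followed by 11 hash characters, all from the same alphabet); the `looks_like_old_suggestion` audit check and `suggest_password` helper are hypothetical names, not Kolab's kolabpasswd.

```python
import base64
import math
import secrets
import string

# Traditional crypt(3) salt alphabet: [a-zA-Z0-9./], 64 characters.
# With a fixed input word ("kolab", "nobody", "calendar") the only thing
# that varied between runs of `openssl passwd <word>` was the 2-char salt.
CRYPT_ALPHABET = string.ascii_letters + string.digits + "./"
CRYPT_OUTPUT_LEN = 13  # 2 salt characters + 11 hash characters


def weak_suggestion_keyspace() -> int:
    """Distinct passwords the old kolab_bootstrap could ever suggest."""
    return len(CRYPT_ALPHABET) ** 2  # 64 * 64 = 4096


def strong_suggestion_bits(random_bytes: int) -> int:
    """Entropy of `openssl rand -base64 <n>`: n random bytes, base64 is only encoding."""
    return 8 * random_bytes


def brute_force_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given online guess rate."""
    return keyspace / guesses_per_second


def looks_like_old_suggestion(password: str) -> bool:
    """Audit heuristic: a password with the exact shape of crypt(3) output
    (13 chars, all from the crypt alphabet) may be an accepted old suggestion
    and should be replaced. A non-match does not prove the password strong."""
    return len(password) == CRYPT_OUTPUT_LEN and all(c in CRYPT_ALPHABET for c in password)


def suggest_password(random_bytes: int = 12) -> str:
    """Same construction as the fixed bootstrap's `openssl rand -base64 <n>`,
    using the standard library CSPRNG (hypothetical helper, not kolabpasswd)."""
    return base64.b64encode(secrets.token_bytes(random_bytes)).decode("ascii")


if __name__ == "__main__":
    weak = weak_suggestion_keyspace()
    print(f"old suggestion: {weak} candidates ({math.log2(weak):.0f} bits)")
    print(f"exhausted at 10 guesses/s in {brute_force_seconds(weak, 10):.0f} s")
    print(f"rand -base64 12: {strong_suggestion_bits(12)} bits, e.g. {suggest_password(12)}")
    print(f"rand -base64 30: {strong_suggestion_bits(30)} bits")
```

A manager password that `looks_like_old_suggestion` flags should be changed with kolabpasswd as the advisory describes; the check is only a shape heuristic, so it neither confirms nor rules out a weak password by itself.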