perdition: CVE-2013-4584: ssl_outgoing_ciphers not applied to STARTTLS connections

Debian Bug report logs - #729028
perdition: CVE-2013-4584: ssl_outgoing_ciphers not applied to STARTTLS connections

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: submit@bugs.debian.org

Subject: perdition: ssl_outgoing_ciphers not applied to STARTTLS connections

Date: Thu, 07 Nov 2013 23:31:16 -0500

[Message part 1 (text/plain, inline)]

Package: perdition
Version: 1.19~rc4-2
Control: found -1 1.19~rc5-1 
Control: found -1 2.0-1
Tags: patch security upstream
Forwarded: perdition-users@vergenet.net

Perdition(8) says:

        --ssl_outgoing_ciphers STRING:

              Cipher list when making outgoing SSL or TLS connections as
              per ciphers(1). If empty ("") then openssl's default will
              be used.  (default "")

However, this is only the case for outgoing connections that do not use
STARTTLS (the perdition terminology is confusing here, since what it
calls "TLS" actually means "start as cleartext, negotiate to encrypted
via STARTTLS" and what it calls "SSL" actually means "start SSL or TLS
session, run service inside that").

Here's the fix:

diff -r 046a7b19cd5b perdition/perdition.c
--- a/perdition/perdition.c	Thu Nov 07 21:23:31 2013 -0500
+++ b/perdition/perdition.c	Thu Nov 07 21:49:39 2013 -0500
@@ -985,7 +985,7 @@
     else if((opt.ssl_mode & SSL_MODE_TLS_OUTGOING) &&
           (status & PROTOCOL_S_STARTTLS)) {
       server_io=perdition_ssl_client_connection(server_io, opt.ssl_ca_file, 
-		      opt.ssl_ca_path, opt.ssl_listen_ciphers, servername);
+		      opt.ssl_ca_path, opt.ssl_outgoing_ciphers, servername);
       if(!server_io) {
         VANESSA_LOGGER_DEBUG("perdition_ssl_connection outgoing");
         VANESSA_LOGGER_ERR("Fatal error establishing SSL connection");


This is a security concern because it means that perdition is not
obeying the specifications of the administrator, and may accept weaker
ciphersuites than instructed on its backhaul connections.

Consider the case where an administrator wants to offer relatively
promiscuous IMAP connections to their end users -- if the user's MUA
only has some weak cipher suite or cleartext IMAP, we want to accept the
weak ciphersuite as better than nothing.  However, the admin's backend
IMAP servers are all under her control, and she knows that they are
capable of stronger ciphersuites.  in this case, ssl_listen_ciphers will
allow weak ciphers, and ssl_outgoing_ciphers will be strict and require
high security, to at least protect the link between perdition and the
backend IMAP server.

However, if this outgoing connection happens to use IMAP+STARTTLS
instead of IMAPS, the bug described here will offer weak ciphersuites to
the backend IMAP server.

All versions of perdition in debian currently have this flaw.  I've
reported it to the upstream mailing list, but for whatever reason the
message hasn't cleared that mailing list yet.

Regards, 

         --dkg

[Message part 2 (application/pgp-signature, inline)]

Message #14 received at 729028@bugs.debian.org (full text, mbox, reply):

From: Simon Horman <horms@verge.net.au>

To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 729028@bugs.debian.org

Subject: Re: Bug#729028: perdition: ssl_outgoing_ciphers not applied to STARTTLS connections

Date: Wed, 13 Nov 2013 13:04:07 +0900

[Message part 1 (text/plain, inline)]

On Thu, Nov 07, 2013 at 11:31:16PM -0500, Daniel Kahn Gillmor wrote:
> Package: perdition
> Version: 1.19~rc4-2
> Control: found -1 1.19~rc5-1 
> Control: found -1 2.0-1
> Tags: patch security upstream
> Forwarded: perdition-users@vergenet.net
> 
> Perdition(8) says:
> 
>         --ssl_outgoing_ciphers STRING:
> 
>               Cipher list when making outgoing SSL or TLS connections as
>               per ciphers(1). If empty ("") then openssl's default will
>               be used.  (default "")
> 
> However, this is only the case for outgoing connections that do not use
> STARTTLS (the perdition terminology is confusing here, since what it
> calls "TLS" actually means "start as cleartext, negotiate to encrypted
> via STARTTLS" and what it calls "SSL" actually means "start SSL or TLS
> session, run service inside that").
> 
> Here's the fix:
> 
> diff -r 046a7b19cd5b perdition/perdition.c
> --- a/perdition/perdition.c	Thu Nov 07 21:23:31 2013 -0500
> +++ b/perdition/perdition.c	Thu Nov 07 21:49:39 2013 -0500
> @@ -985,7 +985,7 @@
>      else if((opt.ssl_mode & SSL_MODE_TLS_OUTGOING) &&
>            (status & PROTOCOL_S_STARTTLS)) {
>        server_io=perdition_ssl_client_connection(server_io, opt.ssl_ca_file, 
> -		      opt.ssl_ca_path, opt.ssl_listen_ciphers, servername);
> +		      opt.ssl_ca_path, opt.ssl_outgoing_ciphers, servername);
>        if(!server_io) {
>          VANESSA_LOGGER_DEBUG("perdition_ssl_connection outgoing");
>          VANESSA_LOGGER_ERR("Fatal error establishing SSL connection");
> 
> 
> This is a security concern because it means that perdition is not
> obeying the specifications of the administrator, and may accept weaker
> ciphersuites than instructed on its backhaul connections.
> 
> Consider the case where an administrator wants to offer relatively
> promiscuous IMAP connections to their end users -- if the user's MUA
> only has some weak cipher suite or cleartext IMAP, we want to accept the
> weak ciphersuite as better than nothing.  However, the admin's backend
> IMAP servers are all under her control, and she knows that they are
> capable of stronger ciphersuites.  in this case, ssl_listen_ciphers will
> allow weak ciphers, and ssl_outgoing_ciphers will be strict and require
> high security, to at least protect the link between perdition and the
> backend IMAP server.
> 
> However, if this outgoing connection happens to use IMAP+STARTTLS
> instead of IMAPS, the bug described here will offer weak ciphersuites to
> the backend IMAP server.
> 
> All versions of perdition in debian currently have this flaw.  I've
> reported it to the upstream mailing list, but for whatever reason the
> message hasn't cleared that mailing list yet.


Hi Daniel,

thanks for bringing this to my attention and sorry
for not noticing the mailing list post: I'm not suer what happened there.

I think that the best thing to do is both:
* Update the Debian packages with this fix and;
* Release a fresh upstream version of perdition with this fix.

[signature.asc (application/pgp-signature, inline)]

Message #19 received at 729028@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: Simon Horman <horms@verge.net.au>, 729028@bugs.debian.org, Debian Security Team <security@debian.org>

Subject: Re: Bug#729028: perdition: ssl_outgoing_ciphers not applied to STARTTLS connections

Date: Tue, 12 Nov 2013 23:59:15 -0500

[Message part 1 (text/plain, inline)]

Hi Simon--

Re: http://bugs.debian.org/729028:

On Tue 2013-11-12 23:04:07 -0500, Simon Horman wrote:
> Thanks for bringing this to my attention and sorry
> for not noticing the mailing list post: I'm not suer what happened there.

dunno if you care to investigate the mailing list situation further.  if
you do, the post to the mailing list was Message-ID:
<87zjpfwqft.fsf@alice.fifthhorseman.net>

The handoff to the vergenet MX looked like this from my side:

Nov  7 21:57:50 che postfix/smtp[32630]: 7E90AF984: to=<perdition-users@vergenet.net>, relay=mail.au.vergenet.net[202.4.237.240]:25, delay=5.2, delays=0.55/0.01/3.6/1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as B4DE9266CEF)

The message doesn't seem to have made it through to the pipermail
archives, which see no messages for November 2013 at all:

 http://lists.vergenet.net/pipermail/perdition-users/

> I think that the best thing to do is both:
> * Update the Debian packages with this fix and;
> * Release a fresh upstream version of perdition with this fix.

This sounds like a reasonable approach to me.  I'm cc'ing the security
team so that they're aware of the problem and the potential security-fix
upload(s).  Would you like me to request a CVE for tracking this issue,
or do you intend to request one yourself?

Regards,

        --dkg

PS While i've got your ear, can i get you to look at and reply to my
earlier post to perdition-users about DHE?

  http://lists.vergenet.net/pipermail/perdition-users/2013-October/002669.html

[Message part 2 (application/pgp-signature, inline)]

Message #24 received at 729028@bugs.debian.org (full text, mbox, reply):

From: Simon Horman <horms@verge.net.au>

To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 729028@bugs.debian.org

Cc: Debian Security Team <security@debian.org>

Subject: Re: Bug#729028: perdition: ssl_outgoing_ciphers not applied to STARTTLS connections

Date: Wed, 13 Nov 2013 15:59:24 +0900

On Tue, Nov 12, 2013 at 11:59:15PM -0500, Daniel Kahn Gillmor wrote:
> Hi Simon--
> 
> Re: http://bugs.debian.org/729028:
> 
> On Tue 2013-11-12 23:04:07 -0500, Simon Horman wrote:
> > Thanks for bringing this to my attention and sorry
> > for not noticing the mailing list post: I'm not suer what happened there.
> 
> dunno if you care to investigate the mailing list situation further.  if
> you do, the post to the mailing list was Message-ID:
> <87zjpfwqft.fsf@alice.fifthhorseman.net>
> 
> The handoff to the vergenet MX looked like this from my side:
> 
> Nov  7 21:57:50 che postfix/smtp[32630]: 7E90AF984: to=<perdition-users@vergenet.net>, relay=mail.au.vergenet.net[202.4.237.240]:25, delay=5.2, delays=0.55/0.01/3.6/1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as B4DE9266CEF)
> 
> The message doesn't seem to have made it through to the pipermail
> archives, which see no messages for November 2013 at all:
> 
>  http://lists.vergenet.net/pipermail/perdition-users/
> 
> > I think that the best thing to do is both:
> > * Update the Debian packages with this fix and;
> > * Release a fresh upstream version of perdition with this fix.
> 
> This sounds like a reasonable approach to me.  I'm cc'ing the security
> team so that they're aware of the problem and the potential security-fix
> upload(s).  Would you like me to request a CVE for tracking this issue,
> or do you intend to request one yourself?

If you could request one that would be great.

Message #29 received at 729028@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: oss-security@lists.openwall.com

Cc: 729028@bugs.debian.org, Simon Horman <horms@verge.net.au>

Subject: perdition: ssl_outgoing_ciphers not applied to STARTTLS connections

Date: Wed, 13 Nov 2013 02:21:57 -0500

[Message part 1 (text/plain, inline)]

Perdition, the IMAP and POP proxy server, fails to apply the
administrator's specified ciphersuite preferences when making outbound
connections to IMAP and POP servers using STARTTLS.  For these outbound
connections, it applies the administrator's listening ciphersuite
preferences, which in many cases may be significantly weaker.

This was first noted publicly on the debian BTS:

  http://bugs.debian.org/729028

All versions of perdition up to 2.0 appear to be affected, and the fix
is a one-line patch.

This is not a critical vulnerability (it can be mitigated, for example,
by enforcing a strict minimalist ciphersuite on the backend server), but
in the absence of any such mitigation, it may cause the connections
between the proxy server and the backend server to negotiate a weaker
ciphersuite than the administrator's stated intent.

Could a CVE be issued for this issue?

Thanks,

	--dkg

[signature.asc (application/pgp-signature, attachment)]

Message #34 received at 729028@bugs.debian.org (full text, mbox, reply):

From: Kurt Seifried <kseifried@redhat.com>

To: oss-security@lists.openwall.com

Cc: 729028@bugs.debian.org, Simon Horman <horms@verge.net.au>

Subject: Re: [oss-security] perdition: ssl_outgoing_ciphers not applied to STARTTLS connections

Date: Thu, 14 Nov 2013 20:59:17 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/13/2013 12:21 AM, Daniel Kahn Gillmor wrote:
> Perdition, the IMAP and POP proxy server, fails to apply the 
> administrator's specified ciphersuite preferences when making
> outbound connections to IMAP and POP servers using STARTTLS.  For
> these outbound connections, it applies the administrator's
> listening ciphersuite preferences, which in many cases may be
> significantly weaker.
> 
> This was first noted publicly on the debian BTS:
> 
> http://bugs.debian.org/729028
> 
> All versions of perdition up to 2.0 appear to be affected, and the
> fix is a one-line patch.
> 
> This is not a critical vulnerability (it can be mitigated, for
> example, by enforcing a strict minimalist ciphersuite on the
> backend server), but in the absence of any such mitigation, it may
> cause the connections between the proxy server and the backend
> server to negotiate a weaker ciphersuite than the administrator's
> stated intent.
> 
> Could a CVE be issued for this issue?
> 
> Thanks,
> 
> --dkg
> 

Please use CVE-2013-4584for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJShZwUAAoJEBYNRVNeJnmTBjwP/A2Vlei1HYf9w8wFNcOkwyLd
1ZDKp4zaRymcVlrWYvm4bDXuHh0VWe84o1bGM5YHpQ5RXNSAQ7nzwHtIKKp9vbL8
r7Zd5bUwTHLIAs2J+fA10CIDaOma7LJFeUKLPMr2IJtV+ZssKVlazVm+oniQPEkR
PoQZyWYAM/kjs4KOsabW6c1eRLcew4BCimKdnFEfg+JWyC84Jn9DWMD09RwpUexN
vkiMs3oohqkfXFSS6LnSnYN9h/Ni1otJmbjp0tyFu/+MMCk5w2XehnIUB3RuPdwW
HaVxjyXzALQWIMn4PZ9xowtmXjyj1/tsKEfYh/2jkb1ll7t+PUnE3NtxXKnzLAXb
JXa9zmyOZ4TS1j9bfL8A99BgkcdQcfQeWpx/5IgN4yiNcPpRDSKKUUpUVUuknydP
rf9hzvIh/F0kzgSIHbPZ6HwlC6AWksx8jdwQ8+Xvpks97CP3OA/2pLgdfpKSjwPX
giEWeFjkxEdinYZr9jeoz/tSz/NwVVkC/R7kc3ncRPOBuzucm8sFhwJQ4T8QWTDd
Kz09I1twWnoY4kTCdeVdKMwVmsz6YRwka3XIjQnmJEIGb0tDxFbZDozLFQxYgkic
t1ireQQPK084k9wAVjvh4ZrcHJXnjZ6MyFvgucrPgQWJXXy084xC8kNpO/6eFAFs
GDFmRUBuNGPWzDmKl2yt
=J/Xd
-----END PGP SIGNATURE-----

Message #41 received at 729028-close@bugs.debian.org (full text, mbox, reply):

From: Simon Horman <horms@debian.org>

To: 729028-close@bugs.debian.org

Subject: Bug#729028: fixed in perdition 2.1-1

Date: Thu, 11 Sep 2014 03:20:37 +0000

Source: perdition
Source-Version: 2.1-1

We believe that the bug you reported is fixed in the latest version of
perdition, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 729028@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Horman <horms@debian.org> (supplier of updated perdition package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 01 Dec 2013 17:10:57 +0900
Source: perdition
Binary: perdition perdition-ldap perdition-mysql perdition-odbc perdition-postgresql
Architecture: source amd64
Version: 2.1-1
Distribution: unstable
Urgency: low
Maintainer: Simon Horman <horms@debian.org>
Changed-By: Simon Horman <horms@debian.org>
Description:
 perdition  - POP3 and IMAP4 Proxy server
 perdition-ldap - Library to allow perdition to access LDAP based popmaps
 perdition-mysql - Library to allow perdition to access MySQL based popmaps
 perdition-odbc - Library to allow perdition to access ODBC based popmaps
 perdition-postgresql - Library to allow perdition to access PostgreSQL based popmaps
Closes: 680086 726175 729028 737666 751430
Changes:
 perdition (2.1-1) unstable; urgency=low
 .
   * New Upstream Release
     (closes: #751430)
   * Fix for CVE-2013-4584
 .
     Perdition fails to apply the administrator's specified ciphersuite
     preferences when making outbound connections to IMAP and POP servers
     using STARTTLS.  For these outbound connections, it applies the
     administrator's listening ciphersuite preferences, which in many cases
     may be significantly weaker.
 .
     This is not a critical vulnerability (it can be mitigated, for example,
     by enforcing a strict minimalist ciphersuite on the backend server),
     but in the absence of any such mitigation, it may cause the connections
     between the proxy server and the backend server to negotiate a weaker
     ciphersuite than the administrator's stated intent.
 .
     (closes: #729028)
   * Versioned build dependency on dpkg-dev (>=1.16.1)
     (closes: #680086)
   * Use 1.0 as Managesieve version
     (closes: #726175)
   * Use autoreconf
     (closes: #737666)
   * Harden build flags
   * Build verbosely
   * Update standards version to 3.9.5
Checksums-Sha1:
 683abbe3feb1a92b6ed428d479253b49ac19553d 2243 perdition_2.1-1.dsc
 81ef59ae0c25533c1ebddb950bc216effc702394 515883 perdition_2.1.orig.tar.bz2
 46f2389c4db464ac0ced6796dbcac3575ab76f4c 12520 perdition_2.1-1.debian.tar.xz
 3fe63288cc212b412cf69cb885aebbaf38e86254 119552 perdition_2.1-1_amd64.deb
 2df3c6392dc2ce5ab5fdc797cb4a1a15ae4502e7 17462 perdition-ldap_2.1-1_amd64.deb
 9281ec2eefce33145e4184737ad34dc2b613f448 16012 perdition-mysql_2.1-1_amd64.deb
 db149f07ce64d51aba601972bc5fba03eafdc236 15556 perdition-odbc_2.1-1_amd64.deb
 2c6e26de8d439ab5e35d97163eef5a8757f9f0a4 15418 perdition-postgresql_2.1-1_amd64.deb
Checksums-Sha256:
 c3a33db44222402cf7b7eee3864ca2e11e9f62bed811097fb1602180e0ab7dd7 2243 perdition_2.1-1.dsc
 e0675bbaa85d17622682e30349f53f31736c3d3ec2ca157fdc929e5d2567e491 515883 perdition_2.1.orig.tar.bz2
 0d47e8af3fcbc37e85d184af494e82da53c5fbe27ba5300ac36b20157be90449 12520 perdition_2.1-1.debian.tar.xz
 cfe34c0e21f95bba383f1efe46ba1b3647d83c11cbed5da2bb3d5a4001ad0b63 119552 perdition_2.1-1_amd64.deb
 2f951dbcaf46f4dc95588dbaa247083bcc7b29deb6b05b4007c5b5c03b0ca6ae 17462 perdition-ldap_2.1-1_amd64.deb
 6213b85d179ee7011875274c348bd3dddf9580021b5d756214e4b8f0664743cc 16012 perdition-mysql_2.1-1_amd64.deb
 83f8f0e65c265b59ffdfaff3ef482adc49bb3a45f904f559ab349dfc235c9870 15556 perdition-odbc_2.1-1_amd64.deb
 b1cf0be07f52817e9d1f3a059ac218e699c1cdbeb459a6fdea3c138054dbd4b2 15418 perdition-postgresql_2.1-1_amd64.deb
Files:
 a010701387a097507fadd849f4cd013e 119552 mail optional perdition_2.1-1_amd64.deb
 cbc8e7e6429b2753f9332dd6ffadf6ac 17462 mail optional perdition-ldap_2.1-1_amd64.deb
 82a6a9c869af2bcab8e1bb33d762076a 16012 mail optional perdition-mysql_2.1-1_amd64.deb
 45768a254aeb16aaf89fcebb5b089e9e 15556 mail optional perdition-odbc_2.1-1_amd64.deb
 d2dfb6d0fadcd5ccad2582a6fe7c5f12 15418 mail optional perdition-postgresql_2.1-1_amd64.deb
 ab5e982d73dba6138e6cf98d7784c4d1 2243 mail optional perdition_2.1-1.dsc
 1e2c5ecfdcca0c02dde831186a077084 515883 mail optional perdition_2.1.orig.tar.bz2
 008f44679e77e2943a7f4f12edca85b7 12520 mail optional perdition_2.1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUEQwEAAoJENfPZGlqN0++7I8P/32EI4RhNmyFJZJJKEcPBbS8
y1qnKlYWN1mAErI08Crl8UzJjvXOvxURTWEZnKB6234qIqdYA28gk/G09RMvLzUs
Bhre0eNeF1YaLRhCQJKt1S9iF9u/hTFC4caetrwdRLhrwksp1agyDyb9BHN4eKbb
kmVcOqn1iG418Z4lowM5xl6SdIxjeLtYYWfd6UiZpfchgWHDYK41MTTs6xlDelKx
wDwnsCqNy7t1A6lOMFigCYc31Diy5pip2pitrKIj7fiKcKfGRqXpC6w2+CVcd6pu
ww2uYVj4A3knxL6ZrJ2Ws/ceSa+aVh4kkiGvthY88ExwbuhdxW1yE6McU4WyPPYT
UEt7G5JAmV+/giI0n5ucv6qqCKuEVUL7wFNKerxTzesnWU2D9u13OQqhTk3AmMC8
ZFdFmXkagY5H6Ewm32BRsyhYDnmFa8PNjI9TUvIFaVd48uqiwiVjR6zfRz74hh5a
2jRveRSG0TpVBfph0bDXbpxrAqQEQ62f+rq9lQLT9fxd7b2Y7sDNBQOCe/wkkIa7
98MQ1kCx4fKPfyUIHt8faq64ZggA3cWxZIiCjtABMUD5CvBmchpWhzRT7pYg6TsE
GHjI+gPQlx/Ye/VAKb3NM4SjAtv11qd2lqpOV9iQ8We4shTvv4Ir+YDfpJhKoS2O
M2Zu5G+cAS47HUexGJBM
=b/ut
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.