courier: CVE-2021-38084

Related Vulnerabilities: CVE-2021-38084   CVE-2011-0411  

Debian Bug report logs - #989375

Reported by: Sysadmin HTL Leonding <debbtsreports@htl-leonding.ac.at>

Date: Wed, 2 Jun 2021 07:03:02 UTC

Severity: important

Tags: security, upstream

Found in versions courier/1.0.16-3, courier/1.0.6-1



Report forwarded to debian-bugs-dist@lists.debian.org, debbtsreports@htl-leonding.ac.at, Markus Wanner <markus@bluegap.ch>:
Bug#989375; Package courier-pop. (Wed, 02 Jun 2021 07:03:04 GMT)


Acknowledgement sent to Sysadmin HTL Leonding <debbtsreports@htl-leonding.ac.at>:
New Bug report received and forwarded. Copy sent to debbtsreports@htl-leonding.ac.at, Markus Wanner <markus@bluegap.ch>. (Wed, 02 Jun 2021 07:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Sysadmin HTL Leonding <debbtsreports@htl-leonding.ac.at>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: courier-pop: CVE-2011-0411 equivalent vulnerability - fix not implemented
Date: Wed, 02 Jun 2021 08:59:02 +0200
Package: courier-pop
Severity: important

Dear Maintainer,

Uni Münster did a vulnerability scan on the Internet and reported a Debian server running 
courier-pop to be vulnerable to the equivalent of CVE-2011-0411. The system information
is from another system, but the issue exists in the upstream source, so it doesn't matter.

The suggested fixes from
www.postfix.org/CVE-2011-0411.html
have never been implemented in courier-pop (according to the researchers only in the IMAP
implementation).

There has been a very old bug report for Ubuntu (Debian security team asked me to open a ticket
in Debian BTS for this):
https://bugs.launchpad.net/ubuntu/+source/courier/+bug/1194892

In the meantime I got the information from a courier developer that while courier-pop
is vulnerable to the same issue as the other programs (where fixes have been implemented),
according to him there has never been a practical exploit given the limitations of the
POP3 protocol. The only possibility for an attacker would be to cause the server to send back
errors or failures to the login request, and as the attacker is already MITM he/she could do
that anyway.

As a measure of defense in depth and to prevent Internet scans from causing "noise", it might
still be a good idea to implement the suggested fixes in the POP3 implementation too.

Or someone could declare STARTTLS as broken anyway (then it should be disabled in config
and documented there) and users should use the TLS-only ports, as researchers recommended
as a workaround.


-- System Information:
Debian Release: 10.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-16-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages courier-pop depends on:
pn  courier-authlib                     <none>
pn  courier-base                        <none>
ii  debconf [debconf-2.0]               1.5.71
pn  default-mta | mail-transport-agent  <none>
ii  libc6                               2.28-10
pn  libcourier-unicode4                 <none>
ii  libidn11                            1.33-2.2
ii  sysvinit-utils                      2.93-8

courier-pop recommends no packages.

Versions of packages courier-pop suggests:
pn  courier-doc  <none>
pn  mail-reader  <none>
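
Added example, not part of the bug report and not Courier's code: a minimal C model of the buffering behaviour behind this class of STARTTLS bug, where lines read in plaintext before the handshake are still processed once TLS is active, next to the usual remedy of discarding the read buffer when `STLS` is accepted. The `session` struct, `next_line`, `leaked_lines` and the wire bytes are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical session: plaintext read buffer plus a TLS flag. */
struct session { char buf[256]; size_t len; int tls_active; };

/* Pop one CRLF-terminated line into out; returns 1 if one was buffered. */
static int next_line(struct session *s, char *out, size_t outsz) {
    for (size_t i = 0; i + 1 < s->len; i++) {
        if (s->buf[i] != '\r' || s->buf[i + 1] != '\n') continue;
        size_t n = i < outsz - 1 ? i : outsz - 1;
        memcpy(out, s->buf, n);
        out[n] = '\0';
        s->len -= i + 2;
        memmove(s->buf, s->buf + i + 2, s->len);
        return 1;
    }
    return 0;
}

/* Count lines that arrived in plaintext but were processed after the switch
   to TLS. discard_on_stls = 1 applies the fix (drop pre-handshake bytes). */
int leaked_lines(const char *wire, int discard_on_stls) {
    struct session s = { .len = 0 };
    char line[128];
    int leaked = 0;
    /* Model one socket read that delivers everything in 'wire' at once. */
    size_t n = strlen(wire) < sizeof s.buf ? strlen(wire) : sizeof s.buf;
    memcpy(s.buf, wire, n);
    s.len = n;
    while (next_line(&s, line, sizeof line)) {
        if (s.tls_active) { leaked++; continue; }
        if (strcasecmp(line, "STLS") == 0) {
            s.tls_active = 1;                /* TLS handshake would run here */
            if (discard_on_stls) s.len = 0;  /* nothing plaintext survives */
        }
    }
    return leaked;
}

int main(void) {
    const char *wire = "CAPA\r\nSTLS\r\nNOOP\r\n";  /* constructed input */
    printf("%d %d\n", leaked_lines(wire, 0), leaked_lines(wire, 1));
    return 0;
}
```

With the discard in place, a client that sends anything after `STLS` before the handshake completes simply loses those bytes, so a scanner probing for the behaviour sees no response to them inside the TLS session.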

Added tag(s) upstream and security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 02 Jun 2021 12:27:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Markus Wanner <markus@bluegap.ch>:
Bug#989375; Package courier-pop. (Wed, 04 Aug 2021 18:09:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Markus Wanner <markus@bluegap.ch>. (Wed, 04 Aug 2021 18:09:03 GMT)


Message #12 received at 989375@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Sysadmin HTL Leonding <debbtsreports@htl-leonding.ac.at>, 989375@bugs.debian.org
Subject: Re: Bug#989375: courier-pop: CVE-2011-0411 equivalent vulnerability - fix not implemented
Date: Wed, 4 Aug 2021 20:04:06 +0200
Control: reassign -1 src:courier 1.0.16-3
Control: retitle -1 courier: CVE-2021-38084
Control: found -1 1.0.6-1

Hi,

On Wed, Jun 02, 2021 at 08:59:02AM +0200, Sysadmin HTL Leonding wrote:
> Package: courier-pop
> Severity: important
> 
> Dear Maintainer,
> 
> Uni Münster did a vulnerability scan on the Internet and reported a Debian server running 
> courier-pop to be vulnerable to the equivalent of CVE-2011-0411. The system information
> is from another system, but the issue exists in the upstream source, so it doesn't matter.
> 
> The suggested fixes from
> www.postfix.org/CVE-2011-0411.html
> have never been implemented in courier-pop (according to the researchers only in the IMAP
> implementation).
> 
> There has been a very old bug report for Ubuntu (Debian security team asked me to open a ticket
> in Debian BTS for this):
> https://bugs.launchpad.net/ubuntu/+source/courier/+bug/1194892
> 
> In the meantime I got the information from a courier developer that while courier-pop
> is vulnerable to the same issue as the other programs (where fixes have been implemented),
> according to him there has never been a practical exploit given the limitations of the
> POP3 protocol. The only possibility for an attacker would be to cause the server to send back
> errors or failures to the login request, and as the attacker is already MITM he/she could do
> that anyway.
> 
> As a measure of defense in depth and to prevent Internet scans from causing "noise", it might
> still be a good idea to implement the suggested fixes in the POP3 implementation too.
> 
> Or someone could declare STARTTLS as broken anyway (then it should be disabled in config
> and documented there) and users should use the TLS-only ports, as researchers recommended
> as a workaround.

This now has its own CVE, CVE-2021-38084. Fixed upstream in 1.1.5
according to
https://sourceforge.net/p/courier/mailman/message/37329216/ .

Regards,
Salvatore



Bug reassigned from package 'courier-pop' to 'src:courier'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 989375-submit@bugs.debian.org. (Wed, 04 Aug 2021 18:09:03 GMT)


Marked as found in versions courier/1.0.16-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to 989375-submit@bugs.debian.org. (Wed, 04 Aug 2021 18:09:03 GMT)


Changed Bug title to 'courier: CVE-2021-38084' from 'courier-pop: CVE-2011-0411 equivalent vulnerability - fix not implemented'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 989375-submit@bugs.debian.org. (Wed, 04 Aug 2021 18:09:03 GMT)


Marked as found in versions courier/1.0.6-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 989375-submit@bugs.debian.org. (Wed, 04 Aug 2021 18:09:04 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Aug 5 16:17:57 2021; Machine Name: buxtehude
