Security Advisory 01 for Kolab Server

Bernhard Herzog bh at intevation.de
Wed Feb 9 19:33:39 CET 2005


A security problem affecting Kolab 1 and 2 servers has been discovered.
Installations where the manager password suggested by the bootstrap
script was accepted unchanged and some development installations are
vulnerable.  Fixes are available.  See the security advisory below for
more details.

   Bernhard Herzog


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kolab Security Issue 01 20050209
================================

Package:              kolab
Vulnerability:        privilege escalation
Kolab Specific:       yes
Dependent Packages:   none


Summary
- -------

The kolab_bootstrap script for the Kolab Server suggested passwords
vulnerable to dictionary or brute force attacks for the administrative
account "manager" and some other internal Kolab users (namely "nobody"
and "calendar").  Each of the passwords was chosen from a set of only
4096 possibilities.


Possible Effects
- ----------------

(A) Only when the suggested manager password was accepted unchanged, a
remote attacker could get full write access to the Kolab LDAP tree by
using either brute force or dictionary attacks. Write access to the
Kolab LDAP tree effectively means full control of the Kolab server.

(B) As the nobody user has no further permissions and is internally only
used as an alternative to anonymous binding, a successfully guessed
nobody password will not leak sensitive information.

(C) Kolab users who give the Kolab calendar user write permissions on
their folders risk having those calendar folders accessed by an
attacker. The calendar user was introduced 20041014 in the Kolab 2
development branch and is not used in any of the Kolab 1 servers.

Servers that have problems (A) and (B):
      Kolab 1 Server: before 20041213 (version 1.0.25 is safe)

      OpenPKG (independent of with_genuine setting)
      CURRENT      kolab-20040503-20041207
      RELEASE 2.2  kolab-20040503-2.2.0
      RELEASE 2.1  kolab-20040503-2.1.0

      Kolab 1 Server Mandrake: versions up to 1.0-0.61mdk

      Kolab 2 Server: before 20041122 (development branch)

Servers that have problem (C):

      Kolab2 Server: after 20041014 but before 20041123 (development branch)


Fixes
- -----

The problems with the bootstrapping script (kolab_bootstrap) have been
silently fixed in the Kolab 2 development branch since 20041201 and with
an update of Kolab 1 since 20041213.

Released packages that contain the fixes:

  Kolab 1:

    http://max.kde.org:8080/mirrors/www.erfrakon.de/projects/kolab/download/kolab-server-1.0/src/kolab-1.0-1.0.25.src.rpm

    OpenPKG (independent of with_genuine setting)
    CURRENT      kolab-20040503-20041214
    RELEASE 2.2  kolab-20040503-2.2.1
    RELEASE 2.1  kolab-20040503-2.1.1

    Mandrake: versions from 0.62mdk on are corrected

  Kolab 2:

    Oldest Kolab 2 package with a fix (the beta releases are newer than this):
    ftp.kolab.org/kolab/server/development/20041201-full/sources/kolabd-1.9.3-20041201.src.rpm


How to fix existing installations:

1.) Stop the Kolab server using

      /kolab/etc/rc.d/rc.kolab stop (Kolab 1 method)

or 

      /kolab/etc/rc all stop (Kolab 2 method)

(a) New installations of the Kolab 1 server (>= 1.0.25) are not
vulnerable to Problem (A) because the fixes were incorporated into the
current (20041213) package.

Please note that Kolab 2 development is already in late Beta stage. We
therefore strongly recommend going with Kolab 2 for new installations
or major renovations.

(b) New installations of the Kolab 2 development branch (> 20041122) are
not vulnerable to Problem (A) because the fixes were incorporated into
the current package.

(c) Existing installations of Kolab 1 are vulnerable to Problem (A) if
the suggested manager password was accepted instead of being manually
chosen.  This problem can be fixed without the need to upgrade the
installation by choosing a more secure manager password manually.
Please note that during an update of a Kolab installation the manager
password is preserved, so every affected installation is asked to
choose a more secure manager password manually. We are assisting this
process by providing a kolabpasswd script for Kolab 1.

(d) Existing installations of the Kolab 2 development branch are
vulnerable to Problem (A) if the suggested manager password was accepted
instead of being manually chosen. This problem can be fixed without the
need to upgrade the installation by choosing a more secure manager
password manually. We are assisting this process by providing a
kolabpasswd script for Kolab 2.  Because Kolab 2 is in Beta we generally
recommend upgrading to the most recent package, but during an update the
manager password is preserved, so every affected installation is asked
to choose a more secure manager password manually.

(e) Changing the nobody password on existing installations (Kolab 1 and
Kolab 2) as a remedy for Flaw (B) using

      kolabpasswd nobody

is optional. We recommend using the password proposed by kolabpasswd, as
this password is only used internally within Kolab and never needs to
be entered manually.

(f) Change the calendar password on existing installations vulnerable to
Problem (C) using

      kolabpasswd calendar

We recommend using the password proposed by kolabpasswd, as this
password is only used internally and never needs to be entered manually.

2.) Start the Kolab server using

      /kolab/etc/rc all start (Kolab 2 method)

or 

      /kolab/etc/rc.d/rc.kolab start  (Kolab 1 method)


Details of the security problem
- -------------------------------

kolab_bootstrap used the following commands for suggesting passwords:

      @@@kolab_prefix@@@/bin/openssl passwd kolab
      @@@kolab_prefix@@@/bin/openssl passwd nobody
      @@@kolab_prefix@@@/bin/openssl passwd calendar

This is a weak way of suggesting passwords and is subject to brute force
and dictionary attacks. The new code looks like:

      @@@kolab_prefix@@@/bin/openssl rand -base64 12
      @@@kolab_prefix@@@/bin/openssl rand -base64 30
      @@@kolab_prefix@@@/bin/openssl rand -base64 30
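Why the old commands yield only 4096 candidates and what the new ones gain, as an added example in Python that is not part of the advisory or of kolab_bootstrap: `openssl passwd <word>` with a fixed word produces a traditional crypt(3) string whose only random input is the two-character salt drawn from a 64-character alphabet, so 64 * 64 = 4096 distinct suggestions, which is the figure the advisory gives; `openssl rand -base64 N` draws N random bytes, i.e. 8*N bits. The script models both keyspaces, estimates the worst-case cost of an online guesser at a constructed rate of 100 guesses per second, generates replacement passwords the way the new code does (via the OS CSPRNG), and adds a heuristic check, an assumption of this example rather than a Kolab tool, that flags a configured password with the 13-character shape of a crypt string so an administrator can spot an installation still running on the bootstrap suggestion.

```python
import base64
import math
import secrets
import string

# Characters a traditional crypt(3) salt and hash are built from: [a-zA-Z0-9./]
CRYPT_ALPHABET = string.ascii_letters + string.digits + "./"
SALT_LENGTH = 2            # traditional DES crypt uses a two-character salt
CRYPT_OUTPUT_LENGTH = 13   # salt (2) + 11 hash characters


def weak_keyspace() -> int:
    """Distinct outputs of `openssl passwd <word>` for one fixed word.

    The word ("kolab", "nobody", "calendar") never changes, so the only random
    input is the salt: 64 ** 2 = 4096 possible suggested passwords.
    """
    return len(CRYPT_ALPHABET) ** SALT_LENGTH


def strong_keyspace(nbytes: int) -> int:
    """Distinct outputs of `openssl rand -base64 <nbytes>`: every byte is random."""
    return 2 ** (8 * nbytes)


def entropy_bits(keyspace: int) -> float:
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time for an online guesser to try every candidate."""
    return keyspace / guesses_per_second


def suggest_password(nbytes: int) -> str:
    """Same construction as the new kolab_bootstrap code (`openssl rand -base64 N`),
    using the OS CSPRNG through the secrets module."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def looks_like_crypt_output(password: str) -> bool:
    """Heuristic (an assumption of this example, not a Kolab check): the old
    suggestions were raw crypt(3) strings, exactly 13 characters over the
    crypt alphabet.  A configured manager password of that shape deserves a
    closer look; base64 of 12 or 30 random bytes is 16 or 40 characters long."""
    return (len(password) == CRYPT_OUTPUT_LENGTH
            and all(c in CRYPT_ALPHABET for c in password))


def compare(guesses_per_second: float = 100.0) -> dict:
    """Summarise the old versus the new scheme for the three bootstrap users.
    The guess rate is a constructed figure for illustration only."""
    rows = {}
    weak = weak_keyspace()
    rows["old (any user)"] = {
        "keyspace": weak,
        "bits": entropy_bits(weak),
        "seconds_to_exhaust": seconds_to_exhaust(weak, guesses_per_second),
    }
    # Byte counts follow the new kolab_bootstrap commands: 12 for manager, 30 for the others
    for user, nbytes in (("manager", 12), ("nobody", 30), ("calendar", 30)):
        ks = strong_keyspace(nbytes)
        rows[f"new ({user})"] = {
            "keyspace": ks,
            "bits": entropy_bits(ks),
            "seconds_to_exhaust": seconds_to_exhaust(ks, guesses_per_second),
        }
    return rows


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:16s} {row['bits']:6.1f} bits, "
              f"{row['seconds_to_exhaust']:.3g} s to exhaust at 100 guesses/s")
    # Constructed sample: a crypt-shaped string versus a freshly generated one
    print(looks_like_crypt_output("ab1Cd2Ef3Gh4i"),
          looks_like_crypt_output(suggest_password(12)))
```

The comparison makes the advisory's point concrete: 12 bits of entropy falls to an online guesser in under a minute even at a slow rate, while 96 bits (manager) and 240 bits (nobody, calendar) are out of reach. The shape check is only a triage aid; the authoritative remedy remains setting a new password with kolabpasswd as described above.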



Timeline
- --------
      20041201 Problem detected by Bernhard Reiter and Bernhard Herzog from
               Intevation GmbH. Developers notified.
      20041202 Analysis. First fix of the scripts in the Kolab CVS (Kolab 2)
               and manual recovery instructions.
      20041203 Vendors notified
      20041213 Convenience scripts provided (kolabpasswd) by
               Martin Konold and Tassilo Erlewein from erfrakon
      20041213 Kolab 1 update package available
      20041214 Updated Kolab 1 OpenPKG packages available (Thomas Lotterer)
      20050209 Kolab security advisory published


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCClPf0vCiU5+ISsgRAkFhAKD4X7DHhmBlKBMg0xjxWGtJ1pDQmwCfYVvF
BxXGUo1bHuuuI5keKRDRQqw=
=sPkd
-----END PGP SIGNATURE-----
