ID CVE-2008-1199
Summary Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.
Vulnerable Configurations
  • cpe:2.3:a:dovecot:dovecot:0.99.13
    cpe:2.3:a:dovecot:dovecot:0.99.13
  • cpe:2.3:a:dovecot:dovecot:0.99.14
    cpe:2.3:a:dovecot:dovecot:0.99.14
  • cpe:2.3:a:dovecot:dovecot:1.0
    cpe:2.3:a:dovecot:dovecot:1.0
  • cpe:2.3:a:dovecot:dovecot:1.0.2
    cpe:2.3:a:dovecot:dovecot:1.0.2
  • cpe:2.3:a:dovecot:dovecot:1.0.3
    cpe:2.3:a:dovecot:dovecot:1.0.3
  • cpe:2.3:a:dovecot:dovecot:1.0.4
    cpe:2.3:a:dovecot:dovecot:1.0.4
  • cpe:2.3:a:dovecot:dovecot:1.0.5
    cpe:2.3:a:dovecot:dovecot:1.0.5
  • cpe:2.3:a:dovecot:dovecot:1.0.6
    cpe:2.3:a:dovecot:dovecot:1.0.6
  • cpe:2.3:a:dovecot:dovecot:1.0.7
    cpe:2.3:a:dovecot:dovecot:1.0.7
  • cpe:2.3:a:dovecot:dovecot:1.0.8
    cpe:2.3:a:dovecot:dovecot:1.0.8
  • cpe:2.3:a:dovecot:dovecot:1.0.9
    cpe:2.3:a:dovecot:dovecot:1.0.9
  • cpe:2.3:a:dovecot:dovecot:1.0.10
    cpe:2.3:a:dovecot:dovecot:1.0.10
  • cpe:2.3:a:dovecot:dovecot:1.0.beta2
    cpe:2.3:a:dovecot:dovecot:1.0.beta2
  • cpe:2.3:a:dovecot:dovecot:1.0.beta3
    cpe:2.3:a:dovecot:dovecot:1.0.beta3
  • cpe:2.3:a:dovecot:dovecot:1.0.beta7
    cpe:2.3:a:dovecot:dovecot:1.0.beta7
  • cpe:2.3:a:dovecot:dovecot:1.0.beta8
    cpe:2.3:a:dovecot:dovecot:1.0.beta8
  • cpe:2.3:a:dovecot:dovecot:1.0.rc1
    cpe:2.3:a:dovecot:dovecot:1.0.rc1
  • cpe:2.3:a:dovecot:dovecot:1.0.rc2
    cpe:2.3:a:dovecot:dovecot:1.0.rc2
  • cpe:2.3:a:dovecot:dovecot:1.0.rc3
    cpe:2.3:a:dovecot:dovecot:1.0.rc3
  • cpe:2.3:a:dovecot:dovecot:1.0.rc4
    cpe:2.3:a:dovecot:dovecot:1.0.rc4
  • cpe:2.3:a:dovecot:dovecot:1.0.rc5
    cpe:2.3:a:dovecot:dovecot:1.0.rc5
  • cpe:2.3:a:dovecot:dovecot:1.0.rc6
    cpe:2.3:a:dovecot:dovecot:1.0.rc6
  • cpe:2.3:a:dovecot:dovecot:1.0.rc7
    cpe:2.3:a:dovecot:dovecot:1.0.rc7
  • cpe:2.3:a:dovecot:dovecot:1.0.rc8
    cpe:2.3:a:dovecot:dovecot:1.0.rc8
  • cpe:2.3:a:dovecot:dovecot:1.0.rc9
    cpe:2.3:a:dovecot:dovecot:1.0.rc9
  • cpe:2.3:a:dovecot:dovecot:1.0.rc10
    cpe:2.3:a:dovecot:dovecot:1.0.rc10
  • cpe:2.3:a:dovecot:dovecot:1.0.rc11
    cpe:2.3:a:dovecot:dovecot:1.0.rc11
  • cpe:2.3:a:dovecot:dovecot:1.0.rc12
    cpe:2.3:a:dovecot:dovecot:1.0.rc12
  • cpe:2.3:a:dovecot:dovecot:1.0.rc13
    cpe:2.3:a:dovecot:dovecot:1.0.rc13
  • cpe:2.3:a:dovecot:dovecot:1.0.rc14
    cpe:2.3:a:dovecot:dovecot:1.0.rc14
  • cpe:2.3:a:dovecot:dovecot:1.0.rc15
    cpe:2.3:a:dovecot:dovecot:1.0.rc15
  • cpe:2.3:a:dovecot:dovecot:1.0_rc29
    cpe:2.3:a:dovecot:dovecot:1.0_rc29
CVSS
Base: 4.4 (as of 07-03-2008 - 10:12)
CWE CWE-16
Access
  • Vector LOCAL
  • Complexity MEDIUM
  • Authentication NONE
Impact
  • Confidentiality PARTIAL
  • Integrity PARTIAL
  • Availability PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_DOVECOT-5647.NASL
    description When configured with 'mail_extra_groups' dovecot potentially allowed users to read mail boxes of other users. This is not the case in the default configuration on openSUSE (CVE-2008-1199). By using tab characters in passwords remote attackers could potentially acquire unauthorized access (CVE-2008-1218). Flaws in caching LDAP data could lead to users getting logged in with the wrong account (CVE-2007-6598).
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 34320
    published 2008-10-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34320
    title openSUSE 10 Security Update : dovecot (dovecot-5647)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20080521_DOVECOT_ON_SL5_X.NASL
    description A flaw was discovered in the way Dovecot handled the 'mail_extra_groups' option. An authenticated attacker with local shell access could leverage this flaw to read, modify, or delete other users mail that is stored on the mail server. (CVE-2008-1199) This issue did not affect the default Red Hat Enterprise Linux 5 Dovecot configuration. This update adds two new configuration options -- 'mail_privileged_group' and 'mail_access_groups' -- to minimize the usage of additional privileges. A directory traversal flaw was discovered in Dovecot's zlib plug-in. An authenticated user could use this flaw to view other compressed mailboxes with the permissions of the Dovecot process. (CVE-2007-2231) A flaw was found in the Dovecot ACL plug-in. User with only insert permissions for a mailbox could use the 'COPY' and 'APPEND' commands to set additional message flags. (CVE-2007-4211) A flaw was found in a way Dovecot cached LDAP query results in certain configurations. This could possibly allow authenticated users to log in as a different user who has the same password. (CVE-2007-6598) As well, this updated package fixes the following bugs : - configuring 'userdb' and 'passdb' to use LDAP caused Dovecot to hang. A segmentation fault may have occurred. In this updated package, using an LDAP backend for 'userdb' and 'passdb' no longer causes Dovecot to hang. - the Dovecot 'login_process_size' limit was configured for 32-bit systems. On 64-bit systems, when Dovecot was configured to use either IMAP or POP3, the log in processes crashed with out-of-memory errors. Errors such as the following were logged : pop3-login: pop3-login: error while loading shared libraries: libsepol.so.1: failed to map segment from shared object: Cannot allocate memory In this updated package, the 'login_process_size' limit is correctly configured on 64-bit systems, which resolves this issue. Note: this updated package upgrades dovecot to version 1.0.7. 
    For further details, refer to the Dovecot changelog: http://koji.fedoraproject.org/koji/buildinfo?buildID=23397
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60404
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60404
    title Scientific Linux Security Update : dovecot on SL5.x i386/x86_64
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2008-2464.NASL
    description This update upgrades dovecot from version 1.0.10 to 1.0.13. Besides bug fixes, two security issues were fixed upstream in version 1.0.11 and 1.0.13. CVE-2008-1199 If Dovecot was configured with mail_extra_groups = mail, users having shell access to IMAP server could use this flaw to read, modify or delete mails of other users stored in inbox files in /var/mail. /var/mail directory is mail-group writable and user inbox files are by default created by useradd with permission 660, :mail. No mail_extra_groups is set by default, hence default Fedora configuration was not affected by this problem. If your configuration sets mail_extra_groups, see new options mail_privileged_group and mail_access_groups introduced in Dovecot 1.0.11. (mail_extra_groups is still accepted, but is deprecated now) CVE-2008-1218 On Dovecot versions 1.0.11 and newer, it was possible to gain password-less login via passwords with tab characters, which were not filtered properly. Dovecot versions in Fedora were not affected by this unauthorized login flaw, but only by a related minor memory leak in dovecot-auth worker process. See referenced bugzilla for further details about this flaw. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 31434
    published 2008-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31434
    title Fedora 8 : dovecot-1.0.13-6.fc8 (2008-2464)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200803-25.NASL
    description The remote host is affected by the vulnerability described in GLSA-200803-25 (Dovecot: Multiple vulnerabilities) Dovecot uses the group configured via the 'mail_extra_groups' setting, which should be used to create lockfiles in the /var/mail directory, when accessing arbitrary files (CVE-2008-1199). Dovecot does not escape TAB characters in passwords when saving them, which might allow for argument injection in blocking passdbs such as MySQL, PAM or shadow (CVE-2008-1218). Impact : Remote attackers can exploit the first vulnerability to disclose sensitive data, such as the mail of other users, or modify files or directories that are writable by group via a symlink attack. Please note that the 'mail_extra_groups' setting is set to the 'mail' group by default when the 'mbox' USE flag is enabled. The second vulnerability can be abused to inject arguments for internal fields. No exploitation vectors are known for this vulnerability that affect previously stable versions of Dovecot in Gentoo. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 31612
    published 2008-03-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31612
    title GLSA-200803-25 : Dovecot: Multiple vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2008-2475.NASL
    description This update upgrades dovecot from version 1.0.10 to 1.0.13. Besides bug fixes, two security issues were fixed upstream in version 1.0.11 and 1.0.13. CVE-2008-1199 If Dovecot was configured with mail_extra_groups = mail, users having shell access to IMAP server could use this flaw to read, modify or delete mails of other users stored in inbox files in /var/mail. /var/mail directory is mail-group writable and user inbox files are by default created by useradd with permission 660, :mail. No mail_extra_groups is set by default, hence default Fedora configuration was not affected by this problem. If your configuration sets mail_extra_groups, see new options mail_privileged_group and mail_access_groups introduced in Dovecot 1.0.11. (mail_extra_groups is still accepted, but is deprecated now) CVE-2008-1218 On Dovecot versions 1.0.11 and newer, it was possible to gain password-less login via passwords with tab characters, which were not filtered properly. Dovecot versions in Fedora were not affected by this unauthorized login flaw, but only by a related minor memory leak in dovecot-auth worker process. See referenced bugzilla for further details about this flaw. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 31436
    published 2008-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31436
    title Fedora 7 : dovecot-1.0.13-18.fc7 (2008-2475)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0297.NASL
    description An updated dovecot package that fixes several security issues and various bugs is now available for Red Hat Enterprise Linux 5. This update has been rated as having low security impact by the Red Hat Security Response Team. Dovecot is an IMAP server for Linux and UNIX-like systems, primarily written with security in mind. A flaw was discovered in the way Dovecot handled the 'mail_extra_groups' option. An authenticated attacker with local shell access could leverage this flaw to read, modify, or delete other users mail that is stored on the mail server. (CVE-2008-1199) This issue did not affect the default Red Hat Enterprise Linux 5 Dovecot configuration. This update adds two new configuration options -- 'mail_privileged_group' and 'mail_access_groups' -- to minimize the usage of additional privileges. A directory traversal flaw was discovered in Dovecot's zlib plug-in. An authenticated user could use this flaw to view other compressed mailboxes with the permissions of the Dovecot process. (CVE-2007-2231) A flaw was found in the Dovecot ACL plug-in. User with only insert permissions for a mailbox could use the 'COPY' and 'APPEND' commands to set additional message flags. (CVE-2007-4211) A flaw was found in a way Dovecot cached LDAP query results in certain configurations. This could possibly allow authenticated users to log in as a different user who has the same password. (CVE-2007-6598) As well, this updated package fixes the following bugs : * configuring 'userdb' and 'passdb' to use LDAP caused Dovecot to hang. A segmentation fault may have occurred. In this updated package, using an LDAP backend for 'userdb' and 'passdb' no longer causes Dovecot to hang. * the Dovecot 'login_process_size' limit was configured for 32-bit systems. On 64-bit systems, when Dovecot was configured to use either IMAP or POP3, the log in processes crashed with out-of-memory errors. 
    Errors such as the following were logged : pop3-login: pop3-login: error while loading shared libraries: libsepol.so.1: failed to map segment from shared object: Cannot allocate memory In this updated package, the 'login_process_size' limit is correctly configured on 64-bit systems, which resolves this issue. Note: this updated package upgrades dovecot to version 1.0.7. For further details, refer to the Dovecot changelog: http://koji.fedoraproject.org/koji/buildinfo?buildID=23397 Users of dovecot are advised to upgrade to this updated package, which resolves these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 32423
    published 2008-05-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=32423
    title RHEL 5 : dovecot (RHSA-2008:0297)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-593-1.NASL
    description It was discovered that the default configuration of dovecot could allow access to any email files with group 'mail' without verifying that a user had valid rights. An attacker able to create symlinks in their mail directory could exploit this to read or delete another user's email. (CVE-2008-1199) By default, dovecot passed special characters to the underlying authentication systems. While Ubuntu releases of dovecot are not known to be vulnerable, the authentication routine was proactively improved to avoid potential future problems. (CVE-2008-1218). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 31701
    published 2008-03-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31701
    title Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : dovecot vulnerabilities (USN-593-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1516.NASL
    description Prior to this update, the default configuration for Dovecot used by Debian runs the server daemons with group mail privileges. This means that users with write access to their mail directory on the server (for example, through an SSH login) could read and also delete via a symbolic link mailboxes owned by other users for which they do not have direct access (CVE-2008-1199). In addition, an internal interpretation conflict in password handling has been addressed proactively, even though it is not known to be exploitable (CVE-2008-1218). Note that applying this update requires manual action: The configuration setting 'mail_extra_groups = mail' has been replaced with 'mail_privileged_group = mail'. The update will show a configuration file conflict in /etc/dovecot/dovecot.conf. It is recommended that you keep the currently installed configuration file, and change the affected line. For your reference, the sample configuration (without your local changes) will have been written to /etc/dovecot/dovecot.conf.dpkg-new. If your current configuration uses mail_extra_groups with a value different from 'mail', you may have to resort to the mail_access_groups configuration directive.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 31587
    published 2008-03-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31587
    title Debian DSA-1516-1 : dovecot - privilege escalation
oval via4
accepted 2013-04-29T04:08:15.128-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.
family unix
id oval:org.mitre.oval:def:10739
status accepted
submitted 2010-07-09T03:56:16-04:00
title Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.
version 19
redhat via4
advisories
bugzilla
id 436927
title CVE-2008-1199 dovecot: insecure mail_extra_groups option
oval
AND
  • comment Red Hat Enterprise Linux 5 is installed
    oval oval:com.redhat.rhsa:tst:20070055001
  • comment dovecot is earlier than 0:1.0.7-2.el5
    oval oval:com.redhat.rhsa:tst:20080297002
  • comment dovecot is signed with Red Hat redhatrelease key
    oval oval:com.redhat.rhsa:tst:20080297003
rhsa
id RHSA-2008:0297
released 2008-05-20
severity Low
title RHSA-2008:0297: dovecot security and bug fix update (Low)
rpms dovecot-0:1.0.7-2.el5
refmap via4
bid 28092
bugtraq 20080304 Dovecot mail_extra_groups setting is often used insecurely
debian DSA-1516
fedora
  • FEDORA-2008-2464
  • FEDORA-2008-2475
gentoo GLSA-200803-25
mlist [Dovecot-news] 20080504 v1.0.11 released
secunia
  • 29226
  • 29385
  • 29396
  • 29557
  • 30342
  • 32151
suse SUSE-SR:2008:020
ubuntu USN-593-1
xf dovecot-mailextragroups-unauth-access(41009)
statements via4
contributor Joshua Bressers
lastmodified 2008-05-21
organization Red Hat
statement Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1199 This issue does not affect the default configuration of Dovecot as shipped in Red Hat Enterprise Linux. The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw. An update to Red Hat Enterprise Linux 5 was released to correct this issue: https://rhn.redhat.com/errata/RHSA-2008-0297.html
Last major update 21-08-2010 - 01:17
Published 06-03-2008 - 16:44
Last modified 11-10-2018 - 16:30