WARNING - Fetchmail security update to all branches, update ASAP #1354

Closed
kaiyou opened this issue Feb 8, 2020 · 1 comment
Labels
priority/p0 Critical bug without workaround / Must have type/security Related to security

Comments


kaiyou commented Feb 8, 2020

On 02/07, we discovered a bug in the Fetchmail script for Mailu that has serious security consequences. If you are using the fetchmail container for Mailu (which is optional), please apply the following instructions as soon as possible.

The vulnerability requires authenticated access for exploitation, so patching is even more urgent if you have open registrations or untrusted users on your Mailu server.

Feel free to ask any question or start any discussion on the following comment thread: #1355

Please spread the word and relay links to this issue to any channel you find appropriate.

Special thanks to @sholl for finding the bug in the first place and @Nebukadneza for confirming the issue and preparing the fix.

Instructions

  1. Before anything else, make sure that you can access your container logs, and create a backup if you are using the default logging driver, as the update may overwrite these logs and make post-analysis more difficult.
  2. Then apply one of the following mitigations.

     A. If running on 1.5, 1.6, 1.7 or master, update the fetchmail container: docker-compose pull fetchmail; docker-compose up -d (if you have automatic watchtower updates or equivalent, you should already be safe)

     B. If running on another version, upgrade at least to 1.5, if possible to 1.7

     C. In case you need time before updating the container or upgrading Mailu, disable the fetchmail service: docker-compose stop fetchmail (then comment out the fetchmail section from the compose file to avoid any later mistake)

     D. If you need a few hours to think this over and you are exposed (open registrations or untrusted users), bring your Mailu stack down for the time being: docker-compose stop

  3. Check that your setup is up to date by displaying the image identifier for your fetchmail container, then checking that the image was built after 02.07.

  4. If you suspect any exploitation might have taken place, bring Mailu down, modify the SECRET_KEY with a new 16-byte random value, then bring Mailu back up (this has the side effect of disconnecting most users). Change your password for every fetched account configured on your Mailu instance, or have users change them.

  5. If you suspect any exploitation might have taken place, inspect your logs and database for any application tokens that might be illegitimate or recently modified accounts that could indicate an illegitimate password change (which could both be consequences of a successful exploit). Take action accordingly, and feel free to ask any question on the discussion thread.

Timeline

02/07/2020: vulnerability reported and confirmed
02/07/2020: patch published to branches 1.5 to master
02/08/2020: advisory published

Details

We will update this post in the next few days with details about the discovery, analysis and fix for this vulnerability. We will possibly request a CVE identifier for this, given the serious impact, so that visibility is maximum and Mailu administrators upgrade quickly. The current estimated CVSS is over 8.

We will also provide plausible exploitation markers (additional to instructions in steps 4 and 5), although we did not find anything suspicious on any of three Mailu instances we manage that have open registration.
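
Added example for steps 3 and 4 of the instructions above; this is editor-written helper code, not something from the Mailu project or the issue author. It assumes the compose service is named `fetchmail` (as in the instructions), that `docker` and `docker-compose` are on PATH for the live check, and that `/dev/urandom` is available for generating the replacement SECRET_KEY.

```shell
#!/bin/sh
# Added example, not Mailu project code: helpers for advisory steps 3 and 4.
# Assumes the compose service is called "fetchmail" and that docker and
# docker-compose are on PATH when the live check is requested with --live.
set -eu

PATCH_DAY="2020-02-07"   # day the fix landed on branches 1.5 .. master

# Return 0 when an RFC 3339 "Created" timestamp (as printed by docker inspect)
# falls strictly after the patch day, i.e. the image can contain the fix.
image_built_after() {
    created="$1"
    cutoff="${2:-$PATCH_DAY}"
    # Compare the date part as an integer YYYYMMDD; avoids locale-dependent date(1).
    built="$(printf '%s' "$created" | cut -c1-10 | sed 's/-//g')"
    limit="$(printf '%s' "$cutoff" | sed 's/-//g')"
    [ "$built" -gt "$limit" ]
}

# Produce a fresh 16-byte random SECRET_KEY, hex encoded (32 characters),
# to replace the old value in mailu.env when exploitation is suspected.
new_secret_key() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Live check: resolve the image behind the running fetchmail container and
# report whether it was built after the fix (step 3 of the advisory).
check_running_fetchmail() {
    cid="$(docker-compose ps -q fetchmail)"
    [ -n "$cid" ] || { echo "no fetchmail container found (service disabled?)"; return 2; }
    img="$(docker inspect --format '{{.Image}}' "$cid")"
    created="$(docker inspect --format '{{.Created}}' "$img")"
    if image_built_after "$created"; then
        echo "OK: fetchmail image $img built $created (after $PATCH_DAY)"
    else
        echo "VULNERABLE: image $img built $created; run: docker-compose pull fetchmail; docker-compose up -d"
        return 1
    fi
}

if [ "${1:-}" = "--live" ]; then
    check_running_fetchmail
    echo "new SECRET_KEY candidate: $(new_secret_key)"
fi
```

Run it as `sh check-fetchmail.sh --live` on the host running the compose stack; a non-zero exit means the fetchmail image predates the fix.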

@hoellen hoellen pinned this issue Feb 8, 2020
@kaiyou kaiyou added priority/p0 Critical bug without workaround / Must have type/security Related to security labels Feb 8, 2020
@Mailu Mailu locked as too heated and limited conversation to collaborators Feb 8, 2020
@kaiyou kaiyou unpinned this issue Apr 21, 2020

Diman0 commented Sep 25, 2020

Closing the issue since it has been a couple of months now and the issue is patched for version 1.5 and higher.

@Diman0 Diman0 closed this as completed Sep 25, 2020