On 02/07, we discovered a bug in the Fetchmail script for Mailu that has serious security consequences. If you are using the fetchmail container for Mailu (which is optional), please apply the following instructions as soon as possible.
The vulnerability requires authenticated access for exploitation, so patching is even more urgent if you have open registrations or untrusted users on your Mailu server.
Feel free to ask any question or start any discussion on the following comment thread: #1355
Please spread the word and relay links to this issue to any channel you find appropriate.
Special thanks to @sholl for finding the bug in the first place and @Nebukadneza for confirming the issue and preparing the fix.
Instructions
1. Before anything else, make sure that you can access your container logs, and create a backup if you are using the default logging driver, as the update may overwrite these logs and make post-analysis more difficult.
2. Then apply one of the following mitigations.
A. If running on 1.5, 1.6, 1.7 or master, update the fetchmail container: docker-compose pull fetchmail; docker-compose up -d (if you have automatic watchtower updates or equivalent, you should already be safe)
B. If running on another version, upgrade at least to 1.5, if possible to 1.7
C. In case you need time before updating the container or upgrading Mailu, disable the fetchmail service: docker-compose stop fetchmail (then comment out the fetchmail section from the compose file to avoid any later mistake)
D. If you need a few hours to think this over and you are exposed (open registrations or untrusted users), bring your Mailu stack down for the time being: docker-compose stop
3. Check that your setup is up to date by displaying the image identifier for your fetchmail container, then checking that the image was built after 02.07.
4. If you suspect any exploitation might have taken place, bring Mailu down, change the SECRET_KEY to a new 16-byte random value, then bring Mailu back up (this has the side effect of disconnecting most users). Change your password for every fetched account configured on your Mailu instance, or have users change them.
5. If you suspect any exploitation might have taken place, inspect your logs and database for any application tokens that might be illegitimate, or for recently modified accounts that could indicate an illegitimate password change (both could be consequences of a successful exploit). Take action accordingly, and feel free to ask any question on the discussion thread.
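The following helper script is an added example and not part of the Mailu advisory or project. It automates the image build-date check from step 3 and the SECRET_KEY generation from step 4; it assumes the compose service is named fetchmail, that docker-compose 1.x and the docker CLI are on the path, and that the image's Created field is an RFC 3339 timestamp as docker image inspect prints it.

```shell
#!/bin/sh
# Added example (not from the Mailu advisory): verification helpers for the
# post-update steps. Assumed: compose service "fetchmail", docker-compose 1.x.
set -eu

# Date of the fix from the advisory; images built on or before it are suspect.
PATCH_DATE="2020-02-07"

# Return 0 if the RFC 3339 timestamp in $1 is strictly after the day in $2
# (YYYY-MM-DD). Zero-padded ISO dates compare correctly as strings.
image_built_after() {
    day=$(printf '%s' "$1" | cut -c1-10)
    expr "$day" \> "$2" >/dev/null
}

# Show the image id backing the fetchmail container and report its build date.
check_fetchmail_image() {
    container=$(docker-compose ps -q fetchmail)
    image=$(docker inspect --format '{{.Image}}' "$container")
    created=$(docker image inspect --format '{{.Created}}' "$image")
    echo "fetchmail image: $image (built $created)"
    if image_built_after "$created" "$PATCH_DATE"; then
        echo "OK: image built after $PATCH_DATE"
    else
        echo "WARNING: image built on or before $PATCH_DATE; pull the patched image" >&2
        return 1
    fi
}

# Produce a replacement SECRET_KEY: 16 random bytes from /dev/urandom,
# hex-encoded to 32 characters. Put the result in mailu.env, then restart.
new_secret_key() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Sanity check for a generated key: exactly 32 lowercase hex characters.
secret_key_ok() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'
}
```

Run check_fetchmail_image from the directory holding your docker-compose.yml; a non-zero exit means the fetchmail image predates the fix.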
Timeline
02/07/2020: vulnerability reported and confirmed
02/07/2020: patch published to branches 1.5 to master
02/08/2020: advisory published
Details
We will update this post in the next few days with details about the discovery, analysis and fix for this vulnerability. We will possibly request a CVE identifier for this, given the serious impact, so that visibility is maximal and Mailu administrators upgrade quickly. The current estimated CVSS is over 8.
We will also provide plausible exploitation markers (in addition to the instructions in steps 4 and 5), although we did not find anything suspicious on any of the three Mailu instances we manage that have open registration.