On April 30th we received notice from Pablo A. Zurro on behalf of Core Security that they found two vulnerabilities in CipherMail Gateway and Webmail Messenger. We subsequently found a third vulnerability that was related to weak Diffie-Hellman parameters. These issues have now been resolved. This blog article will provide some background information about the vulnerabilities.
Postfix main configuration
The first vulnerability involves the MTA configuration page. The CipherMail software allows an administrator to change the MTA configuration. Specifically, the administrator can change the Postfix main configuration file (main.cf). Postfix supports numerous settings in its configuration files. The CipherMail software makes it easy to configure the most important settings, like relay domains. These settings are validated before being applied.
In a more advanced setup, it might be desirable to change additional settings that are not covered by this system. To support this, the software provides a configuration page where the raw Postfix configuration file can be edited. This gives the administrator full control over the Postfix installation.
The vulnerability reported by Core Security is that an administrator can add settings to the Postfix configuration file that cause a command of the administrator's choosing to run as root once Postfix reloads the configuration. This elevates the administrator from having access to the web interface only, to having full root access to the whole system. You can read the Core Security advisory for a more detailed explanation.
The fix
Fixing this vulnerability requires that only settings considered safe can be changed from the web interface. We added a variable, allowed_settings, to the script responsible for updating the Postfix configuration file; it lists every setting an administrator may change. Any change to a setting that is not on the list results in an error and the configuration is not applied. The downside of this fix is that an administrator can no longer edit an unlisted setting from the web interface; all Postfix settings remain editable from the command line. The list has to be curated conservatively: a setting that names a program, or a directory from which Postfix starts programs, must not be on it, because that is exactly what turns a configuration edit into code execution as root.
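One way to implement such an allowlist check, as an added example that is not CipherMail's postfix-main-config.sh (whose allowed_settings list is not reproduced here): the script flattens the current and the proposed main.cf into one setting per line, so that comments, continuation lines and whitespace do not count as changes, and refuses the edit if any setting outside the allowlist was added, removed or changed. The allowlist, the function names and the sample main.cf are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not CipherMail's postfix-main-config.sh: accept a proposed
# main.cf only if every setting it adds, removes or changes is on an allowlist.
# The allowlist here is illustrative; which settings are safe is the
# product's decision, not this example's.
ALLOWED_SETTINGS="myhostname mydomain mydestination relay_domains relayhost message_size_limit smtpd_banner"

# Print a main.cf as "name<TAB>value", one setting per line. Comments and blank
# lines are dropped, continuation lines (leading whitespace) are joined, and
# runs of whitespace are collapsed so a cosmetic edit does not count as a change.
flatten_main_cf() {
    awk '
        function emit() {
            if (name == "") return
            gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val)
            print name "\t" val
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { val = val " " $0; next }
        {
            emit()
            eq = index($0, "=")
            if (eq == 0) { print "not a name = value line: " $0 > "/dev/stderr"; exit 2 }
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            val = substr($0, eq + 1)
        }
        END { emit() }
    ' "$1"
}

# usage: check_main_cf_edit CURRENT PROPOSED
# Prints one "refused:" line per unlisted setting that differs between the two
# files; returns 0 only when the edit is confined to allowed settings.
check_main_cf_edit() {
    old=$(mktemp) && new=$(mktemp) || return 2
    if ! flatten_main_cf "$1" > "$old" || ! flatten_main_cf "$2" > "$new"; then
        rm -f "$old" "$new"; return 2
    fi
    awk -F'\t' -v allowed="$ALLOWED_SETTINGS" -v oldfile="$old" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        FILENAME == oldfile { oldv[$1] = $2; next }
        { newv[$1] = $2 }
        END {
            for (k in newv)
                if (!(k in ok) && (!(k in oldv) || oldv[k] != newv[k])) {
                    print "refused: " k " was added or changed but is not an allowed setting"; bad = 1
                }
            for (k in oldv)
                if (!(k in ok) && !(k in newv)) {
                    print "refused: " k " was removed but is not an allowed setting"; bad = 1
                }
            exit bad
        }' "$old" "$new"
    rc=$?
    rm -f "$old" "$new"
    return $rc
}

# Constructed sample files (not a real CipherMail main.cf).
demo=$(mktemp -d)
cat > "$demo/current.cf" <<'EOF'
# Postfix main.cf (constructed sample)
myhostname = mail.example.com
mydestination = $myhostname, localhost.$mydomain,
    localhost
relay_domains = example.com
inet_interfaces = all
EOF
# allowed-edit changes a listed setting, refused-edit an unlisted one
sed 's/^relay_domains = .*/relay_domains = example.com, example.net/' "$demo/current.cf" > "$demo/allowed-edit.cf"
sed 's/^inet_interfaces = .*/inet_interfaces = loopback-only/' "$demo/current.cf" > "$demo/refused-edit.cf"
for f in allowed-edit refused-edit; do
    if check_main_cf_edit "$demo/current.cf" "$demo/$f.cf"; then
        echo "$f: accepted"
    else
        echo "$f: rejected"
    fi
done
rm -rf "$demo"
```

Comparing flattened values rather than raw lines is what makes the check usable in practice: an administrator who reindents or re-wraps a long mydestination line must not be refused, while a real change to an unlisted setting must be, whichever way it is written.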
This vulnerability has been fixed in CipherMail Gateway 4.8 and Webmail Messenger 3.2. We provide a patch for older releases which will only update the postfix-main-config.sh script file, mitigating the issue. See below for instructions on how to apply this patch.
Backup and restore
The second vulnerability involves the restore functionality from the backup/restore page. The backup/restore functionality in the CipherMail software allows an administrator to create a backup of all the relevant settings. The system can then be restored on the same system or on a different system.
The software stores most settings in a relational database. When creating a system backup, the complete database is dumped to an SQL file. When restoring the backup, the SQL file is passed to the mysql command which will then restore the database.
Additional non-SQL commands
It turns out that the mysql command line client interprets a number of commands that are not SQL. One of them is the "system" command (short form "\!"), which runs a shell command. If the SQL import file contains such a line, mysql executes the command as the user account that invoked mysql, which is the "djigzo" user on CipherMail systems.
The vulnerability is that an administrator can create a backup, modify the SQL file and then restore the modified backup, which will cause the djigzo user to execute any system commands present in the SQL file.
Signing the backup file?
One possible solution would be to verify that the backup file has not been modified. This requires that the backup file is digitally signed. While this initially sounds like a good solution, it will not work with a software based appliance. If an administrator can get hold of the signing key, the administrator can use the signing key to re-sign a modified backup. With a software based appliance, it is impossible to protect the signing key.
Parsing the SQL dump?
Another option would be to parse the SQL file and strip the dangerous commands. This requires a parser that knows which commands are safe and which are not. Writing such a parser safely is hard, and it silently becomes incomplete when a newer MariaDB client introduces client commands it does not know about. Even if the SQL file could be validated and the dangerous commands removed, the additional files in the backup pose the same problem.
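The kind of scan the paragraph above argues against relying on, as an added example that is not CipherMail's code: it flags lines of an SQL dump that look like mysql client commands which run programs or touch files. It is useful as a sanity check before someone restores a backup from the command line, but it is deliberately conservative (false positives are accepted) and the command list is only what the author of this example knows of, which is precisely why it is not a fix. The sample dump is constructed for the example.

```sh
#!/bin/sh
# Added example, not CipherMail's code: a conservative scan of an SQL dump for
# mysql client commands that run programs or touch files. The list below is
# what the author of this example knows of (system/\!, source/\., tee/\T,
# pager/\P, edit/\e); it is not claimed to be complete, which is the problem
# the text describes.

# usage: scan_sql_dump FILE
# Prints "FILE:LINE: text" for every suspicious line; returns 1 if any was found.
scan_sql_dump() {
    awk '
        {
            # long forms are recognised as the first word of a line and are
            # case-insensitive; short forms are case-sensitive and are matched
            # anywhere on the line, since the client does not require them to
            # start a line (this also catches "select 1;\! id")
            first = tolower($1)
            if (first ~ /^(system|source|tee|pager|edit)$/ || $0 ~ /\\[!.TPe]/) {
                printf "%s:%d: %s\n", FILENAME, FNR, $0
                hits++
            }
        }
        END { exit (hits > 0 ? 1 : 0) }
    ' "$1"
}

# Constructed sample dump (not a real CipherMail backup): a mysqldump-style
# file into which two client commands have been inserted.
demo=$(mktemp -d)
cat > "$demo/tampered.sql" <<'EOF'
-- MariaDB dump (constructed sample)
DROP TABLE IF EXISTS `settings`;
CREATE TABLE `settings` (`name` varchar(64), `value` text);
INSERT INTO `settings` VALUES ('relay_domains','example.com');
system id > /tmp/restored-as-djigzo
INSERT INTO `settings` VALUES ('myhostname','mail.example.com');
\! cat /etc/passwd
EOF
if scan_sql_dump "$demo/tampered.sql"; then
    echo "no client commands found"
else
    echo "refusing to restore: client commands found"
fi
rm -rf "$demo"
```

Run it as "scan_sql_dump backup.sql" before feeding a dump to mysql; a non-zero exit means at least one line was flagged. A dump that legitimately contains a backslash followed by one of the listed letters inside a string value will be flagged too, which is the acceptable side of the trade-off.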
Additional backup files
Besides the SQL file, the backup file contains additional configuration files. One such configuration file is the Postfix main configuration file (main.cf). As discussed above, the Postfix configuration file supports settings that can result in code execution. If the administrator modifies the backup and changes the Postfix configuration file, the injected commands will be executed.
One approach would be to validate the Postfix configuration file in the backup and reject settings that are considered unsafe. The problem is that an administrator may have added such a setting from the command line because of a legitimate requirement; once a backup is created, it can then no longer be restored because it contains an unsafe setting. And even if that were solved, other configuration files in the backup might raise similar issues. We therefore consider the restore vulnerability a privilege escalation issue: a logged in administrator is inadvertently capable of running commands as the system root user.
The fix
There are two possible options: require an additional system password when executing the restore functionality from the web interface, or only allow restores from the command line.
Additional system password
The first solution is to require an additional system password when restoring from the web interface. This is the password of the command line user, by default the "sa" user. Restoring therefore requires a credential that already grants command line access to the system, so it no longer escalates privileges.
Disable restore from the GUI
The second solution is to completely remove the restore functionality from the web interface. Restores can now only be done from the command line.
For CipherMail Gateway 4.8 and Webmail Messenger 3.2 we opted for the first solution, i.e., the password of the "sa" user must be entered when restoring. For older releases we opted for the second solution, i.e., the restore functionality is disabled in the web interface. A patch for older releases is now available. See below for instructions on how to apply this patch.
Check your backups
With both solutions, an administrator can still restore a rogue backup, but now only with the credentials of a user who already has system privileges. Any backup system that backs up system files is open to backup manipulation in this way. Backup files should therefore only be restored when they come from a trusted source and have not been tampered with. A practical check is to record a checksum of each backup out of band, on a system other than the gateway, when the backup is created, and to compare it before restoring.
Weak Diffie-Hellman keys
The third vulnerability, found by our system administrator Imre Jonk, is that the default Postfix configuration uses weak Diffie-Hellman parameters. Postfix uses 1024-bit DH parameters by default, and 1024-bit finite-field DH is now considered too weak.
Whether 1024-bit DH parameters are a practical weakness for a specific setup depends on whether TLS is mandatory. With the default CipherMail configuration TLS is opportunistic: if the peer of an incoming or outgoing SMTP connection does not support TLS, the email is transmitted without TLS, so an attacker who could break the key exchange could just as well have stripped STARTTLS. If TLS is mandatory, for example because DANE is in use, and the connection negotiates a Diffie-Hellman key exchange, then the 1024-bit group becomes the weakest link in the protection of the session.
Stronger DH parameters are now configured in CipherMail Gateway 4.8 and Webmail Messenger 3.2. For older releases we provide a patch which will configure stronger DH parameters.
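How stronger parameters are installed on a Postfix system, as an added example that is not the CipherMail patch: it assumes Postfix reads the DH group from the file named by smtpd_tls_dh1024_param_file (the parameter name is historical; the file may hold a larger group) and that openssl, postconf and postfix are on the path. It goes one step beyond the text with dh_pem_bits, a pure sh/awk check of the prime size in a PEM "DH PARAMETERS" file that does not depend on openssl and can be used to double-check what openssl dhparam -text reports. The PEM files it is demonstrated on are constructed with a dummy prime for the size check only and are not usable as DH parameters.

```sh
#!/bin/sh
# Added example, not CipherMail's patch: replace the Postfix 1024-bit default
# DH group with a 2048-bit one and verify the size of the installed file.
# Assumptions: Postfix reads the group from the file named by
# smtpd_tls_dh1024_param_file, and openssl(1), postconf(1) and postfix(1)
# are on PATH.

DH_FILE=/etc/postfix/dh2048.pem

# Generate a fresh 2048-bit group, point Postfix at it and reload. Generation
# can take a minute or more; do it once, not on every reload.
install_dh_params() {
    openssl dhparam -out "$DH_FILE" 2048 || return 1
    chmod 644 "$DH_FILE"
    postconf -e "smtpd_tls_dh1024_param_file = $DH_FILE" || return 1
    postfix reload
}

# Print the size in bits of the prime in a PEM "DH PARAMETERS" file by reading
# the DER length of the first INTEGER of the SEQUENCE. Returns 1 if the file
# does not parse as DH parameters.
dh_pem_bits() {
    sed -n '/^-----BEGIN DH PARAMETERS-----$/,/^-----END DH PARAMETERS-----$/p' "$1" |
    grep -v '^-----' | tr -d '\r\n' | base64 -d 2>/dev/null | od -An -v -tu1 |
    awk '
        { for (i = 1; i <= NF; i++) b[n++] = $i }
        END {
            if (n < 8 || b[0] != 48) exit 1                      # 0x30: SEQUENCE
            p = 1
            if (b[p] < 128) { p++ } else { p += b[p] - 128 + 1 } # skip SEQUENCE length
            if (b[p] != 2) exit 1                                # 0x02: INTEGER, the prime
            p++
            if (b[p] < 128) { len = b[p]; p++ }
            else { k = b[p] - 128; p++; len = 0; for (i = 0; i < k; i++) len = len * 256 + b[p++] }
            while (len > 0 && b[p] == 0) { p++; len-- }          # DER pads a positive integer with 0x00
            if (len == 0 || p + len > n) exit 1
            top = b[p]; tb = 0
            while (top > 0) { top = int(top / 2); tb++ }         # bit length of the top byte
            print 8 * (len - 1) + tb
        }'
}

# Constructed sample for the size check only: correct DER shape, dummy prime
# made of 0xff bytes. NOT usable as real DH parameters.
# usage: make_fake_dh_pem BITS OUTFILE   (BITS is 1024 or 2048)
make_fake_dh_pem() {
    {
        if [ "$1" -eq 2048 ]; then
            printf '\060\202\001\010\002\202\001\001\000\377'   # SEQUENCE(264) INTEGER(257) 00 ff
            head -c 255 /dev/zero | tr '\000' '\377'
        else
            printf '\060\201\207\002\201\201\000\377'           # SEQUENCE(135) INTEGER(129) 00 ff
            head -c 127 /dev/zero | tr '\000' '\377'
        fi
        printf '\002\001\002'                                   # INTEGER g = 2
    } | base64 | { echo '-----BEGIN DH PARAMETERS-----'; cat; echo '-----END DH PARAMETERS-----'; } > "$2"
}

d=$(mktemp -d)
make_fake_dh_pem 1024 "$d/weak.pem"
make_fake_dh_pem 2048 "$d/strong.pem"
for f in weak strong; do
    echo "$f.pem: $(dh_pem_bits "$d/$f.pem") bits"
done
rm -rf "$d"
```

On a live system, run install_dh_params once as root and then confirm with dh_pem_bits "$DH_FILE" (or openssl dhparam -in "$DH_FILE" -text -noout) that the installed group is 2048 bits; a reload is what makes smtpd pick up the new file.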
Should I update or patch?
Whether you need to act depends on your use case. The first two issues only let an already authenticated administrator escalate to root. If you are that administrator and you are in full control of the gateway, i.e., you can log in to the command line interface and issue commands as root, they give you nothing you do not already have, so you are most likely not affected by them. This reasoning does not apply to the weak DH parameters, which concern every installation where TLS is mandatory. If you want the issues fixed without upgrading, you can run the patch instead of updating to a newer release; running the patch is easier than updating.
Patch instructions for older releases
For the CipherMail Gateway:
- Download ciphermail-gateway-cve-2020-12713.patch.run
- Make the file executable:
  $ chmod +x ciphermail-gateway-cve-2020-12713.patch.run
- Execute the patch:
  $ sudo ./ciphermail-gateway-cve-2020-12713.patch.run
- The patch asks, for each vulnerability, whether it should be fixed; answer "yes" for each issue you want to fix.
For CipherMail Webmail Messenger:
- Download ciphermail-webmail-cve-2020-12713.patch.run
- Make the file executable:
  $ chmod +x ciphermail-webmail-cve-2020-12713.patch.run
- Execute the patch:
  $ sudo ./ciphermail-webmail-cve-2020-12713.patch.run
- The patch asks, for each vulnerability, whether it should be fixed; answer "yes" for each issue you want to fix.
Support
Customers with a support contract who have additional questions or need help fixing the issues, either by running the patch or by updating, can Contact Us.
Credits
We would like to thank Pablo A. Zurro from Core Security for reporting the privilege escalation issues ethically.