Impact
A vulnerability has been discovered in mailcow. The vulnerability, allows an attacker to manipulate internal Dovecot variables by using specially crafted passwords during the authentication process.
The issue arises from the behavior of the passwd-verify.lua script, which is responsible during login. Upon a successful login, the script returns a response in the format of "password=", indicating the successful authentication.
By crafting a password with additional key-value pairs appended to it, an attacker can manipulate the returned string and influence the internal behavior of Dovecot. For example, using the password "123 mail_crypt_save_version=0" would cause the passwd-verify.lua script to return the string "password=123 mail_crypt_save_version=0". Consequently, Dovecot will interpret this string and set the internal variables accordingly, leading to unintended consequences.
By changing the password to a specific payload, the vulnerability can be exploited during the login process using the special-crafted password. Successful exploitation could result in unauthorized access to user accounts, bypassing security controls, or other malicious activities.
Patches
Versions including 2023-05a and later
Workarounds
There is NO workaround ! This exploit can be used by any user who can change their password (enabled by default and not changeable within mailcow).
References
https://github.com/VladimirBorisov/CVE_proposal/blob/main/MailcowUserPassword.md
VladimirBorisov Finder
Impact
A vulnerability has been discovered in mailcow. The vulnerability, allows an attacker to manipulate internal Dovecot variables by using specially crafted passwords during the authentication process.
The issue arises from the behavior of the passwd-verify.lua script, which is responsible during login. Upon a successful login, the script returns a response in the format of "password=", indicating the successful authentication.
By crafting a password with additional key-value pairs appended to it, an attacker can manipulate the returned string and influence the internal behavior of Dovecot. For example, using the password "123 mail_crypt_save_version=0" would cause the passwd-verify.lua script to return the string "password=123 mail_crypt_save_version=0". Consequently, Dovecot will interpret this string and set the internal variables accordingly, leading to unintended consequences.
By changing the password to a specific payload, the vulnerability can be exploited during the login process using the special-crafted password. Successful exploitation could result in unauthorized access to user accounts, bypassing security controls, or other malicious activities.
Patches
Versions including 2023-05a and later
Workarounds
There is NO workaround ! This exploit can be used by any user who can change their password (enabled by default and not changeable within mailcow).
References
https://github.com/VladimirBorisov/CVE_proposal/blob/main/MailcowUserPassword.md