SOLVED Dovecot CVE-2019-3814 (cPanel & WHM is unaffected by default)

cPanelMichael

Administrator
Staff member
Hello Everyone,

Dovecot issued the following security advisory earlier today:

CVE-2019-3814: Suitable client certificate can be used to login as other user

This vulnerability is applicable to Dovecot installations with auth_ssl_require_client_cert and auth_ssl_username_from_cert enabled as configuration options as seen in the code block below:

Code:
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes

Both of these options are commented out (disabled) by default in the /etc/dovecot/dovecot.conf file on systems using cPanel & WHM:

Code:
# grep auth_ssl_require_client_cert /etc/dovecot/dovecot.conf
# auth_ssl_require_client_cert=yes in auth section.

# grep auth_ssl_username_from_cert /etc/dovecot/dovecot.conf
# auth_ssl_username_from_cert=yes.

Thus, cPanel & WHM systems are unaffected by this vulnerability unless the Dovecot configuration file was altered to enable the options noted above. The following command will allow you to quickly check if either of these options is enabled on your system:

Code:
doveconf -n | egrep 'auth_ssl_require_client_cert|auth_ssl_username_from_cert'

Here's how the output will look on unaffected systems:

Code:
# doveconf -n | egrep 'auth_ssl_require_client_cert|auth_ssl_username_from_cert'
#

Here's how the output will look on affected systems:

Code:
# doveconf -n | egrep 'auth_ssl_require_client_cert|auth_ssl_username_from_cert'
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes

We're making an effort to publish the updated Dovecot version (2.3.4.1) as part of cPanel & WHM version 78 (case CPANEL-25461). I'll update this thread again once the updated version is published.

Thank you.
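An added example, not part of cPanelMichael's post: a POSIX shell check that reads `doveconf -n` output on stdin and reports whether the CVE-2019-3814 precondition (both options set to yes) holds, so the manual egrep above can be scripted across many servers. The function names and the sample config lines are my own; the check relies on `doveconf -n` printing only non-default settings, so an absent option is treated as Dovecot's default of `no`.

```shell
#!/bin/sh
# Added example, not cPanel's or Dovecot's own code.
# Usage on a live server:  doveconf -n | check_cve_2019_3814
# Exit status 0 = exposed (both options enabled), 1 = not exposed.

# Print the effective value of one setting from doveconf -n output.
# doveconf -n only lists settings that differ from the defaults, so a
# missing line means the default "no" for both options examined here.
dovecot_setting() {
    # $1 = setting name; doveconf output is read from stdin
    awk -v key="$1" '
        $1 == key && $2 == "=" { v = $3 }            # "key = value" lines
        END { print (v == "" ? "no" : v) }'
}

check_cve_2019_3814() {
    conf=$(cat)   # capture stdin once so it can be scanned twice
    require=$(printf '%s\n' "$conf" | dovecot_setting auth_ssl_require_client_cert)
    from_cert=$(printf '%s\n' "$conf" | dovecot_setting auth_ssl_username_from_cert)

    # Dovecot is only vulnerable when BOTH settings are enabled: the client
    # certificate is required AND the login name is taken from it.
    if [ "$require" = "yes" ] && [ "$from_cert" = "yes" ]; then
        echo "EXPOSED: both options enabled; upgrade Dovecot to 2.3.4.1 or later"
        return 0
    fi
    echo "OK: auth_ssl_require_client_cert=$require auth_ssl_username_from_cert=$from_cert"
    return 1
}
```

A system with only one of the two options enabled is reported as OK, matching the advisory's condition that both must be set.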

cPanelMichael

Hello Everyone,

Dovecot version 2.3.4.1 was published today as part of cPanel & WHM version 78.0.10:

[security] Fixed case CPANEL-25461: Update cpanel-dovecot to 2.3.4.1-1 for CVE-2019-3814.

Thank you.