Univention Bugzilla – Bug 41336
Fetchmail passwords are shown in plaintext if searched via UMC
Last modified: 2021-06-23 07:29:12 CEST
Created attachment 7683
Passwords are shown in plain text

UMC shows the fetchmail passwords in plain text in the grid if the admin searches for the fetchmail's password property (see screenshot). It should be sufficient to disable the search for this property/extended attribute.
(In reply to Sönke Schwardt-Krummrich from comment #0)
> Created attachment 7683
> Passwords are shown in plain text
>
> UMC shows the fetchmail passwords in plain text in the grid if the admin
> searches for the fetchmail's password property (see screenshot).
> It should be sufficient to disable the search for this property/extended
> attribute.

No... We don't prevent searching for such attributes. We only don't display them. We need LDAP ACLs which prevent reading the password.

Why is it stored in plaintext?
The LDAP ACLs exist:

attributetype ( 1.3.6.1.4.1.10176.1057.1.5 NAME 'univentionFetchmailPasswd'
    SUBSTR caseIgnoreSubstringsMatch
    DESC 'password'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

access to attrs=univentionFetchmailPasswd
    by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,@%@ldap/base@%@" write
    by set="user/univentionService & [Fetchmail]" write
    by dn.base="cn=admin,@%@ldap/base@%@" write
    by * none

As we have got a lot of unescaped search filters one is able to brute-force passwords very easily as the attribute has "SUBSTR caseIgnoreSubstringsMatch". If an unauthenticated user can trigger a search filter injection somewhere where e.g. the machine account is used for searching he is able to brute-force passwords within a very short time. We should never allow substring searches on password attributes and should never store passwords in plaintext.
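A defensive check for the two schema weaknesses named in this comment, added here as an illustration and not taken from the bug report or from the univention-fetchmail package: it parses attributetype definitions, flags secret-bearing attributes that declare a substring rule or a case-insensitive equality rule, and escapes a value before it is interpolated into a search filter. The second attributetype (exampleHardenedPasswd, OID 1.3.6.1.4.1.99999.1, EQUALITY caseExactMatch) is an assumed hardened variant, and the schema parser assumes the simple single-NAME form without nested parentheses shown in the comment.

```python
import re

# Constructed schema text (not the real UCS schema file). The first definition is the
# one quoted in the bug; the second is an ASSUMED hardened variant with no SUBSTR rule
# and a case-exact EQUALITY rule.
SCHEMA_TEXT = """
attributetype ( 1.3.6.1.4.1.10176.1057.1.5 NAME 'univentionFetchmailPasswd'
    SUBSTR caseIgnoreSubstringsMatch DESC 'password'
    EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.4.1.99999.1 NAME 'exampleHardenedPasswd' DESC 'password'
    EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
"""

SECRET_WORDS = ("passw", "secret", "credential")


def parse_attributetypes(text):
    """Yield one dict per attributetype: name, desc and the matching rules it declares.
    Assumes the single-NAME form without nested parentheses, as in the bug report."""
    for body in re.findall(r"attributetype\s*\((.*?)\)", text, re.S):
        info = {}
        m = re.search(r"NAME\s+'([^']+)'", body)
        info["name"] = m.group(1) if m else ""
        m = re.search(r"DESC\s+'([^']*)'", body)
        info["desc"] = m.group(1) if m else ""
        for kw in ("EQUALITY", "SUBSTR"):
            m = re.search(kw + r"\s+(\S+)", body)
            info[kw.lower()] = m.group(1) if m else None
        yield info


def audit_password_attributes(text):
    """Map each secret-bearing attribute name to the list of filter-probing risks found."""
    findings = {}
    for a in parse_attributetypes(text):
        if not any(w in (a["name"] + " " + a["desc"]).lower() for w in SECRET_WORDS):
            continue
        problems = []
        if a["substr"]:
            # A substring rule lets a filter confirm partial values, the brute-force concern above.
            problems.append("substring matching via " + a["substr"])
        if a["equality"] and a["equality"].lower().startswith("caseignore"):
            # Case folding shrinks the space an equality filter has to cover.
            problems.append("case-insensitive equality via " + a["equality"])
        findings[a["name"]] = problems
    return findings


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed into a search filter (same job as python-ldap's
    ldap.filter.escape_filter_chars), so input cannot add assertions of its own."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)
```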
(In reply to Florian Best from comment #1)
> No... We don't prevent searching for such attributes. We only don't display
> them.

UMC allows disabling the search for properties, so the property name does not pop up in the search dialog. I admit that this is rather security by obscurity but it's a first step since the whole concept is broken.

> We need LDAP ACLs which prevent reading the password.

As you mentioned below, the LDAP access is already limited. Allowing writing the LDAP attribute but not reading (via LDAP ACLs) might break the UDM/UMC since it looks like the LDAP attribute is unset if no read permission is given.

> Why is it stored in plaintext?

fetchmail requires plaintext passwords. And at the moment of implementation there was a) only a single master scenario and b) there was/is currently no implemented easy way to distribute sensitive data in encrypted form via LDAP replication so the data is only decryptable by certain systems or services.
The ACL file should also be placed nearer the top. Currently the UCS@school ACLs come before the fetchmail ACLs, which might result in rules being overridden.
Bug #33648 can be fixed along when fixing this.
OK, I fixed 2 of the 3 issues:

1. The attribute is now hidden from UMC search fields
2. The attribute is not brute-forceable via ldapsearch filters anymore and comparison is done case sensitive

univention-fetchmail (10.0.1-1):
r78916 | Bug #41336: protect univentionFetchmailPasswd attribute against substring brute force through ldap searches and hide it in UMC

univention-fetchmail.yaml:
r78918 | YAML Bug #41336 Bug #33648

3. (not fixed): The ACLs disallow read access by every object except for Domain Admins and objects with univentionService=fetchmail. But the problem is the order of the ACLs. The UCS@school ACLs for example stop rule evaluation so that every Memberserver (Member-Edukativnetz / Member-Verwaltungsnetz) is able to read the plain text password of global users (not school users!), e.g.:

# ldapsearch -LLL -D cn=member,cn=computers,dc=school,dc=local -w univention univentionFetchmailPasswd=* univentionFetchmailPasswd
dn: uid=Aa,cn=users,dc=school,dc=local
univentionFetchmailPasswd: univention

Fixing this would be a regression. @Sönke we should talk about this prior.
The LDAP ACLs have been moved to the top of the ACL definitions (above UCS@school).

univention-fetchmail (10.0.1-2):
r78960 | Bug #41336: move LDAP ACL's to the top

univention-fetchmail.yaml:
r78961 | YAML Bug #41336
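An added check for the ordering problem that comments 4 to 6 describe and this change fixes, written for illustration and not taken from the univention-fetchmail or UCS@school packages: it parses "access to" rules from a constructed slapd.conf fragment and reports any rule ahead of the univentionFetchmailPasswd rule that slapd would select instead of it. The UCS@school-style rule, the base DN dc=example,dc=com and the helper names are assumptions; the evaluation order modelled is the one slapd.access(5) documents (the first matching "to" clause wins unless the selected "by" clause says break), and the entry scope of the earlier rule is not modelled, so the check is conservative.

```python
import re
# Constructed slapd.conf fragments (not the real UCS or UCS@school ACL files). The fetchmail
# rule is the one quoted in the bug with an assumed base DN; SCHOOL_ACL is an ASSUMED broad
# rule without attrs=, the kind that shadows a later attribute-specific rule when it comes first.
FETCHMAIL_ACL = """access to attrs=univentionFetchmailPasswd
    by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,dc=example,dc=com" write
    by set="user/univentionService & [Fetchmail]" write
    by dn.base="cn=admin,dc=example,dc=com" write
    by * none
"""
SCHOOL_ACL = """access to dn.subtree="cn=users,dc=example,dc=com"
    by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,dc=example,dc=com" read
    by * none
"""
OLD_ORDER = SCHOOL_ACL + FETCHMAIL_ACL  # the order QA found to leak the password
NEW_ORDER = FETCHMAIL_ACL + SCHOOL_ACL  # the order after the fix (fetchmail rule first)


def parse_access_rules(conf):
    """Return (target, [by-clauses]) in file order. A line starting with 'access to'
    opens a rule, other non-comment lines continue it; 'by' may share the target's line."""
    rules = []
    for line in conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("access to "):
            rules.append(stripped[len("access to "):])
        elif rules:
            rules[-1] += " " + stripped
    return [(p[0], p[1:]) for p in (re.split(r"\s+by\s+", r) for r in rules)]


def listed_attrs(target):
    """Attributes a target names; no attrs= clause means it matches every attribute."""
    m = re.search(r"attrs=(\S+)", target)
    return m.group(1).split(",") if m else ["*"]


def shadowing_rules(conf, attr):
    """Targets of rules placed before attr's own rule that slapd would select instead of it,
    since the first matching 'access to' wins. A rule whose by-clauses all end in 'break'
    passes evaluation on and is not counted; entry scope (dn.subtree etc.) is ignored."""
    rules = parse_access_rules(conf)
    own = next(i for i, (t, _) in enumerate(rules) if attr in listed_attrs(t))
    shadow = []
    for target, bys in rules[:own]:
        attrs = listed_attrs(target)
        if ("*" in attrs or attr in attrs) and not all(b.endswith(" break") for b in bys):
            shadow.append(target)
    return shadow
```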
OK: code changes
OK: update: conf rename, ext attr modification - all very clean - nice!
OK: advisory
OK: manual test:

root@m120:~# dpkg -l univention-fetchmail-schema
ii  univention-fetchmail-schema  10.0.0-2A~4.2.0.2017
==> OLD packages

root@m120:~# grep -n univentionFetchmailPasswd /etc/ldap/slapd.conf
582:access to attrs=univentionFetchmailPasswd

root@m120:~# systemctl stop univention-directory-listener.service

root@m120:~# udm users/user modify --dn uid=student1,cn=schueler,cn=users,ou=SchuleEins,dc=uni,dc=dtr --set fetchmailUsername=FMusername --set fetchmailPassword=FMpassword --set fetchmailProtocol=IMAP --set fetchmailServer=my.server --set fetchmailUseSSL=1 --set fetchmailKeep=1
Object modified: uid=student1,cn=schueler,cn=users,ou=SchuleEins,dc=uni,dc=dtr

root@m120:~# udm users/user modify --dn uid=test1,cn=users,dc=uni,dc=dtr --set fetchmailUsername=FMusername2 --set fetchmailPassword=FMpassword2 --set fetchmailProtocol=IMAP --set fetchmailServer=my.server2 --set fetchmailUseSSL=1 --set fetchmailKeep=1
Object modified: uid=test1,cn=users,dc=uni,dc=dtr

root@m120:~# univention-ldapsearch -xLLL univentionFetchmailPasswd=* univentionFetchmailPasswd
dn: uid=test1,cn=users,dc=uni,dc=dtr
univentionFetchmailPasswd: FMpassword2

dn: uid=student1,cn=schueler,cn=users,ou=SchuleEins,dc=uni,dc=dtr
univentionFetchmailPasswd: FMpassword
==> OK cn=admin can see passwords

root@m120:~# udm computers/memberserver create --set name=member4 --set password=univention --position cn=computers,ou=SchuleEins,dc=uni,dc=dtr --append groups=cn=Member-Edukativnetz,cn=ucsschool,cn=groups,dc=uni,dc=dtr --append groups=cn=OUschuleeins-Member-Edukativnetz,cn=ucsschool,cn=groups,dc=uni,dc=dtr
Object created: cn=member4,cn=computers,ou=SchuleEins,dc=uni,dc=dtr

root@m120:~# ldapsearch -xLLL -D cn=member4,cn=computers,ou=SchuleEins,dc=uni,dc=dtr -w univention univentionFetchmailPasswd=* univentionFetchmailPasswd
dn: uid=test1,cn=users,dc=uni,dc=dtr
univentionFetchmailPasswd: FMpassword2
==> BAD (old): school-member can read passwords

root@m120:~# univention-upgrade --ignoreterm --ignoressh
The following packages will be upgraded: univention-fetchmail-schema,univention-fetchmail

root@m120:~# grep -n univentionFetchmailPasswd /etc/ldap/slapd.conf
188:access to attrs=univentionFetchmailPasswd

root@m120:~# udm settings/extended_attribute list --filter cn=UniventionFetchmail-User-Password | grep doNotSearch
  doNotSearch: 1

root@m120:~# ldapsearch -xLLL -D cn=member4,cn=computers,ou=SchuleEins,dc=uni,dc=dtr -w univention univentionFetchmailPasswd=* univentionFetchmailPasswd
root@m120:~#
==> OK (new): school-member cannot read passwords

Also tested with a non-school member, but that couldn't read the password before the change already.
<http://errata.software-univention.de/ucs/4.2/9.html>