[SECURITY-L] CAIS Alert: Vulnerability in GNU/Mailman exposes subscribers' passwords

CSIRT - UNICAMP security at unicamp.br
Fri May 28 13:36:00 -03 2004


----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br>
Subject: CAIS Alert: Vulnerability in GNU/Mailman exposes subscribers' passwords
To: rnp-alerta at cais.rnp.br, rnp-seg at cais.rnp.br
Date: Fri, 28 May 2004 09:59:00 -0300 (BRST)


Dear all,

CAIS warns that versions of GNU/Mailman prior to 2.1.5, a widely used
mailing list manager, contain a vulnerability that allows a subscriber of
a given list managed by this system to retrieve the password of any other
subscriber through commands sent by e-mail.

A message sent to listname-request at example.net containing the lines:

password address=$assinante_vitima
password address=$assinante_atacante

will return the passwords of both the victim subscriber and the attacking
subscriber.

One of the most critical implications of this and other password-exposing
vulnerabilities lies in discovering a user's password and trying it
against other systems. In the extreme case where the attacked user always
uses the same password, this would spare an attacker effort, since social
engineering attacks or brute-force password-cracking tools, for example,
would not be needed.


Affected systems:

. GNU/Mailman versions prior to 2.1.5


Available fixes:

It is recommended to update GNU/Mailman to the latest version offered by
your distribution. If your distribution has not yet made GNU/Mailman
version 2.1.5 available, it can be obtained at:

. Mailman, the GNU Mailing List Manager
       http://www.gnu.org/software/mailman


More information:

. [Mailman-Users] RELEASED Mailman 2.1.5
       http://www.mail-archive.com/mailman-users@python.org/msg24544.html

. Nessus Plugins: Mailman password retrieval
       http://cgi.nessus.org/plugins/dump.php3?id=12253

CVE identifier: CAN-2004-0412 (http://cve.mitre.org)


CAIS recommends that administrators keep their systems and applications
always up to date, in line with the latest versions and fixes offered by
vendors.

CAIS further recommends, specifically in this case, that:

. administrators of mailing lists that use the GNU/Mailman list manager
       subscribe to the announcement list:

       Mailman-announce -- Announce-only list for Mailman releases and news
       http://mail.python.org/mailman/listinfo/mailman-announce

. users avoid reusing passwords across multiple systems.


Sincerely,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)     #
#       Rede Nacional de Ensino e Pesquisa (RNP)               #
#                                                              #
# cais at cais.rnp.br       http://www.cais.rnp.br             #
# Tel. 019-37873300      Fax. 019-37873301                     #
# PGP key available      http://www.rnp.br/cais/cais-pgp.key   #
################################################################

[Mailman-Users] RELEASED Mailman 2.1.5

         * From: Barry Warsaw
         * Subject: [Mailman-Users] RELEASED Mailman 2.1.5
         * Date: Sat, 15 May 2004 16:33:01 -0700

Today I am releasing Mailman 2.1.5, a bug fix release that also contains
new support for the Turkish language, and a few minor new features.
Mailman 2.1.5 is a significant upgrade which should improve disk i/o
performance, administrative overhead for discarding held spams, and the
behavior of bouncing member disables.  This version also contains a fix
for an exploit that could allow 3rd parties to retrieve member
passwords.  It is thus highly recommended that all existing sites
upgrade to the latest version.

The full source tarball, as well as a patch against Mailman 2.1.4 have
been made available.  See

             http://sourceforge.net/project/showfiles.php?group_id=103

for links to downloads.

NOTE: You will want to read the UPGRADING file for important information
regarding upgrading from earlier version to Mailman 2.1.5.  A number of
internal file formats have changed so you must shut down web and mail
access to Mailman before you upgrade.  You will also want to re-run
configure (i.e. config.status) before you run "make install".

See also:

             http://www.list.org
             http://mailman.sf.net
             http://www.gnu.org/software/mailman

Finally, a personal note.  I have left Zope Corporation to join Secure
Software, a company started by John Viega -- Mailman's original author.
Although I won't be working on Mailman in any official capacity, it is
exciting to be working with him and the rest of the folks there.  I
leave Zope Corp on a positive note and wish nothing but success for them
too.

You can find Secure Software on the web at
http://www.securesoftware.com.  Please continue to use my
[EMAIL PROTECTED] email address for all Mailman correspondences.  I don't
expect much to change for the Mailman project at all.

Enjoy,
-Barry

2.1.5 (15-May-2004)

    - The admindb page has a checkbox that allows you to discard all held
      messages that are marked Defer.  On heavy lists with lots of spam holds,
      this makes clearing them much faster.

    - The qrunner system has changed to use only one file per message.
      However the configuration variable METADATA_FORMAT has been removed, and
      support for SAVE_MSGS_AS_PICKLES has been changed.  The latter no longer
      writes messages as plain text.  Instead, they are stored as pickles of
      plain strings, using the text pickle format.  This still makes them
      non-binary files readable and editable by humans.

      bin/dumpdb also works differently.  It will print out the entire pickle
      file (with more verbosity) and if used with 'python -i', it binds msg to
      a list of all objects found in the pickle file.

      Removed from Defaults.py: PENDINGDB_LOCK_TIMEOUT,
      PENDINGDB_LOCK_ATTEMPTS, METAFMT_MARSHAL, METAFMT_BSDDB_NATIVE,
      METAFMT_ASCII, METADATA_FORMAT

    - The bounce processor has been redesigned so that now when an address's
      bounce score reaches the threshold, that address will be sent a probe
      message.  Only if the probe bounces will the address be disabled.  The
      score is reset to zero when the probe is sent.  Also, bounce events are
      now kept in an event file instead of in memory.  This should help
      contain the bloat of the BounceRunner.

      New supporting variables in Defaults.py: VERP_PROBE_FORMAT,
      VERP_PROBE_REGEXP

      REGISTER_BOUNCES_EVERY is promoted to a Defaults.py variable.

    - The pending database has been changed from a global pickle file, to a
      unique pickle file per mailing list.

    - The 'request' database file has changed from a marshal, to the more
      secure pickle format.

    - Disallow multiple password retrievals.

    - The email package is updated to version 2.5.5.

    - New language: Turkish.

    - Bugs and patches: 869644, 869647 (NotAMemberError for old cookie data),
      878087 (bug in Slovenian catalog), 899263 (ignore duplicate pending
      ids), 810675 (discard all defers button)



----- End forwarded message -----
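As an added example (not part of the CAIS advisory or of Mailman's own code), the check below scans the body of a constructed e-mail command message addressed to a list's -request address and reports the two things the advisory and the 2.1.5 changelog point at: more than one password retrieval in a single message, and a `password address=` target that is not the sender. The command syntax is the one quoted in the advisory; stopping at an `end` line and treating a sender/target mismatch as suspicious are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Hypothetical detector (added here; not CAIS's or Mailman's own code).
# It parses Mailman-style "password" commands from a -request message body
# and flags the retrieval pattern described for CAN-2004-0412.

PASSWORD_CMD = re.compile(r"^\s*password(?:\s+address=(?P<addr>\S+))?\s*$", re.I)


@dataclass
class Finding:
    sender: str
    reason: str
    targets: list = field(default_factory=list)


def parse_password_commands(body: str) -> list:
    """Return the address targeted by each password command in the body.
    A bare "password" line targets the sender and is recorded as None."""
    targets = []
    for line in body.splitlines():
        if line.strip().lower() == "end":      # assumption: parsing stops at 'end'
            break
        m = PASSWORD_CMD.match(line)
        if m:
            targets.append(m.group("addr").lower() if m.group("addr") else None)
    return targets


def check_request_message(sender: str, body: str) -> list:
    """Flag a -request message that asks for more than one password, or for
    a password belonging to an address other than the sender (heuristic)."""
    sender = sender.lower()
    targets = parse_password_commands(body)
    findings = []
    if len(targets) > 1:
        findings.append(Finding(sender, "multiple password retrievals in one message", targets))
    foreign = [t for t in targets if t is not None and t != sender]
    if foreign:
        findings.append(Finding(sender, "password requested for another address", foreign))
    return findings


# Constructed sample messages, not real traffic.
BENIGN = "password\nend\n"
SUSPECT = "password address=alice@example.net\npassword address=bob@example.net\n"

if __name__ == "__main__":
    for body in (BENIGN, SUSPECT):
        for f in check_request_message("bob@example.net", body):
            print(f"{f.sender}: {f.reason} -> {f.targets}")
```

The benign message produces no findings; the second one is reported twice, once for the double retrieval and once for the foreign target.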
