1

Topic: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

Dear all,

We just found a critical security issue in iRedAdmin (both the open source edition and iRedAdmin-Pro) on FreeBSD and OpenBSD systems; please upgrade it immediately.

Note: iRedMail-0.9.5-1 was repacked today with the new iRedAdmin release (0.6.2), which contains this fix.

The Issue

iRedAdmin calls an incorrect function to verify the BCRYPT password hash while an admin is trying to log in; if the admin account exists, iRedAdmin accepts any password and the admin is logged in.

Affected Linux/BSD distributions

BCRYPT is available on FreeBSD and OpenBSD but not on Linux, so this issue impacts only FreeBSD and OpenBSD systems.

Affected iRedAdmin versions

This bug was introduced in iRedAdmin (both the open source edition and iRedAdmin-Pro) on May 3, 2016; versions released after May 3 contain this bug:

  • iRedAdmin-0.6.1 (shipped by iRedMail-0.9.5-1)

  • iRedAdmin-Pro-SQL-2.4.0

  • iRedAdmin-Pro-LDAP-2.6.0

How to fix it


2 (edited by esva2 2016-10-13 20:31:56)

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

Hi, what change do I need to make in the iRedAdmin-Pro code to FIX this manually, without updating to version 2.4.1?

Thanks a lot.

3

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

The patch is in this post:
http://www.iredmail.org/forum/post51813.html#p51813

4

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

For iRedAdmin-Pro, it's OK to apply the patch. But iRedAdmin-0.6.2 (open source edition) contains some additional improvements and bug fixes, so it's recommended to upgrade instead of applying the patch.

5

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

Hi, we tried to patch, but we got back this error:

--
return bcrypt.checkpw(plain_password, challenge_password)
AttributeError: 'module' object has no attribute 'checkpw'
--

As we understand it, this is because we have "py-bcrypt-2.0.0", but the checkpw convenience method for verifying a password is supported only from version 3.1.0. Is there any solution without upgrading bcrypt to v3.1?

Thanks

6

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

esva2 wrote:

As we understand it, this is because we have "py-bcrypt-2.0.0", but the checkpw convenience method for verifying a password is supported only from version 3.1.0. Is there any solution without upgrading bcrypt to v3.1?

If you're running FreeBSD, you can get py-bcrypt 0.4 with the latest ports tree:
http://www.freshports.org/security/py-bcrypt/

7

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

No, we use OpenBSD 5.9 :(

8

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

esva2 wrote:

No, we use OpenBSD 5.9 :(

Then you have to upgrade py-bcrypt manually with 'easy_install' or 'pip'. For example:

easy_install -U py-bcrypt

9

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

ZhangHuangbin, hi, we successfully upgraded py-bcrypt, but now we get this error:

return bcrypt.checkpw(plain_password, challenge_password)
ValueError: Invalid hashed_password salt

What can be wrong?

ZhangHuangbin wrote:
esva2 wrote:

No, we use OpenBSD 5.9 :(

Then you have to upgrade py-bcrypt manually with 'easy_install' or 'pip'. For example:

easy_install -U py-bcrypt

10

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

Hi esva2,

Which version of py-bcrypt are you using?

11

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

ZhangHuangbin wrote:

Hi esva2,

Which version of py-bcrypt are you using?

# pip2.7 list
py-bcrypt (0.4)

12

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

It seems there's confusion about 'py-bcrypt' (https://pypi.python.org/pypi/bcrypt) and another module 'bcrypt' (https://pypi.python.org/pypi/bcrypt). Please remove 'py-bcrypt' and install 'bcrypt' instead:

easy_install -U bcrypt

iRedMail uses the 'bcrypt' module.
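
The verification step the patch and this py-bcrypt/bcrypt confusion revolve around, as an added example that is not iRedAdmin's own code: a fail-closed check of a stored bcrypt hash using the 'bcrypt' module from PyPI, which uses checkpw when the installed release has it (3.1.0 and later) and otherwise falls back to re-hashing with the stored hash as salt and comparing in constant time. It is written for Python 3; the function and constant names are mine, and a malformed stored hash (the "Invalid ... salt" ValueError seen above) or a missing module results in a rejected login rather than an exception or an accepted one.

```python
import hmac
import re

try:
    import bcrypt  # the 'bcrypt' module iRedMail uses, not 'py-bcrypt'
except ImportError:
    bcrypt = None  # fail closed: no module means no successful login

BCRYPT_AVAILABLE = bcrypt is not None

# "$2a$"/"$2b$"/"$2y$", two-digit cost, "$", then 22 salt + 31 hash chars.
_BCRYPT_RE = re.compile(rb"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


def looks_like_bcrypt(hashed: bytes) -> bool:
    """Structural check; a stored value that fails it must never verify."""
    return _BCRYPT_RE.match(hashed) is not None


def verify_bcrypt_password(plain_password: str, challenge_password: str) -> bool:
    """True only when plain_password matches the stored bcrypt hash.

    Every error path returns False instead of raising, so a bad stored
    hash, a wrong module, or a missing module cannot let a login through.
    """
    if bcrypt is None:
        return False
    pw = plain_password.encode("utf-8")
    hashed = challenge_password.encode("utf-8")
    if not looks_like_bcrypt(hashed):
        return False
    try:
        if hasattr(bcrypt, "checkpw"):  # bcrypt >= 3.1.0
            return bool(bcrypt.checkpw(pw, hashed))
        # Older releases: re-hash with the stored hash as the salt and
        # compare in constant time (hashpw returns the full hash again).
        return hmac.compare_digest(bcrypt.hashpw(pw, hashed), hashed)
    except ValueError:  # e.g. "Invalid salt" from a malformed stored hash
        return False


def make_bcrypt_hash(plain_password: str, rounds: int = 4) -> str:
    """Demo hash with a low cost factor so it runs fast; use 12+ in production."""
    salt = bcrypt.gensalt(rounds)
    return bcrypt.hashpw(plain_password.encode("utf-8"), salt).decode("ascii")


if __name__ == "__main__":
    if BCRYPT_AVAILABLE:
        h = make_bcrypt_hash("correct horse")
        print("correct password:", verify_bcrypt_password("correct horse", h))
        print("wrong password:  ", verify_bcrypt_password("wrong", h))
    print("garbage hash:    ", verify_bcrypt_password("x", "not-a-bcrypt-hash"))
```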

13

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

ZhangHuangbin wrote:

It seems there's confusion about 'py-bcrypt' (https://pypi.python.org/pypi/bcrypt) and another module 'bcrypt' (https://pypi.python.org/pypi/bcrypt). Please remove 'py-bcrypt' and install 'bcrypt' instead:

easy_install -U bcrypt

iRedMail uses the 'bcrypt' module.

ZhangHuangbin,

Thank you,

Now it works fine. Your solution helped.