1 Topic by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,071

Topic: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

Dear all,

We just found a critical security issue of iRedAdmin (both open source edition and iRedAdmin-Pro) on FreeBSD and OpenBSD system, please upgrade it immediately.

Note: iRedMail-0.9.5-1 was repacked with new iRedAdmin release (0.6.2) which contains this fix today.

The Issue

iRedAdmin calls an incorrect function to verify BCRYPT password hash while admin trying to login, if the admin account exists, iRedAdmin accepts any password and the admin logs in.

Affected Linux/BSD distributions

BCRYPT is available on FreeBSD and OpenBSD, but not Linux, so this issue impacts only FreeBSD and OpenBSD systems.

Affected iRedAdmin versions

This bug was introduced in iRedAdmin (both open source edition and iRedAdmin-Pro) on May 3, 2016, versions released after May 3 contain this bug:

  • iRedAdmin-0.6.1 (shipped by iRedMail-0.9.5-1)

  • iRedAdmin-Pro-SQL-2.4.0

  • iRedAdmin-Pro-LDAP-2.6.0

How to fix it

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by esva2 (edited by esva2 2016-10-13 20:31:56)

  • esva2
  • Member
  • Offline
  • Registered: 2016-10-13
  • Posts: 6

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

Hi, what change need to do in iRedAdmin-Pro code to FIX this mannualy without update to 2.4.1 version?

Thanks a lot.

3 Reply by brix

  • brix
  • Member
  • Offline
  • Registered: 2014-01-22
  • Posts: 30

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

The patch is in this post:
http://www.iredmail.org/forum/post51813.html#p51813

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,071

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

For iRedAdmin-Pro, it's ok to apply the patch. But iRedAdmin-0.6.2 (open source edition) contains some additional improvements and bug fixes, it's recommended to upgrade it instead of applying the patch.

5 Reply by esva2

  • esva2
  • Member
  • Offline
  • Registered: 2016-10-13
  • Posts: 6

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

Hi, we try to patch, but we get back this error:

--
return bcrypt.checkpw(plain_password, challenge_password)
AttributeError: 'module' object has no attribute 'checkpw'
--

Us we understand this because we have "py-bcrypt-2.0.0", but support for checkpw  convenience method for verifying a password is supported only from version 3.1.0. Is any sollution without upgrading bcrypt to v.3.1 ???

Thanks

6 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,071

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

esva2 wrote:

Us we understand this because we have "py-bcrypt-2.0.0", but support for checkpw  convenience method for verifying a password is supported only from version 3.1.0. Is any sollution without upgrading bcrypt to v.3.1 ???

If you're running FreeBSD, you can get py-bcrypt 0.4 with the latest ports tree:
http://www.freshports.org/security/py-bcrypt/

7 Reply by esva2

  • esva2
  • Member
  • Offline
  • Registered: 2016-10-13
  • Posts: 6

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

No, we use OpenBSD 5.9 sad

8 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,071

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

esva2 wrote:

No, we use OpenBSD 5.9 sad

Then you have to upgrade the py-bcrypt manually with 'easy_install' or 'pip'. For example:

easy_install -U py-bcrypt

9 Reply by esva2

  • esva2
  • Member
  • Offline
  • Registered: 2016-10-13
  • Posts: 6

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

ZhangHuangbin hi, we successfully upgrade  py-bcrypt, but now we get this error:

return bcrypt.checkpw(plain_password, challenge_password)
ValueError: Invalid hashed_password salt

What can be vrong

ZhangHuangbin wrote:
esva2 wrote:

No, we use OpenBSD 5.9 sad

Then you have to upgrade the py-bcrypt manually with 'easy_install' or 'pip'. For example:

easy_install -U py-bcrypt

10 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,071

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

Hi esva2,

Which version of py-bcrypt are you using?

11 Reply by esva2

  • esva2
  • Member
  • Offline
  • Registered: 2016-10-13
  • Posts: 6

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

ZhangHuangbin wrote:

Hi esva2,

Which version of py-bcrypt are you using?

# pip2.7 list
py-bcrypt (0.4)

12 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,071

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

Seems there's confusion about 'py-bcrypt' (https://pypi.python.org/pypi/bcrypt) and another module 'bcrypt' (https://pypi.python.org/pypi/bcrypt). Please remove 'py-bcrypt' and install 'bcrypt' instead:

easy_install -U bcrypt

iRedMail uses the 'bcrypt' module.

13 Reply by esva2

  • esva2
  • Member
  • Offline
  • Registered: 2016-10-13
  • Posts: 6

Re: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD

ZhangHuangbin wrote:

Seems there's confusion about 'py-bcrypt' (https://pypi.python.org/pypi/bcrypt) and another module 'bcrypt' (https://pypi.python.org/pypi/bcrypt). Please remove 'py-bcrypt' and install 'bcrypt' instead:

easy_install -U bcrypt

iRedMail uses the 'bcrypt' module.

ZhangHuangbin,

Thank You,

Now it work fine, Your solution was help.