Vulnerabilities > CVE-2017-8114 - Improper Privilege Management vulnerability in Roundcube Webmail
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Restful Privilege Elevation Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2017-EDE53AA845.NASL description **Roundcube Webmail 1.2.5** This is a security update to the stable version 1.2. It primarily fixes a recently discovered vulnerability in the virtualmin and sasl drivers of the password plugin plus adds a few cherry-picked bug fixes from upstream versions. A detailed list of changes is shown below. It last seen 2020-06-05 modified 2017-05-09 plugin id 100034 published 2017-05-09 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100034 title Fedora 25 : roundcubemail (2017-ede53aa845) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_BCE47C894D3F11E78080A4BADB2F4699.NASL description Roundcube reports : Roundcube Webmail allows arbitrary password resets by authenticated users. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin. last seen 2020-06-01 modified 2020-06-02 plugin id 100737 published 2017-06-12 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100737 title FreeBSD : roundcube -- arbitrary password resets (bce47c89-4d3f-11e7-8080-a4badb2f4699) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-933.NASL description Roundcube Webmail allows arbitrary password resets by authenticated users. The issue is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin. For Debian 7 last seen 2020-03-17 modified 2017-05-08 plugin id 99999 published 2017-05-08 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99999 title Debian DLA-933-1 : roundcube security update NASL family Fedora Local Security Checks NASL id FEDORA_2017-7263E7D321.NASL description **Roundcube Webmail 1.2.5** This is a security update to the stable version 1.2. It primarily fixes a recently discovered vulnerability in the virtualmin and sasl drivers of the password plugin plus adds a few cherry-picked bug fixes from upstream versions. A detailed list of changes is shown below. It last seen 2020-06-05 modified 2017-07-17 plugin id 101656 published 2017-07-17 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101656 title Fedora 26 : roundcubemail (2017-7263e7d321) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-580.NASL description This update for roundcubemail fixes one security issues and two bugs. The following vulnerability was fixed : - CVE-2017-8114: Authenticated users may have reset arbitrary passwords (boo#1036955) The following upstream bugs were fixed : - Fix regression in LDAP fuzzy search where it always used prefix search instead - Fix bug where base_dn setting was ignored inside group_filters last seen 2020-06-05 modified 2017-05-16 plugin id 100203 published 2017-05-16 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/100203 title openSUSE Security Update : roundcubemail (openSUSE-2017-580) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201707-11.NASL description The remote host is affected by the vulnerability described in GLSA-201707-11 (RoundCube: Security bypass) Authenticated users can arbitrarily reset passwords due to a problem caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin. Impact : Authenticated users can bypass security restrictions and elevate privileges. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 101342 published 2017-07-10 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/101342 title GLSA-201707-11 : RoundCube: Security bypass NASL family Fedora Local Security Checks NASL id FEDORA_2017-C8448D0CAD.NASL description **Roundcube Webmail 1.2.5** This is a security update to the stable version 1.2. It primarily fixes a recently discovered vulnerability in the virtualmin and sasl drivers of the password plugin plus adds a few cherry-picked bug fixes from upstream versions. A detailed list of changes is shown below. It last seen 2020-06-05 modified 2017-05-09 plugin id 100031 published 2017-05-09 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100031 title Fedora 24 : roundcubemail (2017-c8448d0cad)
References
- http://www.securityfocus.com/bid/98445
- http://www.securityfocus.com/bid/98445
- https://github.com/ilsani/rd/tree/master/security-advisories/web/roundcube/cve-2017-8114
- https://github.com/ilsani/rd/tree/master/security-advisories/web/roundcube/cve-2017-8114
- https://roundcube.net/news/2017/04/28/security-updates-1.2.5-1.1.9-and-1.0.11
- https://roundcube.net/news/2017/04/28/security-updates-1.2.5-1.1.9-and-1.0.11
- https://security.gentoo.org/glsa/201707-11
- https://security.gentoo.org/glsa/201707-11