Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu
CVE-2021-3618 fix

[ Reason ]
Fixes the ALPACA attack CVE-2021-3618: ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to the victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS, and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.

[ Impact ]
Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands in Exim, specifies the number of errors after which the connection is closed.

[ Tests ]
The patch sets the default to 5 error-command tries. It means the server must close the connection after 5 'bad commands'.

config:

~~~
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
}

mail {
    auth_http localhost/cgi-bin/nginxauth.cgi;

    server {
        listen localhost:25;
        protocol smtp;
        proxy on;
        smtp_auth login plain cram-md5;
    }
}
~~~

~~~
# telnet 0 25
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
220 localtest ESMTP ready
badcommand1
500 5.5.1 Invalid command
badcommand2
500 5.5.1 Invalid command
badcommand3
500 5.5.1 Invalid command
badcommand4
500 5.5.1 Invalid command
badcommand5
500 5.5.1 Invalid command
Connection closed by foreign host.
root@dev:~/nginx/nginx-1.18.0#
~~~

[ Risks ]
A MiTM attacker having access to the victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS, and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.
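The telnet check from the [ Tests ] section, scripted so the limit can be verified against a mail proxy after the update. This is an added example, not part of the bug report or of nginx: count_rejections_before_close counts 5xx replies until the peer closes, and FakeMailProxy/probe_limit are a constructed stand-in for the patched proxy so the checker can be exercised offline; all function names are assumptions.

```python
import socket
import socketserver
import threading


def count_rejections_before_close(host, port, attempts=20, timeout=5.0):
    """Read the 220 greeting, then send invalid commands until the server
    drops the connection. Returns how many 5xx replies arrived first."""
    rejected = 0
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        if not rfile.readline().startswith(b"220"):
            raise RuntimeError("no SMTP greeting received")
        for i in range(1, attempts + 1):
            try:
                sock.sendall(b"badcommand%d\r\n" % i)
                reply = rfile.readline()
            except OSError:  # RST: the peer already closed the socket
                break
            if not reply:  # EOF: the peer closed after its last reply
                break
            if reply.startswith(b"5"):
                rejected += 1
    return rejected


class FakeMailProxy(socketserver.StreamRequestHandler):
    """Constructed stand-in for the patched proxy: one 500 per unknown
    command, connection dropped once the count reaches max_errors."""
    def handle(self):
        errors = 0
        self.wfile.write(b"220 localtest ESMTP ready\r\n")
        while self.rfile.readline():
            errors += 1
            self.wfile.write(b"500 5.5.1 Invalid command\r\n")
            if errors >= self.server.max_errors:
                return  # like s->quit = 1: close after sending the reply


def probe_limit(max_errors=5):  # 5 = default merged in by the patch
    """Run the checker against the stand-in; returns the observed limit."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeMailProxy)
    server.max_errors = max_errors
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return count_rejections_before_close(*server.server_address)
    finally:
        server.shutdown()
        server.server_close()
```

Against a real proxy, call count_rejections_before_close("localhost", 25) directly; a result equal to the configured max_errors confirms the connection is dropped as in the transcript.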
[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands in Exim, specifies the number of errors after which the connection is closed.

diff -Nru nginx-1.18.0/debian/changelog nginx-1.18.0/debian/changelog --- nginx-1.18.0/debian/changelog 2022-03-15 21:36:18.000000000 +0100 +++ nginx-1.18.0/debian/changelog 2022-05-14 08:27:08.000000000 +0200 @@ -1,3 +1,11 @@ +nginx (1.18.0-6.1+deb11u2) bullseye; urgency=medium + + * d/patches/CVE-2021-3618.patch: Include upstream changeset from NGINX + that adds mitigations into the Mail module for CVE-2021-3618.patch. + (Closes: #991328) + + -- Jan Mojžíš <jan.moj...@gmail.com> Sat, 14 May 2022 08:27:08 +0200 + nginx (1.18.0-6.1+deb11u1) bullseye; urgency=medium * Backport upstream bugfix for segfault in nginx core >= 1.15.0 when diff -Nru nginx-1.18.0/debian/patches/CVE-2021-3618.patch nginx-1.18.0/debian/patches/CVE-2021-3618.patch --- nginx-1.18.0/debian/patches/CVE-2021-3618.patch 1970-01-01 01:00:00.000000000 +0100 +++ nginx-1.18.0/debian/patches/CVE-2021-3618.patch 2022-05-14 08:23:49.000000000 +0200 
@@ -0,0 +1,84 @@ +Subject: Patch mitigation for CVE-2021-3618 + Mail: max_errors directive. + . + Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands + in Exim, specifies the number of errors after which the connection is closed. +Origin: upstream, http://hg.nginx.org/nginx/rev/ec1071830799 +Bug-Debian: https://bugs.debian.org/991328 + +--- a/src/mail/ngx_mail.h ++++ b/src/mail/ngx_mail.h +@@ -115,6 +115,8 @@ + ngx_msec_t timeout; + ngx_msec_t resolver_timeout; + ++ ngx_uint_t max_errors; ++ + ngx_str_t server_name; + + u_char *file_name; +@@ -231,6 +233,7 @@ + ngx_uint_t command; + ngx_array_t args; + ++ ngx_uint_t errors; + ngx_uint_t login_attempt; + + /* used to parse POP3/IMAP/SMTP command */ +--- a/src/mail/ngx_mail_core_module.c ++++ b/src/mail/ngx_mail_core_module.c +@@ -85,6 +85,13 @@ + offsetof(ngx_mail_core_srv_conf_t, resolver_timeout), + NULL }, + ++ { ngx_string("max_errors"), ++ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, ++ ngx_conf_set_num_slot, ++ NGX_MAIL_SRV_CONF_OFFSET, ++ offsetof(ngx_mail_core_srv_conf_t, max_errors), ++ NULL }, ++ + ngx_null_command + }; + +@@ -163,6 +170,8 @@ + cscf->timeout = NGX_CONF_UNSET_MSEC; + cscf->resolver_timeout = NGX_CONF_UNSET_MSEC; + ++ cscf->max_errors = NGX_CONF_UNSET_UINT; ++ + cscf->resolver = NGX_CONF_UNSET_PTR; + + cscf->file_name = cf->conf_file->file.name.data; +@@ -182,6 +191,7 @@ + ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout, + 30000); + ++ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5); + + ngx_conf_merge_str_value(conf->server_name, prev->server_name, ""); + +--- a/src/mail/ngx_mail_handler.c ++++ b/src/mail/ngx_mail_handler.c +@@ -871,7 +871,20 @@ + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + +- if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) { ++ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) { ++ ++ s->errors++; ++ ++ if (s->errors >= cscf->max_errors) { ++ ngx_log_error(NGX_LOG_INFO, c->log, 0, ++ 
"client sent too many invalid commands"); ++ s->quit = 1; ++ } ++ ++ return rc; ++ } ++ ++ if (rc == NGX_IMAP_NEXT) { + return rc; + } + diff -Nru nginx-1.18.0/debian/patches/series nginx-1.18.0/debian/patches/series --- nginx-1.18.0/debian/patches/series 2021-05-29 16:21:37.000000000 +0200 +++ nginx-1.18.0/debian/patches/series 2022-05-14 08:24:09.000000000 +0200 @@ -2,3 +2,4 @@ 0003-define_gnu_source-on-other-glibc-based-platforms.patch CVE-2019-20372.patch Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch +CVE-2021-3618.patch
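Review bot: in the debian/changelog hunk the entry ends "mitigations into the Mail module for CVE-2021-3618.patch", where the trailing ".patch" belongs to the file name on the line above, not to the CVE id; it should read "for CVE-2021-3618". The entry would also be more useful to stable users if it mentioned that the fix introduces a new max_errors directive in the mail module with a default of 5, since that is a visible behaviour change for proxies that previously tolerated any number of invalid commands.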
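Review bot: in the ngx_mail_core_module.c hunks the directive is registered with ngx_conf_set_num_slot and a NULL post handler, so "max_errors 0" is accepted, and with the handler code doing "s->errors++" followed by "if (s->errors >= cscf->max_errors)" a value of 0 closes the connection on the first invalid command instead of disabling the limit. Either document that 0 is not an off switch or reject values below 1 in the merge step.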
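Review bot: in the ngx_mail_handler.c hunk the counter is only incremented on NGX_MAIL_PARSE_INVALID_COMMAND, and the patch adds no reset of s->errors after a valid command, so the limit is cumulative for the whole session rather than a run of consecutive errors; that matches the Postfix smtpd_hard_error_limit semantics cited in the description but should be stated explicitly in the directive documentation. Splitting the old "rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND" branch keeps the IMAP continuation path unchanged, which looks correct; the hunk also relies on cscf already being in scope in this function, which the successful telnet test in [ Tests ] confirms for the bullseye source.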