SOLVED Dovecot CVE-2019-3814 (cPanel & WHM is unaffected by default)

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Hello Everyone,

Dovecot issued the following security advisory earlier today:

CVE-2019-3814: Suitable client certificate can be used to login as other user

This vulnerability is applicable to Dovecot installations with auth_ssl_require_client_cert and auth_ssl_username_from_cert enabled as configuration options as seen in the code block below:

Code:
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
Both of these options are commented out (disabled) by default in the /etc/dovecot/dovecot.conf file on systems using cPanel & WHM:

Code:
# grep auth_ssl_require_client_cert /etc/dovecot/dovecot.conf
# auth_ssl_require_client_cert=yes in auth section.

# grep auth_ssl_username_from_cert /etc/dovecot/dovecot.conf
# auth_ssl_username_from_cert=yes.
Thus, cPanel & WHM systems are unaffected by this vulnerability unless the Dovecot configuration file was altered to enable the options noted above. The following command will allow you to quickly check if either of these options are enabled on your system:

Code:
doveconf -n | egrep 'auth_ssl_require_client_cert|auth_ssl_username_from_cert'
Here's how the output will look on unaffected systems:

Code:
# doveconf -n | egrep 'auth_ssl_require_client_cert|auth_ssl_username_from_cert'
#
Here's how the output will look on affected systems:

Code:
# doveconf -n | egrep 'auth_ssl_require_client_cert|auth_ssl_username_from_cert'
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
We're making an effort to publish the updated Dovecot version (2.3.4.1) as part of cPanel & WHM version 78 (case CPANEL-25461). I'll update this thread again once the updated version is published.

Thank you.
 
Last edited:
  • Like
Reactions: cPanelLauren

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Hello Everyone,

Dovecot version 2.3.4.1 was published today as part of cPanel & WHM version 78.0.10:

[security] Fixed case CPANEL-25461: Update cpanel-dovecot to 2.3.4.1-1 for CVE-2019-3814.

Thank you.