
SOLVED Warning when changing email passwords.

Discussion in 'E-mail Discussion' started by Secmas, Jan 25, 2018.

  1. Secmas

    Secmas Well-Known Member

    Joined:
    Feb 18, 2005
    Messages:
    330
    Likes Received:
    1
    Trophy Points:
    168
    Yesterday I had a very big issue when a customer called me for help regarding an employee he had to fire: he wanted to make sure that none of the emails the employee had in his account could be deleted by the employee.

    I told him that he could do a backup of all the emails prior to telling the employee that he was being dismissed. I also told him to change the email password so the customer would not have access to the account, and he did so.

    Well, the employee was fired and a few minutes later all the emails were gone; the account, with more than 12,000 emails, was empty.

    My customer called me asking why the emails were deleted if the email account's password had been changed. I couldn't say at that moment what had happened, but after looking at the server logs I realized that the employee had webmail open and, even though the password had been changed, he could still perform every action in webmail and deleted everything. All emails gone.

    Thank God he did the backup, but what I see is a security FLAW in cPanel. I have tried it and it works; you can do it yourself:

    Try this yourself for testing:
    1. Open a webmail account and don't close it.
    2. Go to cPanel and change the password for that account.
    3. On the webmail that is still open, send emails or delete them, everything will work.

    So, what happened?
    It seems that cPanel does not close the IMAP connections for the account whose password has been changed, and the connection that stays alive can do anything.

    I have reported this to cPanel but the answer I received was not what I wanted to hear from them, so I am telling this story so that you take care when you have any of the following scenarios:

    - If an email account is compromised and the hacker has an IMAP connection open, the hacker could still send thousands of emails even after the email account has a new password. (This one is my biggest concern.)

    - If you don't want anyone to continue using their email account right away.

    For me the easy way to fix this is for cPanel to close the IMAP connections for the account immediately when the new password is saved.

    Your thoughts?

    Sergio
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,344
    Likes Received:
    1,852
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello Sergio,

    Thank you for taking the time to report the behavior you noticed upon changing the email account's password. It's true that users logged in via IMAP are not automatically disconnected upon the password change. We are tracking this report as part of internal case CPANEL-18265. While it looks like this will require new functionality, the case status is still open. I'll monitor the status of this case and update this thread with more information as it becomes available.

    Thank you.
     
  3. Secmas

    Secmas Well-Known Member

    Joined:
    Feb 18, 2005
    Messages:
    330
    Likes Received:
    1
    Trophy Points:
    168
    Thank you, cPanelMichael.
    I knew that you would be answering my thread. The answer that I received when I reported this flaw was not the one I expected: for me, or any cPanel user, if an account is compromised and we think that changing the password will stop the hackers from using that account any more, that is not true. Right now, as server administrators, we have to change the password and then restart the IMAP connections in order for the change to be applied. Imagine the end users: they will never get a chance to restart IMAP, and the password change will not work as the user expected.

    Once again, thanks. I hope we can have a fix for this very soon.

    Sergio
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,344
    Likes Received:
    1,852
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hi Sergio,

    Your concern is absolutely understandable. I've linked this forums thread to the internal case to note your feedback. While I can't offer a specific time frame on a resolution to this case at this time, I would like to note a couple of potential workarounds for you to consider in the meantime.

    1. In "WHM >> Mail Server Configuration", you could reduce the "Time to Cache Successful Logins" and/or the "Size of Authentication Cache" values. Here's a useful Dovecot document that explains how this works on the backend:

    Authentication/Caching - Dovecot Wiki

    The downside is that reducing these values will likely lead to a performance hit, which could be significant on systems with hundreds or thousands of active IMAP sessions at any given time.

    2. You could set up a hook that runs after the UAPI::Email::passwd_pop event (this is the function that's called when changing an email account password via the cPanel UI) with a command like this:

    Code:
    /usr/local/cpanel/bin/manage_hooks add script /root/restart_imap --category=Cpanel --event=UAPI::Email::passwd_pop --stage=post
    You'd then create and set up the "/root/restart_imap" file as a bash script that restarts IMAP, and it would automatically run every time an email password is changed. The downside is that IMAP is restarted automatically upon each email password change, which could lead to abuse of the system should a malicious user decide to continuously change email passwords.

    While neither of those workarounds is an ideal solution, they do provide you with a couple of alternatives while you await an update on the internal case. Let me know if you have any questions about either workaround. Additionally, I'll continue to monitor internal case CPANEL-18265 and update this thread as soon as new information is available.

    Thank you.
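    As an added illustration of workaround 2 above (this is not cPanel's code and not part of the thread), here is one way the "/root/restart_imap" hook script could look. Rather than restarting the whole IMAP service, which is the abuse risk cPanelMichael points out, it narrows the action to the single mailbox whose password changed, using two real Dovecot subcommands: "doveadm auth cache flush" (drops the cached login from workaround 1's authentication cache) and "doveadm kick" (terminates that user's live IMAP/POP3 sessions). Assumptions, all labelled in the comments: that the hook receives its context as JSON on standard input with the UAPI parameters under data.args.email and data.args.domain, and that cPanel's Dovecot build and the root-run hook can use those doveadm commands. Two points a defender will care about are built in: the hook payload also carries the new password, so the script never logs it, and the extracted address is validated against a strict allow-list before it is handed to a privileged command.

```shell
#!/bin/bash
# Hypothetical /root/restart_imap for a post-stage UAPI::Email::passwd_pop hook.
# Added example, not cPanel's code. Assumed stdin payload (hook context JSON):
#   {"context":{...},"data":{"args":{"email":"bob","domain":"example.com","password":"..."}},"hook":{...}}
# The keys "email" and "domain" are assumed to be the UAPI call's own parameters.
set -u

# Extract one string-valued key from JSON on stdin. A deliberately small sed
# expression, not a JSON parser; sufficient for flat string values like these.
json_string() {  # $1 = key name
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Build user@domain from the hook arguments and validate it strictly, because
# the result is about to be passed to a root-level command.
account_from_hook() {  # stdin = hook JSON; prints the address or returns 1
    local json email domain account
    json=$(cat)   # read once; never log it, the payload contains the new password
    email=$(printf '%s' "$json" | json_string email)
    domain=$(printf '%s' "$json" | json_string domain)
    case "$email" in
        "")  return 1 ;;
        *@*) account=$email ;;            # already a full address
        *)   account="$email@$domain" ;;  # local part + domain parameter
    esac
    # Allow-list of characters a mailbox address may contain; anything else is rejected.
    printf '%s' "$account" | grep -Eq '^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z0-9-]+$' || return 1
    printf '%s\n' "$account"
}

# Execute a command, or with DRY_RUN=1 just print it (used when testing the hook).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Per-account session teardown: forget the cached credential, then drop live sessions.
# Both are standard doveadm subcommands; their availability on the host is assumed.
kick_sessions() {  # $1 = user@domain
    local acct=$1
    run doveadm auth cache flush "$acct"
    run doveadm kick "$acct"
}

main() {
    local acct
    acct=$(account_from_hook) || { echo "restart_imap: no valid account in hook data" >&2; exit 1; }
    kick_sessions "$acct"
}

# Only act when installed under the hook's path; sourcing the file elsewhere just defines the functions.
case "$0" in */restart_imap) main ;; esac
```

Registering it is the manage_hooks command quoted above. Note what this does not cover: it ends Dovecot (IMAP/POP3) sessions only, so an open webmail (webmaild) session is untouched, which is exactly the gap the later CPANEL-18889 change closed by logging out both dovecot and webmaild sessions. Setting DRY_RUN=1 prints the two commands instead of running them, which is a convenient way to exercise the script with a sample payload before enabling the hook.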
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,344
    Likes Received:
    1,852
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello Sergio,

    I wanted to let you know that we're planning to introduce a change in cPanel version 72 (case CPANEL-18889) to address the issue you reported. As part of the change, existing dovecot and webmaild sessions are automatically logged out when a cPanel user changes the password of the corresponding email account. Note that the current behavior will still apply when an email account user changes their own password.

    Thank you.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,344
    Likes Received:
    1,852
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    To update, the change is now published in cPanel version 70.0.24 as well:

    Fixed case CPANEL-18889: Logout email users when the password is changed by the cPanel user.

    Thank you.
     