CVE-2021-28374 in courier-authlib

Summary

by MITRE • 03/15/2021

The Debian courier-authlib package before 0.71.1-2 for Courier Authentication Library creates a /run/courier/authdaemon directory with weak permissions, allowing an attacker to read user information. This may include a cleartext password in some configurations. In general, it includes the user's existence, uid and gids, home and/or Maildir directory, quota, and some type of password information (such as a hash).


Analysis

by VulDB Data Team • 04/01/2021

CVE-2021-28374 affects the Debian courier-authlib package in versions before 0.71.1-2 and is a critical security flaw in the Courier Authentication Library with significant implications for system integrity and user data protection. The issue stems from improper permission settings on the /run/courier/authdaemon directory, which is created during the authentication process. The weak directory permissions allow unauthorized users to access sensitive authentication information, potentially compromising the entire authentication infrastructure of systems that use this package.

The technical flaw manifests through the creation of the /run/courier/authdaemon directory with insufficiently restrictive permissions, typically allowing world-readable access. This directory serves as a temporary storage location for authentication daemon processes and contains crucial user account information that is essential for system authentication mechanisms. When this directory lacks proper access controls, it becomes accessible to any user on the system, creating a privilege escalation vector that can be exploited by attackers with minimal privileges to gain unauthorized access to authentication data. The vulnerability is particularly concerning because it exposes not only user existence information but also includes sensitive data elements such as user identifiers, group memberships, home directory paths, mail storage locations, quota settings, and password information in various formats including cleartext representations.

The operational impact of this vulnerability extends beyond simple information disclosure, as it creates a foundation for more sophisticated attacks within the authentication ecosystem. An attacker who gains access to this directory can extract comprehensive user account information that enables them to craft targeted attacks against specific users or perform broader enumeration activities across the system. The presence of cleartext passwords in some configurations makes this vulnerability particularly dangerous, as it eliminates the need for additional cracking or exploitation techniques. According to CWE classification, this vulnerability maps to CWE-732: Incorrect Permission Assignment for Critical Resource, which specifically addresses inadequate access control mechanisms for important system resources. The vulnerability also aligns with ATT&CK technique T1078.002: Valid Accounts, as it provides attackers with legitimate account information that can be used to establish persistent access to systems.

The implications of this vulnerability are further amplified by the fact that it affects a core authentication library component that is widely deployed across various server environments. Systems using courier-authlib for email authentication, including mail servers and authentication services, become vulnerable to reconnaissance and credential theft attacks. The weak permissions on the authdaemon directory create a persistent security risk that remains active until the package is updated to version 0.71.1-2 or later, which implements proper access controls for the directory. Organizations relying on courier-authlib for authentication services should immediately assess their deployment status and implement remediation measures, including package updates and manual permission corrections for existing installations. The vulnerability underscores the importance of proper privilege separation and access control implementation in authentication systems, as even temporary directories containing authentication data require stringent security controls to prevent unauthorized access to sensitive user information.
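For the deployment assessment and manual permission check mentioned above, the following is an added example and not code from VulDB, Debian or the Courier project. It flags the directory when users outside its owner and group have any access; the function names `mode_of` and `audit_dir` are hypothetical, and treating any "other" permission bit as a finding is this example's assumption.

```shell
#!/bin/sh
# Added example: check whether a directory grants any access to "other".
# Default target is the path named in the advisory; treating any "other"
# permission bit as a finding is this example's assumption.
# Usage after sourcing this file: audit_dir /run/courier/authdaemon

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_dir DIR
# Returns 0 if "other" has no access, 1 if it has any,
# 2 if DIR does not exist or is not a directory.
audit_dir() {
    dir=${1:-/run/courier/authdaemon}
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi
    mode=$(mode_of "$dir") || return 2
    other=${mode#"${mode%?}"}   # last octal digit = permissions for "other"
    if [ "$other" -eq 0 ]; then
        echo "OK      $dir mode=$mode"
        return 0
    fi
    echo "WEAK    $dir mode=$mode (other=$other)"
    # Narrowest correction: drop the "other" bits, leave owner and group as is.
    echo "fix:    chmod o-rwx $dir"
    return 1
}
```

The function only reports; it prints the `chmod` it would suggest instead of running it, so the result can be reviewed before the package update or a manual correction is applied.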

Reservation: 03/15/2021

Disclosure: 03/15/2021

Moderation: accepted

CPE: ready

EPSS: 0.01276

KEV: no

Activities: very low
