Bug 1192741 (CVE-2021-43332) - VUL-0: CVE-2021-43332: mailman: a list moderator can crack the list admin password encrypted in a CSRF token
Status: RESOLVED FIXED
Alias: CVE-2021-43332
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/314931/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-43332:7.4:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-11-16 10:12 UTC by Thomas Leroy
Modified: 2024-05-15 13:39 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Thomas Leroy 2021-11-16 10:12:19 UTC
CVE-2021-43332

In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page
contains an encrypted version of the list admin password. This could potentially
be cracked by a moderator via an offline brute-force attack.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43332
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43332
http://www.cvedetails.com/cve/CVE-2021-43332/
https://bugs.launchpad.net/mailman/+bug/1949403
https://mail.python.org/archives/list/mailman-announce@python.org/message/I2X7PSFXIEPLM3UMKZMGOEO3UFYETGRL/
Comment 1 Thomas Leroy 2021-11-16 10:12:35 UTC
Affected codestreams:
- SUSE:SLE-11:Update                     2.1.15-9.6.26.1
- SUSE:SLE-12:Update                     2.1.17-3.8.1
- openSUSE:Leap:15.2:Update              2.1.35
- openSUSE:Backports:SLE-15-SP2:Update   2.1.35
Comment 2 Thomas Leroy 2021-11-16 10:19:27 UTC
Two different patches are mentioned for this bug: the one mentioned in the release announcement [0] and the one mentioned in the bug report [1]. It seems that [1] is a corrected version of [0]; therefore, it looks like the correct patch is [1] and not [0]. But it is not clear to me.

[0] https://mail.python.org/archives/list/mailman-announce@python.org/message/I2X7PSFXIEPLM3UMKZMGOEO3UFYETGRL/attachment/5/patch_to_fix_1949403.txt

[1] https://bugs.launchpad.net/mailman/+bug/1949403/+attachment/5540558/+files/patch_to_fix_1949403
Comment 5 Swamp Workflow Management 2022-05-31 10:18:19 UTC
SUSE-SU-2022:1886-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1191959,1192735,1192741,1193316
CVE References: CVE-2021-42096,CVE-2021-43331,CVE-2021-43332,CVE-2021-44227
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    mailman-2.1.17-3.26.1
SUSE OpenStack Cloud Crowbar 8 (src):    mailman-2.1.17-3.26.1
SUSE OpenStack Cloud 9 (src):    mailman-2.1.17-3.26.1
SUSE OpenStack Cloud 8 (src):    mailman-2.1.17-3.26.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    mailman-2.1.17-3.26.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    mailman-2.1.17-3.26.1
SUSE Linux Enterprise Server 12-SP5 (src):    mailman-2.1.17-3.26.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    mailman-2.1.17-3.26.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    mailman-2.1.17-3.26.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    mailman-2.1.17-3.26.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    mailman-2.1.17-3.26.1
HPE Helion Openstack 8 (src):    mailman-2.1.17-3.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.