VYPR
Unrated severity · NVD Advisory · Published Dec 16, 2019 · Updated Aug 5, 2024

CVE-2019-19783

Description

An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8 allow an authenticated mail user to create any mailbox with administrator privileges via a sieve fileinto directive.

Vulnerability

In Cyrus IMAP, the function autosieve_createfolder() in imap/lmtp_sieve.c mishandles folder creation when a sieve script uses a fileinto directive with the :create argument: the folder is created with administrator rights rather than with the rights of the user who owns the script. Affected versions are Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8 [1][3]. The vulnerable path is reachable only under certain configurations. On 2.5.x the non-default anysievefolder option must be enabled (default: off). On 3.0.x and later the sieve_extensions option must include the mailbox extension (default: on), users must be able to upload sieve scripts, and the fileinto directive must carry the :create argument [1].

Exploitation

An attacker with a mail account on the service uploads a crafted sieve script (in Cyrus, typically over the ManageSieve service) that uses a fileinto directive with the :create argument and names any valid mailbox on the server as the target. Nothing happens at upload time; the folder is created when lmtpd delivers a message that reaches that fileinto action, so the attacker also needs a message to match the script's condition, or an unconditional fileinto. At that point autosieve_createfolder() creates the named mailbox with administrator privileges, so the ACL checks that would apply to a user-initiated CREATE over IMAP are bypassed [1]. No network access beyond that of an ordinary authenticated mail user is required.

Impact

A successful exploit allows the attacker to create a mailbox anywhere in the namespace, including hierarchies the user holds no create right on; the new folder's ACL is inherited from its parent mailbox [1]. Depending on where the folder is placed, this can expose information to the attacker or disrupt service for other users. The Ubuntu security notice states that a local attacker could use this to obtain sensitive information [2].

Mitigation

The vulnerability is fixed in Cyrus IMAP 2.5.15 [3] and 3.0.13 [1]; upgrade to those releases or later. For the 3.1.x development series, move to a release newer than 3.1.8, since 3.1.x through 3.1.8 is affected. Where an upgrade is not immediately possible, close the vulnerable path instead: on 2.5.x make sure anysievefolder is off (its default), and on 3.x either disable sieve script uploading or remove the mailbox extension from sieve_extensions, which removes the :create argument [1][3]. Existing scripts that already use fileinto :create should be reviewed, since the folder is created at delivery time rather than at upload. Ubuntu packages were updated in USN-4566-1 [2].
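The following audit helper is an added example written for this page; it is not code from the Cyrus project or from the advisory. It ties together the Vulnerability, Exploitation and Mitigation sections above: a version check against the affected ranges, a check of the imapd.conf options that gate the vulnerable path, and a scan of uploaded sieve scripts for fileinto :create targets so an administrator can review them before or after patching. The sample imapd.conf and sieve script are constructed; the set of words Cyrus accepts as "on" for a boolean option, the treatment of an absent sieve_extensions as the default set, and the simplified sieve and imapd.conf parsing are assumptions of this example. How a fileinto target such as "user.bob.Archive" resolves depends on the server's namespace settings, so the scanner reports every :create target rather than judging which ones are dangerous.

```python
"""Audit helper for CVE-2019-19783 exposure on a Cyrus IMAP host.

Added example, not Cyrus project code.  It checks the three conditions the
advisory calls out: an affected server version, the imapd.conf options that
gate the vulnerable path (anysievefolder on 2.x, the 'mailbox' sieve
extension on 3.x), and uploaded sieve scripts that use fileinto :create.
Every input below is a constructed sample.
"""
import re


def parse_version(text):
    """Return (major, minor, patch) from a string such as '3.0.12'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """Affected ranges from the advisory: before 2.5.15, 3.0.x before
    3.0.13, 3.1.x through 3.1.8.  Everything else is treated as fixed."""
    v = parse_version(version)
    if v[:2] == (3, 1):
        return v <= (3, 1, 8)
    if v[:2] == (3, 0):
        return v < (3, 0, 13)
    return v < (2, 5, 15)


def parse_imapd_conf(text):
    """Minimal 'key: value' parser for imapd.conf; '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip()] = value.strip()
    return opts


# Assumption: these spellings are what Cyrus accepts for an enabled switch.
TRUE_WORDS = {"1", "yes", "on", "t", "true"}


def vulnerable_path_enabled(version, opts):
    """Does the configuration enable the code path the advisory describes?
    Assumption: on 3.x an absent sieve_extensions means the default set,
    which the advisory says includes 'mailbox'."""
    major = parse_version(version)[0]
    if major < 3:
        return opts.get("anysievefolder", "no").lower() in TRUE_WORDS
    exts = opts.get("sieve_extensions")
    if exts is None:
        return True
    return "mailbox" in exts.split()


def find_create_targets(script):
    """Return the mailbox argument of every 'fileinto :create' in a sieve
    script.  Comments are stripped, statements are split on ';', and the
    mailbox is taken as the last quoted string of the statement, which is
    fileinto's final argument.  Simplification: a '#' or ';' inside a
    string literal is not handled."""
    script = re.sub(r"/\*.*?\*/", " ", script, flags=re.S)
    script = re.sub(r"#[^\n]*", "", script)
    targets = []
    for stmt in script.split(";"):
        bare = re.sub(r'"[^"]*"', '""', stmt)  # hide string contents
        if re.search(r"\bfileinto\b", bare) and re.search(r"(?<!\w):create\b", bare):
            strings = re.findall(r'"([^"]*)"', stmt)
            if strings:
                targets.append(strings[-1])
    return targets


def audit(version, conf_text, scripts):
    """scripts: {owner or path: script text}.  Returns a summary dict."""
    opts = parse_imapd_conf(conf_text)
    hits = [(name, t) for name, text in scripts.items()
            for t in find_create_targets(text)]
    return {
        "affected_version": is_affected(version),
        "vulnerable_path_enabled": vulnerable_path_enabled(version, opts),
        "create_targets": hits,
    }


# ---- constructed samples --------------------------------------------------
SAMPLE_CONF = """\
configdirectory: /var/lib/cyrus
partition-default: /var/spool/cyrus/mail
# sieve_extensions is left at its default here
sievedir: /var/lib/cyrus/sieve
"""

# Hypothetical script owned by user "alice": the first fileinto is ordinary,
# the second asks the server to create a folder outside alice's own INBOX.
SAMPLE_SCRIPT = """\
require ["fileinto", "mailbox"];
# route list mail
if header :contains "list-id" "cyrus-devel" {
    fileinto "Lists.cyrus";
}
if header :is "subject" "trigger" {
    fileinto :flags ["\\\\Seen"] :create "user.bob.Archive";
}
"""

if __name__ == "__main__":
    report = audit("3.0.12", SAMPLE_CONF, {"alice": SAMPLE_SCRIPT})
    for key, value in report.items():
        print("%-24s %s" % (key, value))
```

On a real host, feed audit() the output of the server's version banner, the contents of /etc/imapd.conf, and the scripts found under the configured sievedir. A report with affected_version and vulnerable_path_enabled both true means the conditions in the Vulnerability section hold, and every entry in create_targets is a folder that delivery would create with administrator rights until the upgrade or workaround is applied.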

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

References: 8

News mentions: 0 (no linked articles in the index yet)