Resolved Roundcube Security Issue

learning_curve

Silver Pleskian
Via Plesk, we provide (and so have users that prefer to use) Roundcube Webmail. There are already a lot of very helpful Plesk pages, which we've used previously, to make this even more secure than the default settings it is provided with.

The quickest way to make all these modifications in our case (with Ubuntu) is by editing both the <IfModule mod_headers.c> and <IfModule mod_rewrite.c> sections of this file: /etc/apache2/plesk.conf.d/roundcube.htaccess.inc and then restarting Apache. So far, no problems at all with this :)

However, when we run independent, rigorous security checks on the webmail sections of domains, we get this one error:
"Indicator of compromise: There is an altered version of a popular JavaScript script or framework"

This ^^ is NOT because of the htaccess modifications, because we've tested with and without these modifications.

We're on the latest release of Plesk 17.8.11 and the Roundcube provided on this is:
Package: plesk-roundcube
Status: install ok installed
Priority: extra
Section: web
Installed-Size: 25295
Maintainer: Plesk <[email protected]>
Architecture: all
Version: 1.3.6-ubuntu18.04.build1708180613.11
Depends: plesk-base (>= 17.8.11), psa (>= 17.8.11), plesk-web-hosting (>= 17.8.11), libapache2-mod-fcgid-psa (>= 2.3.5)
Conffiles: ~~
However, meanwhile at Roundcube
Update 1.3.8 released. 26 October 2018
We proudly announce the next service release to update the stable version 1.3.
It contains fixes to several bugs backported from the master branch, including a security fix for a reported XSS vulnerability, plus updates to ensure compatibility with PHP 7.3 and recent versions of Courier-IMAP, Dovecot and MySQL 8.
So... unless Plesk have backported all these updates (if so, please advise), this means that we are two official stable releases and 3 months timewise behind Roundcube.

Can somebody at Plesk answer / confirm that using this older release may be the cause of the security error and, if so, what are the workarounds and/or what is the intended release date of Plesk's Roundcube 1.3.8 (or 1.4 which is due soon ;))
 
However, when we run independent, rigorous security checks on the webmail sections of domains, we get this one error:
"Indicator of compromise: There is an altered version of a popular JavaScript script or framework"
We recommend first, if this has not already been done, to find out whether this is not a false positive.
Can somebody at Plesk answer / confirm that using this older release may be the cause of the security error
We can neither confirm nor deny this reliably, because the information about this "security error" is not enough.
If you try to think it out yourself...

1. Let's say the "popular JavaScript script or framework" is jQuery. Suppose "altered version" means that the file /usr/share/psa-roundcube/program/js/jquery.min.js has been replaced.
This can only be done with root permissions. RoundCube works with roundcube_sysuser permissions. Even if it is completely compromised, it is not root. In my opinion, CVE-2018-19206 should not even allow executing arbitrary code with the rights of roundcube_sysuser (although I don't know exactly; this should be asked of the RoundCube developers).
So I do not think that this "security error" arose because of CVE-2018-19206.

2. Suppose the "altered version of a popular JavaScript script or framework" is found through a browser and only on a page that is vulnerable to XSS (a preview of a malicious attachment). Then it may well be due to CVE-2018-19206.

what are the workarounds
The vulnerability fixed in RoundCube 1.3.8 (CVE-2018-19206) is a stored XSS vulnerability. It is triggered on opening a malicious email attachment. Workaround: do not click on attachments in RoundCube (from untrusted senders at least).
what is the intended release date of Plesk's Roundcube 1.3.8
It's an internal PPPM-9562 issue. But I have no ETA for the fix.
 
@learning_curve (and @IgorG, for your information)

In response to your post, I first have to emphasize two things:

1 - Mentioning a Plesk related (potential) vulnerability on an open forum is not a good thing to do : it is an invitation to script kiddies (and decent hackers already know of lots of other and better methods to hack Plesk instances) ......... we do not want to invite them, do we?

2 - There is no such thing as an "independent, rigorous security check" : when it comes to mail, security is only as tight as the users of the mail client or webmail client, in the sense that nobody can prevent anybody else from doing something stupid (i.e. clicking on links cannot be prevented by a sysadmin, unless you want to re-educate all of your customers....... and every mistake your customers make can affect the entire system maintained by the sysadmin).

In addition, I have to point out that your "rigorous security check" missed out on one particular and (very) very disturbing security issue : I will not mention it here in detail, but it is essentially that authentication to the mail server is not dependent on the domain used when authenticating via webmail clients.

If an "independent security check" already misses out on that check (and it will, it always will), then you have to rethink the added value of that check.

Now, let's turn to the main point in your post.

In essence, Plesk Team uses default packages and adds some custom config or, every now and then, some custom code ...... at least in most cases.

In the case of Roundcube, it is not that different : it is a choice made out of convenience, reliability and speed of future upgrades and improvements AND safety considerations.

The above means that one essentially gets the Ubuntu base package of Roundcube plus some (very minor) customization to fit Roundcube in the Plesk eco-environment.

Ubuntu packages are known to have specific version numbers that can really differ from the release versions : a difference between an Ubuntu package version and a release of (let's say) Roundcube does not mean that the Ubuntu package is not patched for various improvements, bugfixes or security fixes.

In short, the current Ubuntu package might already have been patched for the specific security vulnerability ...... and if so, then so is the Plesk-provided Ubuntu package.

However, having said all of the above .......... I still have to remind you of the quintessence of point 2 : there is nothing that can prevent your customers from acting silly and clicking on various links that will ultimately affect your entire system.

As a basic 101 for server infrastructure : put your mail server on a dedicated machine, in order to prevent your mission-critical servers from being affected by things that you cannot prevent, such as end-customers clicking on spam links and/or spoofing and/or all kinds of other malicious stuff.

I am pretty sure that Plesk Team (or Canonical Team, maintaining Ubuntu packages) will patch Roundcube packages as soon as possible - but that still does not imply that you are safe from XSS or all other kinds of attacks.

For the remainder, I fully agree with the reaction of @IgorG ..........seems to be a false positive, a security error cannot be reliably concluded.

Regards..........
 
We recommend first, if this has not already been done, to find out whether this is not a false positive
Yes, we did consider this as a distinct possibility. However, to clinically and decisively do that, we would need to test Roundcube Webmail (version 1.3.6) exclusively and outside of Plesk, which we're not going to do (diminishing returns etc).

The fact that there's been no backporting, but PPPM-9562 already exists for version 1.3.8, is very useful, thank you @IgorG (... but like all the other soon to be released Plesk items, please speed up the ETAs ;)) Once that ^^ specific upgrade has been released, we will re-test our Plesk setup in this area again. This is our current preferred option now based on your reply.

@trialotto Thank you for the valuable input. This is a forum for all kinds of discussion, so we gratefully acknowledge all the points you've made, but will peacefully agree to disagree with some of them.
 
I've had 2 reports today about Plesk Roundcube, one a takedown request by "RiskIQ" to my data centre with the following information (but zero evidence), the other via "eNom Legal" specifying that it "has been reported as redirecting to a phishing website"; I assume the latter also originates with RiskIQ. It sounds like misidentified nonsense to me, perhaps someone clicking a link in a phishing email, but I said I'd point it out here in case it's related.

the website using the domain name, [REDACTED], which is registered with eNom, Inc. and hosted by [REDACTED], is being used for a phishing attack that is endangering the public safety by attempting to fraudulently obtain personal and or sensitive data from Internet users by impersonating a trusted entity.

Specifically, the following URL(s) on [REDACTED] have been observed being used for phishing:

[REDACTED]

Now that you are aware of the phishing attack identified above, we request that you enforce your terms of service by immediately suspending, disabling, or otherwise cancelling the domain name or website in order to mitigate the damages that will inevitably otherwise result. We have a good faith basis to believe that the URL(s) identified above are being used to host phishing content as prescribed under your terms of service, and we have the authority to act on behalf of the trademark holders being impersonated regarding this matter. Thank you, in advance, for your anticipated cooperation.

If there's one thing I hate, it's "security professionals" that throw claims and takedowns around the place without providing any supporting evidence.
 
Plesk's upgrade #54 for Onyx 17.8.11 includes the update of Roundcube Webmail to release 1.3.8. To answer a question that we raised earlier in this thread: after re-testing post upgrade etc, we see that the error that we mentioned has now gone ;)

The 'was it / wasn't it' question, relating to '...was the previous Roundcube Webmail version 1.3.6 the actual cause of that error...', is now irrelevant anyway. We won't be wasting time trying to find the definite answer :) The ONLY related Plesk item that still remains is THIS ONE. When you think of all the recent PHP upgrades by Plesk, we thought that PPPM-10187 would have been fixed at the same time as the 1.3.6 > 1.3.8 upgrade. We're now assuming that it will follow shortly instead :D
 
@learning_curve

I suppose that your statement

The ONLY related Plesk item that still remains is THIS ONE. When you think of all the recent PHP upgrades by Plesk, we thought that PPPM-10187 would have been fixed at the same time as the 1.3.6 > 1.3.8 upgrade. We're now assuming that it will follow shortly instead

has to be augmented with the security issue that Roundcube can still be reached via non-SSL (i.e. http) connections, even if a certificate is installed for webmail.domain.tld.

I am not sure to which extent and/or in which scenarios the aforementioned issue occurs, but it is still present - for many years now.

Another thing to fix : consistent and/or automatic redirect (to https) for Roundcube webmail.

Regards.........
 
Having re-tested everything again (!) and having added a few other tests just in case... ( after reading the post from @trialotto ) there is ONE more thing ;)

It's NOT a security issue :cool: It IS purely a Roundcube issue, NOT a Plesk issue, but among other things, it's indirectly related to this file: /usr/share/psa-roundcube/program/js/jquery.min.js which is, as you correctly pointed out in your post above @IgorG, -rw-r--r-- root root (well, it is in our setup anyway).

This is the relevant bit from the "warning" that's given:

"Detected version of jQuery 3.2.1 appears to be out of date. The latest version is 3.4.1. No known security vulnerabilities found"

jQuery was updated to 3.2.1 by Roundcube from their own 1.3.0 release onward. It has not been updated in the latest 1.3.9 release, but it is updated in the beta 1.4-rc1 release onward. Adding this, just in case anybody reading this thread begins to question their own Roundcube Webmail via Plesk security :)
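An added example, not code from the thread, from Plesk or from Roundcube, covering both IgorG's advice to rule out a false positive (was the root-owned jquery.min.js actually replaced?) and the jQuery version notice above: a POSIX shell check that compares files a package installed against the md5sums manifest dpkg records at install time, and reads the version banner from jquery.min.js. The manifest path /var/lib/dpkg/info/plesk-roundcube.md5sums is an assumption (dpkg only records one when the package ships it); the sample tree is constructed inline.

```shell
#!/bin/sh
# Added example, not from the thread or Plesk: compare files a package installed
# against the checksums dpkg recorded for it, and read jQuery's version banner.
# Real usage (assumed path, only present if the package ships md5sums):
#   verify_manifest /var/lib/dpkg/info/plesk-roundcube.md5sums /

# verify_manifest MANIFEST ROOT
# MANIFEST lines look like dpkg's md5sums files: "<md5>  <path relative to ROOT>".
# Prints one line per altered or missing file; returns 1 if any, 0 if all match.
verify_manifest() {
    manifest="$1"; root="$2"; rc=0
    while read -r sum path; do
        [ -n "$path" ] || continue
        file="$root/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "ALTERED  $path (expected $sum, got $actual)"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# jquery_version FILE: prints X.Y.Z from the "/*! jQuery vX.Y.Z ..." banner on line 1.
jquery_version() {
    sed -n '1{s/.*jQuery v\([0-9][0-9.]*\).*/\1/p;q;}' "$1"
}

# Constructed demo tree (no real package involved): record checksums for two
# files, then modify jquery.min.js after the fact so the check has something to find.
demo=$(mktemp -d)
js="usr/share/psa-roundcube/program/js"
mkdir -p "$demo/$js"
printf '%s\n' '/*! jQuery v3.2.1 | (c) JS Foundation and other contributors | jquery.org/license */' > "$demo/$js/jquery.min.js"
printf '%s\n' 'var app = 1;' > "$demo/$js/app.js"
(cd "$demo" && md5sum "$js/jquery.min.js" "$js/app.js") > "$demo/manifest.md5sums"
printf '%s\n' '/* appended after install */' >> "$demo/$js/jquery.min.js"

verify_manifest "$demo/manifest.md5sums" "$demo" || echo "=> at least one shipped file no longer matches the package"
jquery_version "$demo/$js/jquery.min.js"   # 3.2.1, the version the scanner flagged as out of date
```

A file that fails this comparison was changed after the package was installed; a file that passes is the package's own, whatever version the scanner reports for it.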
 