VuXML ID | Description |
74db0d02-b140-4c32-aac6-1f1e81e1ad30 | dovecot -- multiple vulnerabilities
Aki Tuomi reports:
lib-smtp doesn't handle truncated command parameters properly, resulting
in infinite loop taking 100% CPU for the process. This happens for LMTP
(where it doesn't matter so much) and also for submission-login where
unauthenticated users can trigger it.
Aki also reports:
Snippet generation crashes if:
* message is large enough that message-parser returns multiple body blocks
* The first block(s) don't contain the full snippet (e.g. full of whitespace)
* input ends with '>'
Discovery 2020-01-14  Entry 2020-02-13
Affects: dovecot < 2.3.9.3
https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html
https://dovecot.org/pipermail/dovecot-news/2020-February/000431.html
CVE-2020-7046
CVE-2020-7967
|
7862213c-5152-11e9-8b26-a4badb296695 | dovecot -- Buffer overflow reading extension header
Aki Tuomi reports:
Vulnerability Details:
When reading FTS or POP3-UIDL header from dovecot index, the input
buffer size is not bound, and data is copied to target structure causing
stack overflow.
Risk:
This can be used for local root privilege escalation or executing
arbitrary code in dovecot process context. This requires ability to
directly modify dovecot indexes.
Steps to reproduce:
Produce dovecot.index.log entry that creates an FTS header which has
more than 12 bytes of data.
Trigger dovecot indexer-worker or run doveadm index.
Dovecot will crash.
Mitigations:
Since 2.3.0 dovecot has been compiled with stack smash protection, ASLR,
read-only GOT tables and other techniques that make exploiting this bug
much harder.
Discovery 2019-02-05  Entry 2019-03-28
Affects: dovecot < 2.3.5.1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-7524
https://dovecot.org/list/dovecot-news/2019-March/000401.html
CVE-2019-7524
|
abaaecda-ea16-43e2-bad0-d34a9ac576b1 | Dovecot -- improper input validation
Aki Tuomi reports:
Vulnerability Details:
IMAP and ManageSieve protocol parsers do not properly handle NUL byte
when scanning data in quoted strings, leading to out of bounds heap
memory writes.
Risk:
This vulnerability allows for out-of-bounds writes to objects stored on
the heap up to 8096 bytes in pre-login phase, and 65536 bytes post-login
phase, allowing sufficiently skilled attacker to perform complicated
attacks that can lead to leaking private information or remote code
execution. Abuse of this bug is very difficult to observe, as it does
not necessarily cause a crash. Attempts to abuse this bug are not
directly evident from logs.
Discovery 2019-04-13  Entry 2019-08-28
Affects: dovecot < 2.3.7.2; dovecot-pigeonhole < 0.5.7.2
https://dovecot.org/pipermail/dovecot/2019-August/116874.html
CVE-2019-11500
|
bd98066d-4ea4-11eb-b412-e86a64caca56 | mail/dovecot -- multiple vulnerabilities
Aki Tuomi reports:
* When imap hibernation is active, an attacker can cause Dovecot to discover
file system directory structure and access other users' emails using specially
crafted command. The attacker must have valid credentials to access the mail
server.
* Mail delivery / parsing crashed when the 10 000th MIME part was
message/rfc822 (or if parent was multipart/digest). This happened due to
earlier MIME parsing changes for CVE-2020-12100.
Discovery 2020-08-17  Entry 2021-01-04
Affects: dovecot < 2.3.13
https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html
CVE-2020-24386
CVE-2020-25275
|
37d106a8-15a4-483e-8247-fcb68b16eaf8 | Dovecot -- Multiple vulnerabilities
Aki Tuomi reports:
Vulnerability Details:
Sending malformed NOOP command causes crash in submission, submission-login or
lmtp service.
Risk:
Remote attacker can keep submission-login service down, causing denial of
service attack. For lmtp the risk is negligible, as lmtp is usually behind a
trusted MTA.
Steps to reproduce:
Send ``NOOP EE"FY`` to submission port, or similarly malformed command.
Vulnerability Details:
Sending command followed by sufficient number of newlines triggers a
use-after-free bug that might crash submission-login, submission or
lmtp service.
Risk:
Remote attacker can keep submission-login service down, causing denial
of service attack. For lmtp the risk is negligible, as lmtp is usually
behind a trusted MTA.
Steps to reproduce:
This can be currently reproduced with ASAN or Valgrind. Reliable way to
crash has not yet been discovered.
Vulnerability Details:
Sending mail with empty quoted localpart causes submission or lmtp component
to crash.
Risk:
Malicious actor can cause denial of service to mail delivery by repeatedly
sending mails with bad sender or recipient address.
Steps to reproduce:
Send mail with envelope sender or recipient as <""@example.org>.
Workaround:
For submission there is no workaround, but triggering the bug requires valid
credentials.
For lmtp, one can implement sufficient filtering on MTA level to prevent mails
with such addresses from ending up in LMTP delivery.
Discovery 2020-04-02  Entry 2020-05-18
Affects: dovecot < 2.3.10.1
https://dovecot.org/pipermail/dovecot-news/2020-May/000438.html
CVE-2020-10957
CVE-2020-10958
CVE-2020-10967
|
1340fcc1-2953-11e9-bc44-a4badb296695 | mail/dovecot -- Suitable client certificate can be used to login as other user
Aki Tuomi (Open-Xchange Oy) reports:
Normally Dovecot is configured to authenticate
imap/pop3/managesieve/submission clients using regular username/password
combination. Some installations have also required clients to present a
trusted SSL certificate on top of that. It's also possible to configure
Dovecot to take the username from the certificate instead of from the
user provided authentication. It's also possible to avoid having a
password at all, only trusting the SSL certificate.
If the provided trusted SSL certificate is missing the username field,
Dovecot should be failing the authentication. However, the earlier
versions will take the username from the user provided authentication
fields (e.g. LOGIN command). If there is no additional password
verification, this allows the attacker to login as anyone else in the
system.
This affects only installations using:
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
Attacker must also have access to a valid trusted certificate without
the ssl_cert_username_field in it. The default is commonName, which
almost certainly exists in all certificates. This could happen for
example if ssl_cert_username_field is a field that normally doesn't
exist, and attacker has access to a web server's certificate (and key),
which is signed with the same CA.
Attack can be mitigated by having the certificates with proper Extended
Key Usage, such as 'TLS Web Server' and 'TLS Web Server Client'.
Also, ssl_cert_username_field setting was ignored with external SMTP
AUTH, because none of the MTAs (Postfix, Exim) currently send the
cert_username field. This may have allowed users with trusted
certificate to specify any username in the authentication. This does not
apply to Dovecot Submission service.
Discovery 2019-01-16  Entry 2019-02-05
Affects: dovecot < 2.3.4.1
https://www.mail-archive.com/dovecot@dovecot.org/msg76117.html
CVE-2019-3814
|
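For the auth_ssl_username_from_cert deployment described in the entry above, an operator can check every client certificate before trusting it for login: the subject must actually contain the field the server will read as the username (ssl_cert_username_field, commonName by default), and the certificate must carry the client-authentication extended key usage that the advisory names as the mitigation. OpenSSL prints that EKU as "TLS Web Client Authentication". The script below is an added example written for this page, not Dovecot code; the function names check_client_cert and make_test_certs, and the throwaway CA and leaf certificates the second function generates, are constructed for illustration only.

```shell
# check_client_cert CERT_FILE [FIELD]
# Exit 0 only if the certificate subject contains FIELD (default CN, the
# commonName that ssl_cert_username_field uses by default) AND the
# certificate carries the TLS Web Client Authentication extended key usage.
# A server certificate issued by the same CA, or a client certificate that
# lacks the username field, is rejected.  (Added example; hypothetical name.)
check_client_cert() {
    cert="$1"
    field="${2:-CN}"
    # One RDN per line with short names, e.g. "    CN=alice"
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline,utf8) || return 2
    printf '%s\n' "$subject" | grep -Eq "^[[:space:]]*${field}=" || return 1
    openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Client Authentication' || return 1
    return 0
}

# make_test_certs DIR
# Constructed test material (not real certificates): a throwaway CA and three
# leaf certificates signed by it, so the check can be exercised offline.
#   client.pem  CN=alice, EKU clientAuth        -> should pass
#   server.pem  CN=mail.example.org, serverAuth -> wrong EKU, should fail
#   nocn.pem    O=Example, EKU clientAuth       -> no CN to take a username from
make_test_certs() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    printf 'extendedKeyUsage=serverAuth\n' > "$dir/server.ext"
    # fields: leaf-name  ext-file-name  subject
    for spec in "client client /CN=alice" \
                "server server /CN=mail.example.org" \
                "nocn client /O=Example"; do
        set -- $spec
        openssl req -newkey rsa:2048 -nodes -subj "$3" \
            -keyout "$dir/$1.key" -out "$dir/$1.csr" 2>/dev/null || return 1
        openssl x509 -req -days 1 -in "$dir/$1.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
            -CAcreateserial -extfile "$dir/$2.ext" -out "$dir/$1.pem" 2>/dev/null || return 1
    done
}
```

check_client_cert exits 0 only when both conditions hold, so it can gate certificate issuance or a periodic audit of everything the mail CA has signed. The server.pem case in make_test_certs is exactly the scenario the advisory describes: same CA, a key usage that was never meant for client login, and no username field worth trusting.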
3f98ccb3-6b8a-11e9-9b5c-a4badb296695 | Dovecot -- Multiple vulnerabilities
Aki Tuomi reports:
Submission-login crashes with signal 11 due to null pointer access when authentication is aborted by disconnecting. This can lead to denial-of-service attack by persistent attacker(s).
Aki Tuomi reports:
Submission-login crashes when authentication is started over TLS secured channel and invalid authentication message is sent. This can lead to denial-of-service attack by persistent attacker(s).
Discovery 2019-03-11  Entry 2019-04-30
Affects: dovecot >= 2.3.0, < 2.3.6
https://dovecot.org/list/dovecot-news/2019-April/000409.html
CVE-2019-11494
https://dovecot.org/list/dovecot-news/2019-April/000410.html
CVE-2019-11499
|
87a07de1-e55e-4d51-bb64-8d117829a26a | mail/dovecot -- multiple vulnerabilities
Aki Tuomi reports:
* Parsing mails with a large number of MIME parts could have resulted in
excessive CPU usage or a crash due to running out of stack memory.
* Dovecot's NTLM implementation does not correctly check message buffer size,
which leads to reading past allocation which can lead to crash.
* lmtp/submission: Issuing the RCPT command with an address that has the empty
quoted string as local-part causes the lmtp service to crash.
* Dovecot's RPA mechanism implementation accepts zero-length message, which
leads to assert-crash later on.
Discovery 2020-04-23  Entry 2020-08-13
Affects: dovecot < 2.3.11
https://dovecot.org/pipermail/dovecot-news/2020-August/000440.html
CVE-2020-12100
CVE-2020-12673
CVE-2020-10967
CVE-2020-12674
|
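Two entries on this page carry CVE-2020-10967: the 2.3.10.1 entry, whose workaround for LMTP is to filter such addresses at the MTA before delivery, and the 2.3.11 entry above, which repeats the RCPT trigger. What that filter has to recognise is an RFC 5321 quoted-string local part whose decoded content is empty, while still accepting legitimate quoted local parts such as "john doe" and the null reverse-path <> that MAIL FROM is allowed to use. The Python below is an added example written for this page, not Dovecot, Postfix or Exim code; the function names classify_path and rejectable_commands and the SAMPLE_COMMANDS list are constructed for illustration.

```python
import re

# Constructed sample MAIL FROM / RCPT TO commands (not from the advisory).
# The third one carries the empty quoted local part the advisory describes.
SAMPLE_COMMANDS = [
    'MAIL FROM:<alice@example.org>',
    'RCPT TO:<"john doe"@example.org>',
    'RCPT TO:<""@example.org>',
    'MAIL FROM:<> SIZE=1024',
    'RCPT TO:<"unterminated@example.org>',
]

# RFC 5321 dot-atom local part: runs of atext separated by single dots.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_DOT_ATOM_RE = re.compile(r"^%s(?:\.%s)*$" % (_ATEXT, _ATEXT))
# Envelope verb plus the path; ESMTP parameters after the path are ignored.
_CMD_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*(<[^>]*>|\S+)", re.IGNORECASE)


def classify_path(path):
    """Classify a reverse-path or forward-path as given in MAIL FROM / RCPT TO.

    'null'                the empty path <> (legal as a null sender)
    'ok'                  dot-atom, or a non-empty quoted-string local part
    'empty-quoted-local'  the ""@domain form that crashed lmtp/submission
    'malformed'           anything else the RFC 5321 grammar does not allow
    """
    s = path.strip()
    if s.startswith("<") and s.endswith(">"):
        s = s[1:-1].strip()
    if s == "":
        return "null"
    if s.startswith('"'):
        # Quoted-string local part: qtext or backslash quoted-pair up to the
        # closing quote.  Decode it so that "" is told apart from "\"".
        buf, i = [], 1
        while i < len(s) and s[i] != '"':
            if s[i] == "\\":
                if i + 1 >= len(s):
                    return "malformed"
                buf.append(s[i + 1])
                i += 2
            else:
                buf.append(s[i])
                i += 1
        if i >= len(s):
            return "malformed"  # no closing quote
        local, rest = "".join(buf), s[i + 1:]
        if not rest.startswith("@") or len(rest) < 2:
            return "malformed"
        return "empty-quoted-local" if local == "" else "ok"
    at = s.rfind("@")
    if at <= 0 or at == len(s) - 1:
        return "malformed"
    return "ok" if _DOT_ATOM_RE.match(s[:at]) else "malformed"


def rejectable_commands(commands):
    """Return (command, verdict) for each envelope command an MTA should refuse
    before handing the message to LMTP: empty quoted local parts and malformed
    paths.  A null path is acceptable for MAIL FROM but not for RCPT TO."""
    flagged = []
    for cmd in commands:
        m = _CMD_RE.match(cmd.strip())
        if not m:
            continue
        verb, verdict = m.group(1).upper(), classify_path(m.group(2))
        if verdict == "null" and verb == "RCPT TO":
            verdict = "malformed"
        if verdict not in ("ok", "null"):
            flagged.append((cmd, verdict))
    return flagged


if __name__ == "__main__":
    for cmd, why in rejectable_commands(SAMPLE_COMMANDS):
        print("reject %-40s %s" % (cmd, why))
```

The quoted-string branch decodes backslash escapes before deciding, so a local part written as "\"" (one escaped quote character) is accepted while "" is refused; a check that only looks for the literal byte sequence `""@` would miss nothing here but would also reject the former, which is a valid address.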
a64aa22f-61ec-11e9-85b9-a4badb296695 | dovecot -- json encoder crash
Aki Tuomi reports:
* CVE-2019-10691: Trying to login with 8bit username containing
invalid UTF8 input causes auth process to crash if auth policy is
enabled. This could be used rather easily to cause a DoS. Similar
crash also happens during mail delivery when using invalid UTF8 in
From or Subject header when OX push notification driver is used.
Discovery 2019-04-09  Entry 2019-04-18  Modified 2019-05-26
Affects: dovecot >= 2.3.0, < 2.3.5.2; dovecot2 >= 2.3.0, < 2.3.5.2
https://dovecot.org/pipermail/dovecot-news/2019-April/000407.html
CVE-2019-10691
|
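Each entry on this page states its affected range as an exclusive upper bound, sometimes with an inclusive lower bound ("ge 2.3.0 lt 2.3.6"). Checking a running server against all of them by hand invites mistakes, because the components compare numerically: 2.3.10.1 is newer than 2.3.9.3 although it sorts earlier as a string. The script below is an added example written for this page, not FreeBSD VuXML or Dovecot tooling; the ADVISORIES table is transcribed from the entries above, the function names are hypothetical, and the script assumes that `dovecot --version` prints the version number first on its output line.

```python
import re

# Affected ranges transcribed from the VuXML entries on this page.
# (package, lower bound inclusive or None, upper bound exclusive, CVEs)
ADVISORIES = [
    ("dovecot", None, "2.3.9.3", ["CVE-2020-7046", "CVE-2020-7967"]),
    ("dovecot", None, "2.3.5.1", ["CVE-2019-7524"]),
    ("dovecot", None, "2.3.7.2", ["CVE-2019-11500"]),
    ("dovecot-pigeonhole", None, "0.5.7.2", ["CVE-2019-11500"]),
    ("dovecot", None, "2.3.13", ["CVE-2020-24386", "CVE-2020-25275"]),
    ("dovecot", None, "2.3.10.1", ["CVE-2020-10957", "CVE-2020-10958", "CVE-2020-10967"]),
    ("dovecot", None, "2.3.4.1", ["CVE-2019-3814"]),
    ("dovecot", "2.3.0", "2.3.6", ["CVE-2019-11494", "CVE-2019-11499"]),
    ("dovecot", None, "2.3.11", ["CVE-2020-12100", "CVE-2020-12673", "CVE-2020-10967", "CVE-2020-12674"]),
    ("dovecot", "2.3.0", "2.3.5.2", ["CVE-2019-10691"]),
    ("dovecot2", "2.3.0", "2.3.5.2", ["CVE-2019-10691"]),
]

_VERSION_RE = re.compile(r"\s*(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn '2.3.10.1', or a 'dovecot --version' line such as '2.3.13 (89f716dc2)',
    into a tuple of ints so that components compare numerically."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def compare_versions(a, b):
    """Return -1, 0 or 1.  Shorter tuples are zero-padded so 2.3.13 == 2.3.13.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def version_affected(version, lower, upper):
    """True if lower <= version < upper (lower may be None for 'all earlier')."""
    v = parse_version(version)
    if lower is not None and compare_versions(v, parse_version(lower)) < 0:
        return False
    return compare_versions(v, parse_version(upper)) < 0


def affected_cves(package, version):
    """Sorted list of CVEs from ADVISORIES that apply to this package and version."""
    cves = set()
    for pkg, lower, upper, ids in ADVISORIES:
        if pkg == package and version_affected(version, lower, upper):
            cves.update(ids)
    return sorted(cves)


if __name__ == "__main__":
    import subprocess
    import sys
    # Prefer the installed binary; otherwise take a version string from argv.
    try:
        out = subprocess.run(["dovecot", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = sys.argv[1] if len(sys.argv) > 1 else "2.3.5.1"
    hits = affected_cves("dovecot", out)
    print("dovecot %s: %s" % (out.strip(), ", ".join(hits) if hits else "no CVEs from this page"))
```

Note that a range with no lower bound (for example "< 2.3.9.3") is recorded here exactly as the page gives it, so a 2.2.x server is reported as affected by those entries while the "ge 2.3.0" entries correctly exclude it; whether a given 2.2.x release actually contained the vulnerable code is a question the page does not answer.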