lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 4 Jan 2021 14:03:19 +0200
From: Aki Tuomi <aki.tuomi@...ecot.fi>
To: oss-security@...ts.openwall.com, fulldisclosure@...lists.org
Subject: [FD] CVE-2020-24386: IMAP hibernation allows accessing other
	peoples mail

Open-Xchange Security Advisory 2021-01-04

Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-4113 (Bug ID)
Vulnerability type: CWE-20: Improper Input Validation
Vulnerable version: 2.3.11-2.3.11.3
Vulnerable component: lda, lmtp, imap
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.13
Vendor notification: 2020-09-10
Solution date: 2020-09-14
Public disclosure: 2021-01-04
CVE reference: CVE-2020-25275
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Researcher credit: Innokentii Sennovskiy (Rumata888) from BI.ZONE

Vulnerability Details:

Mail delivery / parsing crashed when the 10 000th MIME part was
message/rfc822 (or if parent was multipart/digest). This happened
due to earlier MIME parsing changes for CVE-2020-12100.

Risk:

Malicious sender can crash dovecot repeatedly by sending / uploading
message with more than 10 000 MIME parts.

Workaround:

These are usually dropped by MTA, where the mitigation can also be applied.

Solution:

Operators should update to 2.3.13 or later version.


Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists