Message-ID: <87768504-5291-4627-6638-8b3073c31501@dovecot.fi>
Date: Thu, 18 Apr 2019 12:05:51 +0300
From: Aki Tuomi <aki.tuomi@...ecot.fi>
To: oss-security@...ts.openwall.com
Subject: CVE-2019-10691: JSON encoder in Dovecot 2.3 incorrectly assert-crashes
 when encountering invalid UTF-8 characters.

Dear subscribers,

we're sharing our latest advisory with you and would like to thank
everyone who contributed to finding and solving these vulnerabilities.
Feel free to join our bug bounty programs (open-xchange, dovecot,
powerdns) at HackerOne. Please find the patch for v2.3.5 attached,
or download the new version.

Yours sincerely,
Aki Tuomi
Open-Xchange Oy

Open-Xchange Security Advisory 2019-04-18
Product: Dovecot
Vendor: OX Software GmbH

Internal reference: DOV-3173 (Bug ID)
Vulnerability type: CWE-176
Vulnerable version: 2.3.0 - 2.3.5.1
Vulnerable component: json encoder
Report confidence: Confirmed
Researcher credits: cPanel L.L.C.
Solution status: Fixed by Vendor
Fixed version: 2.3.5.2
Vendor notification: 2019-04-02
Solution date: 2019-04-11
Public disclosure: 2019-04-18
CVE reference: CVE-2019-10691
CVSS: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
 
Vulnerability Details:
The JSON encoder in Dovecot 2.3 incorrectly assert-crashes when it encounters
invalid UTF-8 characters. This can be used to crash Dovecot in two ways.
An attacker can repeatedly crash the Dovecot authentication process by logging
in with a username containing an invalid UTF-8 sequence. This requires that
auth policy is enabled.
A crash can also occur if the OX push notification driver is enabled and an
email is delivered with an invalid UTF-8 sequence in its From or Subject header.
In 2.2, malformed UTF-8 sequences are forwarded "as-is" and thus do not
cause problems in Dovecot itself; the target systems receiving that forwarded
data should be checked for possible problems in dealing with such sequences.
See https://wiki.dovecot.org/Authentication/Policy for details on auth
policy support.
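As an added illustration, not Dovecot's own code, the C function below shows the defensive encoder behaviour the attached patch title describes: well-formed UTF-8 is copied through and each byte of an invalid sequence is emitted as a \u00XX escape instead of tripping an assertion that aborts the process. The helper names and the exact escape form are assumptions for this example, not taken from the Dovecot source.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of the well-formed UTF-8 sequence starting at s (n bytes available),
 * or 0 if it is not one: stray continuation bytes, truncated, overlong,
 * surrogate and out-of-range forms are all rejected. */
static size_t utf8_seq_len(const unsigned char *s, size_t n)
{
    size_t len;
    uint32_t cp, min;
    if (s[0] < 0x80) return 1;
    if ((s[0] & 0xE0) == 0xC0) { len = 2; cp = s[0] & 0x1F; min = 0x80; }
    else if ((s[0] & 0xF0) == 0xE0) { len = 3; cp = s[0] & 0x0F; min = 0x800; }
    else if ((s[0] & 0xF8) == 0xF0) { len = 4; cp = s[0] & 0x07; min = 0x10000; }
    else return 0;
    if (n < len) return 0;
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
    return len;
}

/* Return a malloc'd JSON-escaped copy of src (caller frees; NULL on OOM).
 * Valid UTF-8 passes through; '"', '\\' and control bytes are escaped;
 * every byte of an invalid UTF-8 sequence becomes \u00XX. A vulnerable
 * encoder would instead assert on the invalid byte and abort the process. */
char *json_escape_utf8(const char *src)
{
    const unsigned char *s = (const unsigned char *)src;
    size_t n = strlen(src), cap = n * 6 + 1, o = 0;   /* \u00XX is 6 bytes */
    char *out = malloc(cap);
    if (out == NULL) return NULL;
    for (size_t i = 0; i < n; ) {
        size_t len = utf8_seq_len(s + i, n - i);
        if (len == 1 && (s[i] == '"' || s[i] == '\\')) {
            out[o++] = '\\'; out[o++] = (char)s[i]; i++;
        } else if (len == 0 || s[i] < 0x20) {        /* invalid or control byte */
            o += (size_t)snprintf(out + o, cap - o, "\\u%04x", (unsigned)s[i]); i++;
        } else {
            memcpy(out + o, s + i, len); o += len; i += len;
        }
    }
    out[o] = '\0';
    return out;
}
```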

Risk:
A determined attacker can prevent the authentication process from staying up
by repeatedly attempting to log in with a username containing an invalid
UTF-8 sequence.
Steps to reproduce:
Configure Dovecot with auth_policy_server_url and auth_policy_hash_nonce set.
Attempt to log in with a username containing an invalid UTF-8 sequence.
Observe the assert-crash in the Dovecot logs.

Solution:
Operators should update to the latest patch release (2.3.5.2) or disable auth
policy support.


Attachment: "0001-lib-json-Escape-invalid-UTF-8-as-unicode-bytes.patch" (text/x-patch, 2509 bytes)