Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1371066295.286.1723706024128@asd-stable-core-mw-groupware-0.asd-stable-core-mw-hazelcast-headless.asd-stable.svc.cluster.local>
Date: Thu, 15 Aug 2024 10:13:44 +0300 (EEST)
From: Aki Tuomi <aki.tuomi@...ecot.fi>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Dovecot CVE-2024-23184: Having a large number of address headers
 (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive

Affected product: Dovecot IMAP Server
Internal reference: DOV-6464
Vulnerability type: CWE-770 (Allocation of Resources Without Limits or Throttling)
Vulnerable version: 2.2, 2.3
Vulnerable component: lib-mail
Report confidence: Confirmed
Solution status: Fixed in 2.3.21.1
Researcher credits: Vendor internal discovery
Vendor notification: 2024-01-30
CVE reference: CVE-2024-23184
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N)

Vulnerability Details:
Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue.

The main problem is that each header line's address is added to the end of a linked list. This is done by walking the whole linked list, which becomes more inefficient the more addresses there are.

Workaround:
One can implement restrictions on address headers on MTA component preceding Dovecot.

Fix:
Install non-vulnerable version of Dovecot. Patch can be found at https://github.com/dovecot/core/compare/8e4c42d%5E...1481c04.patch

Download attachment "signature.asc" of type "application/pgp-signature" (486 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.