Security
Headlines
HeadlinesLatestCVEs

Headline

Dovecot IMAP Server 2.2 / 2.3 Missing Rate Limiting

Dovecot IMAP server versions 2.2 and 2.3 have an issue where a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue.

Packet Storm
#vulnerability#git
Affected product: Dovecot IMAP ServerInternal reference: DOV-6464Vulnerability type: CWE-770 (Allocation of Resources Without Limits or Throttling)Vulnerable version: 2.2, 2.3Vulnerable component: lib-mailReport confidence: ConfirmedSolution status: Fixed in 2.3.21.1Researcher credits: Vendor internal discoveryVendor notification: 2024-01-30CVE reference: CVE-2024-23184CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N)Vulnerability Details:Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue.The main problem is that each header line's address is added to the end of a linked list. This is done by walking the whole linked list, which becomes more inefficient the more addresses there are.Workaround:One can implement restrictions on address headers on MTA component preceding Dovecot.Fix:Install non-vulnerable version of Dovecot. Patch can be found at https://github.com/dovecot/core/compare/8e4c42d%5E...1481c04.patch

Related news

Ubuntu Security Notice USN-7013-1

Ubuntu Security Notice 7013-1 - It was discovered that Dovecot incorrectly handled a large number of address headers. A remote attacker could possibly use this issue to cause Dovecot to consume resources, leading to a denial of service. It was discovered that Dovecot incorrectly handled very large headers. A remote attacker could possibly use this issue to cause Dovecot to consume resources, leading to a denial of service.

Red Hat Security Advisory 2024-6529-03

Red Hat Security Advisory 2024-6529-03 - An update for dovecot is now available for Red Hat Enterprise Linux 9. Issues addressed include denial of service and resource exhaustion vulnerabilities.

Ubuntu Security Notice USN-6982-1

Ubuntu Security Notice 6982-1 - It was discovered that Dovecot did not not properly have restrictions on the size of address headers. A remote attacker could possibly use this issue to cause denial of service.

Debian Security Advisory 5752-1

Debian Linux Security Advisory 5752-1 - Two vulnerabilities have been discovered in the IMAP implementation of large headers can result in high CPU usage, leading to denial of service.

Packet Storm: Latest News

Scapy Packet Manipulation Tool 2.6.1