we’re sharing our latest advisory with you and would like to thank
everyone who contributed in finding and solving those vulnerabilities.
Feel free to join our bug bounty programs (open-xchange, dovecot,
powerdns) at HackerOne.
You can find binary packages at https://repo.dovecot.org/
Open-Xchange Security Advisory 2019-04-18
Vendor: OX Software GmbH
Internal reference: DOV-3173 (Bug ID)
Vulnerability type: CWE-176
Vulnerable version: 2.3.0 - 126.96.36.199
Vulnerable component: json encoder
Report confidence: Confirmed
Researcher credits: cPanel L.L.C.
Solution status: Fixed by Vendor
Fixed version: 188.8.131.52
Vendor notification: 2019-04-02
Solution date: 2019-04-11
Public disclosure: 2019-04-18
CVE reference: CVE-2019-10691
CVSS: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering
invalid UTF-8 characters. This can be used to crash dovecot in two ways.
Attacker can repeatedly crash Dovecot authentication process by logging
in using invalid UTF-8 sequence in username. This requires that auth
policy is enabled.
Crash can also occur if OX push notification driver is enabled and an
email is delivered with invalid UTF-8 sequence in From or Subject header.
In 2.2, malformed UTF-8 sequences are forwarded “as-is”, and thus do not
cause problems in Dovecot itself. Target systems should be checked for
possible problems in dealing with such sequences.
See https://wiki.dovecot.org/Authentication/Policy for details on auth
Determined attacker can prevent authentication process from staying up
by keeping on attempting to log in with username containing invalid
Steps to reproduce:
Configure dovecot with auth_policy_server_url and auth_policy_hash_nonce
Attempt to log in with username containing an invalid UTF-8 sequence
Observe assert-crash in dovecot logs.
Operators should update to the latest Patch Release or disable auth