forums.meulie.net

[Dovecot-news] CVE-2019-10691: JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering invalid UTF-8 characters

#1

Dear subscribers,

we’re sharing our latest advisory with you and would like to thank
everyone who contributed in finding and solving those vulnerabilities.
Feel free to join our bug bounty programs (open-xchange, dovecot,
powerdns) at HackerOne.

You can find binary packages at https://repo.dovecot.org/

Yours sincerely,
Aki Tuomi
Open-Xchange Oy

Open-Xchange Security Advisory 2019-04-18
Product: Dovecot
Vendor: OX Software GmbH

Internal reference: DOV-3173 (Bug ID)
Vulnerability type: CWE-176
Vulnerable version: 2.3.0 - 2.3.5.1
Vulnerable component: json encoder
Report confidence: Confirmed
Researcher credits: cPanel L.L.C.
Solution status: Fixed by Vendor
Fixed version: 2.3.5.2
Vendor notification: 2019-04-02
Solution date: 2019-04-11
Public disclosure: 2019-04-18
CVE reference: CVE-2019-10691
CVSS: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering
invalid UTF-8 characters. This can be used to crash dovecot in two ways.
Attacker can repeatedly crash Dovecot authentication process by logging
in using invalid UTF-8 sequence in username. This requires that auth
policy is enabled.
Crash can also occur if OX push notification driver is enabled and an
email is delivered with invalid UTF-8 sequence in From or Subject header.
In 2.2, malformed UTF-8 sequences are forwarded “as-is”, and thus do not
cause problems in Dovecot itself. Target systems should be checked for
possible problems in dealing with such sequences.
See https://wiki.dovecot.org/Authentication/Policy for details on auth
policy support.

Risk:
Determined attacker can prevent authentication process from staying up
by keeping on attempting to log in with username containing invalid
UTF-8 sequence.
Steps to reproduce:
Configure dovecot with auth_policy_server_url and auth_policy_hash_nonce
set.
Attempt to log in with username containing an invalid UTF-8 sequence
Observe assert-crash in dovecot logs.

Solution:
Operators should update to the latest Patch Release or disable auth
policy support.


Dovecot-news mailing list
Dovecot-news@dovecot.org
https://dovecot.org/mailman/listinfo/dovecot-news