[Dovecot-news] CVE-2019-10691: JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering invalid UTF-8 characters.
aki.tuomi at open-xchange.com
Thu Apr 18 12:06:06 EEST 2019
we're sharing our latest advisory with you and would like to thank
everyone who contributed in finding and solving those vulnerabilities.
Feel free to join our bug bounty programs (open-xchange, dovecot,
powerdns) at HackerOne.
You can find binary packages at https://repo.dovecot.org/
Open-Xchange Security Advisory 2019-04-18
Vendor: OX Software GmbH
Internal reference: DOV-3173 (Bug ID)
Vulnerability type: CWE-176
Vulnerable version: 2.3.0 - 126.96.36.199
Vulnerable component: json encoder
Report confidence: Confirmed
Researcher credits: cPanel L.L.C.
Solution status: Fixed by Vendor
Fixed version: 188.8.131.52
Vendor notification: 2019-04-02
Solution date: 2019-04-11
Public disclosure: 2019-04-18
CVE reference: CVE-2019-10691
CVSS: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering
invalid UTF-8 characters. This can be used to crash dovecot in two ways.
Attacker can repeatedly crash Dovecot authentication process by logging
in using invalid UTF-8 sequence in username. This requires that auth
policy is enabled.
Crash can also occur if OX push notification driver is enabled and an
email is delivered with invalid UTF-8 sequence in From or Subject header.
In 2.2, malformed UTF-8 sequences are forwarded "as-is", and thus do not
cause problems in Dovecot itself. Target systems should be checked for
possible problems in dealing with such sequences.
See https://wiki.dovecot.org/Authentication/Policy for details on auth
Determined attacker can prevent authentication process from staying up
by keeping on attempting to log in with username containing invalid
Steps to reproduce:
Configure dovecot with auth_policy_server_url and auth_policy_hash_nonce
Attempt to log in with username containing an invalid UTF-8 sequence
Observe assert-crash in dovecot logs.
Operators should update to the latest Patch Release or disable auth
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 488 bytes
Desc: OpenPGP digital signature
More information about the Dovecot-news