CVE-2021-33515: SMTP Submission service STARTTLS injection
Open-Xchange Security Advisory 2021-06-21
Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-4583 (Bug ID)
Vulnerability type: CWE-74: Failure to Sanitize Data into a Different Plane ('Injection')
Vulnerable version: 2.3.0-2.3.14
Vulnerable component: submission
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.14.1
Vendor notification: 2021-05-21
Solution date: 2021-05-22
Public disclosure: 2021-06-21
CVE reference: CVE-2021-33515
CVSS: 4.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
Researcher credit: Fabian Ising and Damian Poddebniak of Münster University of Applied Sciences
Vulnerability Details:
An on-path attacker could inject plaintext commands before the STARTTLS negotiation that would be executed after STARTTLS finished with the client. Only the SMTP submission service is affected.
Risk:
An attacker can potentially steal user credentials and mails. The attacker needs to have sending permissions on the submission server (a valid username and password).
Workaround:
None.
Solution:
Operators should update to 2.3.14.1 or a later version.
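As an added illustration (not Dovecot's code and not part of the advisory or this thread), the following Python model shows the mechanism the advisory describes: plaintext bytes that the server has already read when it processes STARTTLS stay in its input buffer and get executed as if they had arrived inside the TLS session; it also shows the generic mitigation of discarding that buffer at the TLS transition. The byte stream, the function name and the command set are constructed for the example.

```python
# Constructed model of an SMTP submission server's command loop around STARTTLS.
# Not Dovecot code; the real server's buffering and its actual fix are not shown here.

VULNERABLE = "vulnerable"
FIXED = "fixed"


def run_submission_server(wire_bytes: bytes, mode: str) -> list:
    """Process a byte stream the way a submission server reads it from the socket.

    Returns the list of (verb, over_tls) pairs in execution order, where over_tls
    is what the server *believes* about the command's transport. In VULNERABLE
    mode a command that was injected in plaintext shows up as (verb, True).
    """
    executed = []
    tls_active = False
    # Everything read from the socket so far, including bytes that arrived in the
    # same TCP segment as the STARTTLS command (this is where injection lands).
    buf = bytearray(wire_bytes)
    while b"\r\n" in buf:
        line, _, rest = bytes(buf).partition(b"\r\n")
        buf = bytearray(rest)
        verb = line.decode("ascii", "replace").strip().split(" ", 1)[0].upper()
        if verb == "STARTTLS" and not tls_active:
            # "220 Ready to start TLS": the handshake happens here.
            tls_active = True
            if mode == FIXED:
                # Mitigation: bytes that were read from the plaintext socket must not
                # be interpreted as commands of the encrypted session. Discarding the
                # buffer here is the generic fix; RFC 3207 also requires the server
                # to reset its session state after the handshake.
                buf.clear()
            continue
        executed.append((verb, tls_active))
    return executed


# Constructed stream: the client's legitimate EHLO and STARTTLS, followed by a NOOP
# that was appended in plaintext before the handshake completed.
STREAM = b"EHLO mail.example.test\r\nSTARTTLS\r\nNOOP injected\r\n"

if __name__ == "__main__":
    for mode in (VULNERABLE, FIXED):
        print(mode, run_submission_server(STREAM, mode))
```

In the vulnerable run the injected NOOP is executed with over_tls set to True, which is the confusion between the plaintext and encrypted planes that CWE-74 describes; the fixed run executes only the EHLO.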
On Mon, 21 Jun 2021 13:51:30 +0200 Timo Sirainen timo@sirainen.com wrote:
Open-Xchange Security Advisory 2021-06-21
CentOS 7 has no repo with 2.3.15. I am using 2.2.36 (1f10bfa63). Is this OK?
This is my personal server, hence all the accounts are mine, so it isn't like I am going to hack myself.
On 22.06.2021 at 11:11, lists@lazygranch.com wrote:
CentOS 7 has no repo with 2.3.15. I am using 2.2.36 (1f10bfa63). Is this OK?
check https://repo.dovecot.org
/Götz
On 22. Jun 2021, at 11.11, lists@lazygranch.com wrote:
Vulnerability Details:
On-path attacker could inject plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client. Only the SMTP submission service is affected.
CentOS 7 has no repo with 2.3.15. I am using 2.2.36 (1f10bfa63). Is this OK?
This is my personal server, hence all the accounts are mine, so it isn't like I am going to hack myself.
Only the submission service is vulnerable, and v2.2.36 doesn't have the submission service at all. So it's not vulnerable to this.
And for the Sieve excessive resource usage it's not really a problem, especially with personal servers.