CVE-2019-10691: JSON encoder in Dovecot 2.3 incorrectly assert-crashes when encountering invalid UTF-8 characters.
Dear subscribers,
we're sharing our latest advisory with you and would like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs (open-xchange, dovecot, powerdns) at HackerOne.
You can find binary packages at https://repo.dovecot.org/
Yours sincerely,
Aki Tuomi
Open-Xchange Oy
Open-Xchange Security Advisory 2019-04-18
Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-3173 (Bug ID)
Vulnerability type: CWE-176
Vulnerable version: 2.3.0 - 2.3.5.1
Vulnerable component: json encoder
Report confidence: Confirmed
Researcher credits: cPanel L.L.C.
Solution status: Fixed by Vendor
Fixed version: 2.3.5.2
Vendor notification: 2019-04-02
Solution date: 2019-04-11
Public disclosure: 2019-04-18
CVE reference: CVE-2019-10691
CVSS: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
The JSON encoder in Dovecot 2.3 incorrectly assert-crashes when encountering invalid UTF-8 characters. This can be used to crash Dovecot in two ways. An attacker can repeatedly crash the Dovecot authentication process by logging in with a username containing an invalid UTF-8 sequence; this requires that auth policy is enabled. A crash can also occur if the OX push notification driver is enabled and an email is delivered with an invalid UTF-8 sequence in the From or Subject header. In 2.2, malformed UTF-8 sequences are forwarded "as-is" and thus do not cause problems in Dovecot itself; target systems should still be checked for possible problems in dealing with such sequences. See https://wiki.dovecot.org/Authentication/Policy for details on auth policy support.
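The defensive pattern the advisory implies is that a JSON encoder must treat untrusted input bytes as data to validate, not as a precondition to assert on. The following is an added illustration written for this advisory, not Dovecot's own json encoder or its 2.3.5.2 fix: a small UTF-8-validating JSON string escaper that substitutes U+FFFD for every invalid or truncated sequence (overlong forms, surrogates and out-of-range code points included) and keeps going, so a hostile username or header can never take the process down. The function names (utf8_seq_len, json_escape_utf8) and the sample username are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode one UTF-8 sequence at s[0..len). Returns the number of bytes the
 * sequence occupies (1..4) and stores the code point in *cp, or returns 0
 * for an invalid or truncated sequence. Overlong encodings, UTF-16
 * surrogates and code points above U+10FFFF are rejected as invalid. */
static size_t utf8_seq_len(const unsigned char *s, size_t len, uint32_t *cp)
{
    unsigned char c = s[0];
    size_t n;
    uint32_t v;

    if (c < 0x80) { *cp = c; return 1; }
    else if ((c & 0xE0) == 0xC0) { n = 2; v = c & 0x1F; }
    else if ((c & 0xF0) == 0xE0) { n = 3; v = c & 0x0F; }
    else if ((c & 0xF8) == 0xF0) { n = 4; v = c & 0x07; }
    else return 0;                    /* stray continuation byte or 0xF8..0xFF */

    if (n > len) return 0;            /* sequence truncated at end of input */
    for (size_t i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        v = (v << 6) | (s[i] & 0x3F);
    }
    if ((n == 2 && v < 0x80) || (n == 3 && v < 0x800) || (n == 4 && v < 0x10000))
        return 0;                     /* overlong encoding */
    if (v > 0x10FFFF || (v >= 0xD800 && v <= 0xDFFF))
        return 0;                     /* out of range or surrogate */
    *cp = v;
    return n;
}

/* Write a JSON-escaped copy of in[0..in_len) into out (out_size bytes,
 * NUL-terminated). Invalid UTF-8 bytes become U+FFFD instead of triggering
 * an assertion. Returns 0 on success, -1 if out is too small. */
int json_escape_utf8(const char *in, size_t in_len, char *out, size_t out_size)
{
    const unsigned char *s = (const unsigned char *)in;
    size_t o = 0, i = 0;

    /* Bounds-checked append that always leaves room for the trailing NUL. */
#define PUT(str, n) do { if (o + (n) >= out_size) return -1; \
                         memcpy(out + o, (str), (n)); o += (n); } while (0)

    while (i < in_len) {
        uint32_t cp;
        size_t n = utf8_seq_len(s + i, in_len - i, &cp);
        if (n == 0) {
            PUT("\xEF\xBF\xBD", 3);   /* U+FFFD REPLACEMENT CHARACTER */
            i++;                      /* drop one bad byte and resynchronise */
            continue;
        }
        switch (cp) {
        case '"':  PUT("\\\"", 2); break;
        case '\\': PUT("\\\\", 2); break;
        case '\n': PUT("\\n", 2);  break;
        case '\r': PUT("\\r", 2);  break;
        case '\t': PUT("\\t", 2);  break;
        default:
            if (cp < 0x20) {          /* other control characters: \u00XX */
                char buf[7];
                snprintf(buf, sizeof buf, "\\u%04x", (unsigned)cp);
                PUT(buf, 6);
            } else {
                PUT(s + i, n);        /* valid UTF-8 passes through unchanged */
            }
        }
        i += n;
    }
    out[o] = '\0';
    return 0;
#undef PUT
}

int main(void)
{
    /* Constructed sample: a username with a truncated 2-byte sequence (0xC3
     * followed by ASCII). An assert-based encoder would abort here. */
    const char user[] = "al\xC3ice";
    char out[64];

    if (json_escape_utf8(user, sizeof user - 1, out, sizeof out) == 0)
        printf("{\"username\": \"%s\"}\n", out);
    return 0;
}
```

The point to carry over to any encoder that serialises attacker-controlled strings (usernames, mail headers, log fields): validation failures are an expected input class and must map to a defined output, here U+FFFD, never to an abort path. Whether to substitute, reject the request, or percent-encode the raw bytes is a policy choice; crashing is not.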
Risk:
A determined attacker can prevent the authentication process from staying up by repeatedly attempting to log in with a username containing an invalid UTF-8 sequence.

Steps to reproduce:
Configure Dovecot with auth_policy_server_url and auth_policy_hash_nonce set.
Attempt to log in with a username containing an invalid UTF-8 sequence.
Observe the assert-crash in the Dovecot logs.
Solution:
Operators should update to the latest Patch Release (2.3.5.2) or disable auth policy support.