[Dovecot-news] CVE-2020-28200: Sieve excessive resource usage
timo at sirainen.com
Mon Jun 21 14:51:06 EEST 2021
Open-Xchange Security Advisory 2021-06-21
Vendor: OX Software GmbH
Internal reference: DOV-4159 (Bug ID)
Vulnerability type: CWE-400
Vulnerable version: 1.2.0-2.3.14
Vulnerable component: lmtp, lda
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.15
Vendor notification: 2020-09-23
Solution date: 2020-12-07
Public disclosure: 2021-06-21
CVE reference: CVE-2020-28200
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
Researcher credit: Innokentii Sennovskii from BI.ZONE
The Sieve interpreter is not protected against abusive scripts that consume excessive resources, in particular scripts that use massive numbers of regular expressions. An attacker can DoS the mail delivery system by consuming excessive CPU and/or exhausting the lmtp/lda process limits.
Disabling the regex Sieve extension avoids the worst of the problem. Setting lmtp_user_concurrency_limit may also help.
Operators should update to version 2.3.15 or later.
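The two workarounds above, written out as a Dovecot configuration fragment. This is an added example, not part of the advisory or of Dovecot's own documentation; it assumes the stock 2.3 layout under /etc/dovecot/conf.d/, and the concurrency value 5 is a constructed illustration, not a recommended setting.

```conf
# Added mitigation example (not from the advisory). Assumes the stock
# Dovecot 2.3 split config under /etc/dovecot/conf.d/; adjust to your install.

# --- /etc/dovecot/conf.d/20-lmtp.conf ---
# Cap how many LMTP deliveries for a single recipient may run at once, so one
# account's expensive script cannot occupy every lmtp process.
# 0 (the default) means no limit; 5 is an example value, not a recommendation.
lmtp_user_concurrency_limit = 5

# --- /etc/dovecot/conf.d/90-sieve.conf ---
plugin {
  # Keep Pigeonhole's default extension set but remove "regex".
  # A script that does require "regex" will then fail to compile, and the
  # message is delivered as if the user had no active script.
  sieve_extensions = -regex
}
```

After reloading Dovecot, `doveconf -n` should list both settings among the non-default values; if `sieve_extensions` does not appear there, the plugin block was not picked up. Removing the extension is the more effective of the two measures for this issue, but it breaks any existing user scripts that depend on regex matching, so check for `require "regex"` in deployed scripts before rolling it out.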