[Dovecot-news] CVE-2020-28200: Sieve excessive resource usage

Timo Sirainen timo at sirainen.com
Mon Jun 21 14:51:06 EEST 2021


Open-Xchange Security Advisory 2021-06-21

Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-4159 (Bug ID)
Vulnerability type: CWE-400
Vulnerable version: 1.2.0-2.3.14
Vulnerable component: lmtp, lda
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.15
Vendor notification: 2020-09-23
Solution date: 2020-12-07
Public disclosure: 2021-06-21
CVE reference: CVE-2020-28200
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
Researcher credit: Innokentii Sennovskii from BI.ZONE
Vulnerability Details:

Sieve interpreter is not protected against abusive scripts that claim excessive resource usage. Especially scripts using massive amounts of regexps.

Risk:

Attacker can DoS the mail delivery system by using excessive amount of CPU and/or reaching the lmtp/lda process limits.

Workaround:

Disabling the regex sieve extension avoids the worst problems. lmtp_user_concurrency_limit may also be helpful.

Solution:

Operators should update to 2.3.15 or later version.


More information about the Dovecot-news mailing list