[Dovecot-news] CVE-2021-33515: SMTP Submission service STARTTLS injection
timo at sirainen.com
Mon Jun 21 14:51:30 EEST 2021
Open-Xchange Security Advisory 2021-06-21
Vendor: OX Software GmbH
Internal reference: DOV-4583 (Bug ID)
Vulnerability type: CWE-74: Failure to Sanitize Data into a Different Plane ('Injection')
Vulnerable version: 2.3.0-2.3.14
Vulnerable component: submission
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.14.1
Vendor notification: 2021-05-21
Solution date: 2021-05-22
Public disclosure: 2021-06-21
CVE reference: CVE-2021-33515
CVSS: 4.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
Researcher credit: Fabian Ising and Damian Poddebniak of Münster University of Applied Sciences
An on-path attacker could inject plaintext commands before the STARTTLS negotiation that would then be executed after STARTTLS had finished with the client. Only the SMTP submission service is affected.
An attacker can potentially steal user credentials and mails. The attacker needs to have sending permissions on the submission server (a valid username and password).
Operators should update to 2.3.14.1 or a later version.
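The defect class described above is a buffering problem: bytes the client sends in plaintext in the same TCP segment as the STARTTLS command stay in the server's look-ahead buffer and are parsed once TLS is up, as if they had been sent inside the encrypted session. The following is an added illustration written for this advisory, not Dovecot's code: a toy SMTP command reader with a `struct smtp_conn`, `conn_feed` and `conn_next_line` (all hypothetical names) that can run either the vulnerable behaviour or the hardened one, where the pending plaintext buffer is flushed before the TLS handshake. The pipelined client segment is a constructed sample.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Toy model of a submission server's receive buffer around STARTTLS.
   Added example; the names and layout are assumptions, not Dovecot's. */

#define BUF_SIZE 512

struct smtp_conn {
    char buf[BUF_SIZE];   /* bytes received from the socket but not yet parsed */
    size_t len;
    int tls_active;       /* 1 once the (simulated) TLS handshake has completed */
};

/* Append raw bytes from the socket into the pending buffer. */
static void conn_feed(struct smtp_conn *c, const char *data, size_t n)
{
    if (n > BUF_SIZE - c->len)
        n = BUF_SIZE - c->len;
    memcpy(c->buf + c->len, data, n);
    c->len += n;
}

/* Pop one CRLF-terminated line into 'line'; return 1 if one was available. */
static int conn_next_line(struct smtp_conn *c, char *line, size_t line_sz)
{
    for (size_t i = 0; i + 1 < c->len; i++) {
        if (c->buf[i] == '\r' && c->buf[i + 1] == '\n') {
            size_t n = i < line_sz - 1 ? i : line_sz - 1;
            memcpy(line, c->buf, n);
            line[n] = '\0';
            size_t consumed = i + 2;
            memmove(c->buf, c->buf + consumed, c->len - consumed);
            c->len -= consumed;
            return 1;
        }
    }
    return 0;
}

/* Handle STARTTLS. With discard_pending set (the hardened behaviour), any
   plaintext that arrived after the STARTTLS line is dropped before the
   handshake, so it can never be interpreted as part of the TLS session. */
static void handle_starttls(struct smtp_conn *c, int discard_pending)
{
    if (discard_pending)
        c->len = 0;        /* flush the plaintext look-ahead buffer */
    c->tls_active = 1;     /* TLS handshake would take place here */
}

/* Run one constructed session and return how many commands were processed
   after TLS came up. In the vulnerable mode the leftover plaintext command
   is executed as though the client had sent it encrypted. */
int count_post_tls_commands(int discard_pending)
{
    struct smtp_conn c = {0};
    char line[BUF_SIZE];
    /* Constructed sample: a command pipelined in the same segment as STARTTLS. */
    const char *segment = "STARTTLS\r\nNOOP pipelined-in-plaintext\r\n";
    int post_tls = 0;

    conn_feed(&c, segment, strlen(segment));
    while (conn_next_line(&c, line, sizeof line)) {
        if (!c.tls_active && strcmp(line, "STARTTLS") == 0) {
            handle_starttls(&c, discard_pending);
            continue;
        }
        if (c.tls_active)
            post_tls++;    /* command accepted inside the "encrypted" session */
    }
    return post_tls;
}

int main(void)
{
    printf("vulnerable: %d command(s) executed after STARTTLS\n",
           count_post_tls_commands(0));
    printf("hardened:   %d command(s) executed after STARTTLS\n",
           count_post_tls_commands(1));
    return 0;
}
```

The hardened path is the general rule for any STARTTLS-style protocol upgrade (SMTP, IMAP, POP3): everything buffered from the plaintext phase must be discarded, or the upgrade refused, before the handshake begins, because the server cannot tell whether those bytes came from the client or from someone on the path.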