CVE-2020-24386: IMAP hibernation allows accessing other peoples mail
Timo Sirainen
timo at sirainen.com
Tue Jan 5 10:22:03 EET 2021
On 4. Jan 2021, at 14.29, Marc Roos <M.Roos at f1-outsourcing.eu> wrote:
>
> This also applies when you have users separated at OS level?
Yes, that doesn't make a difference. Only whether hibernation is enabled.
> -----Original Message-----
> Sent: 04 January 2021 13:03
> To: dovecot-news at dovecot.org; dovecot at dovecot.org
> Subject: CVE-2020-24386: IMAP hibernation allows accessing other peoples
> mail
>
> Open-Xchange Security Advisory 2021-01-04
>
> Product: Dovecot
> Vendor: OX Software GmbH
> Internal reference: DOP-2009 (Bug ID)
> Vulnerability type: CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences
> Vulnerable version: 2.2.26-2.3.11.3
> Vulnerable component: imap
> Report confidence: Confirmed
> Solution status: Fixed by Vendor
> Fixed version: 2.3.13
> Vendor notification: 2020-08-17
> Solution date: 2020-08-27
> Public disclosure: 2021-01-04
> CVE reference: CVE-2020-24386
> CVSS: 8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)
>
> Vulnerability Details:
>
> When imap hibernation is active, an attacker can cause Dovecot to
> discover file system directory structure and access other users' emails
> using specially crafted command. The attacker must have valid
> credentials to access the mail server.
>
> Risk:
>
> Attacker can access other users' emails and filesystem information.
>
> Workaround:
>
> Operators can choose to disable IMAP hibernation. IMAP hibernation is
> not on by default. To ensure imap hibernation is disabled, make sure
> imap_hibernate_timeout is set to 0 or unset.
>
> Solution:
>
> Operators should update to 2.3.13 or later version.
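For operators who want to turn the advisory's two conditions (version in the 2.2.26-2.3.11.3 range, imap_hibernate_timeout not 0/unset) into a repeatable check, here is an added example script. It is not part of the advisory or of the Dovecot project; it assumes `dovecot --version` and `doveconf -h imap_hibernate_timeout` are on PATH when run on a real host, and the sample strings in the comments are constructed.

```python
"""Classify a Dovecot host's exposure to CVE-2020-24386 from its version and
its imap_hibernate_timeout setting, following the advisory's workaround advice.
Added example; not part of the advisory or of Dovecot itself."""
import re
import subprocess

FIRST_VULNERABLE = (2, 2, 26)   # advisory: vulnerable 2.2.26 - 2.3.11.3
FIRST_FIXED = (2, 3, 13)        # advisory: fixed in 2.3.13


def parse_version(text):
    """Turn 'dovecot --version' output such as '2.3.13 (abcdef123)'
    (constructed sample) into a comparable tuple of integers."""
    stripped = text.strip()
    first = stripped.split()[0] if stripped else ""
    parts = [int(p) for p in first.split(".") if p.isdigit()]
    if not parts:
        raise ValueError("no version number in %r" % text)
    return tuple(parts)


def version_in_vulnerable_range(version):
    """True when the version falls inside the advisory's affected range."""
    return FIRST_VULNERABLE <= version < FIRST_FIXED


def hibernation_enabled(timeout_value):
    """Interpret an imap_hibernate_timeout value ('0', '', '5s', '2 mins').
    '0' or unset means hibernation is off; any other interval turns it on.
    A value that cannot be parsed is treated as enabled so the check errs
    on the side of reporting exposure."""
    value = timeout_value.strip()
    if value == "":
        return False            # unset: Dovecot's default is 0 (disabled)
    m = re.match(r"^(\d+)", value)
    if m is None:
        return True
    return int(m.group(1)) != 0


def assess(version_text, timeout_value):
    """Combine both conditions into one verdict string."""
    version = parse_version(version_text)
    if version >= FIRST_FIXED:
        return "fixed-version"
    if version < FIRST_VULNERABLE:
        return "outside-range"
    if hibernation_enabled(timeout_value):
        return "exposed"
    return "mitigated-by-config"


def _run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Live check on a host; assumes the dovecot and doveconf binaries are on PATH.
    try:
        version_out = _run(["dovecot", "--version"])
        timeout_out = _run(["doveconf", "-h", "imap_hibernate_timeout"])
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        raise SystemExit("could not query Dovecot: %s" % exc)
    print("dovecot version: %s" % version_out.strip())
    print("imap_hibernate_timeout: %r" % timeout_out.strip())
    print("CVE-2020-24386 status: %s" % assess(version_out, timeout_out))
```

"mitigated-by-config" only means the workaround is in place; per the advisory, the upgrade to 2.3.13 or later is still the solution, so treat that verdict as a temporary state rather than a closed finding.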