CVE-2021-33515: SMTP Submission service STARTTLS injection

lists at lazygranch.com
Tue Jun 22 12:11:08 EEST 2021



On Mon, 21 Jun 2021 13:51:30 +0200
Timo Sirainen <timo at sirainen.com> wrote:

> Open-Xchange Security Advisory 2021-06-21
> 
> Product: Dovecot
> Vendor: OX Software GmbH
> Internal reference: DOV-4583 (Bug ID)
> Vulnerability type: CWE-74: Failure to Sanitize Data into a Different
> Plane ('Injection')
> Vulnerable version: 2.3.0-2.3.14
> Vulnerable component: submission
> Report confidence: Confirmed
> Solution status: Fixed by Vendor
> Fixed version: 2.3.14.1
> Vendor notification: 2021-05-21
> Solution date: 2021-05-22
> Public disclosure: 2021-06-21
> CVE reference: CVE-2021-33515
> CVSS: 4.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
> Researcher credit: Fabian Ising and Damian Poddebniak of Münster
> University of Applied Sciences
> 
> Vulnerability Details:
> 
> On-path attacker could inject plaintext commands before STARTTLS
> negotiation that would be executed after STARTTLS finished with the
> client. Only the SMTP submission service is affected.
> 
> Risk:
> 
> Attacker can potentially steal user credentials and mails. The
> attacker needs to have sending permissions on the submission server
> (a valid username and password).
> 
> Workaround:
> 
> None.
> 
> Solution:
> 
> Operators should update to 2.3.14.1 or later version.
> 

CentOS 7 has no repo with 2.3.15. I am using 2.2.36 (1f10bfa63). Is
this OK?

This is my personal server, hence all the accounts are mine, so it
isn't like I am going to hack myself. 
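To make the advisory's one-sentence description concrete, here is an added Python model of the server-side defect (a constructed illustration, not Dovecot's code or the fix as shipped): a submission command loop whose receive buffer survives the STARTTLS handshake, beside the corrected behaviour that discards whatever arrived in plaintext. The `Session` class, `trace()` helper and the sample pipelined input are all assumptions made for this example.

```python
"""Model of the pre-STARTTLS buffering flaw behind CVE-2021-33515.

Constructed simulation, not Dovecot code. A minimal SMTP submission loop
reads commands from a receive buffer. Bytes that arrived *before* the TLS
handshake were sent in plaintext, so an on-path party could have appended
them; if they stay in the buffer they are later executed as though the
authenticated client had sent them inside the encrypted session.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    buf: bytes = b""                 # received but not yet parsed
    tls: bool = False                # True once STARTTLS has completed
    flush_on_starttls: bool = True   # False reproduces the vulnerable behaviour
    executed: list = field(default_factory=list)  # audit log: (cmd, over_tls)

    def feed(self, data: bytes) -> None:
        self.buf += data

    def _next_line(self):
        if b"\r\n" not in self.buf:
            return None
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line.decode("ascii", "replace")

    def run(self) -> list:
        while (line := self._next_line()) is not None:
            cmd = line.split(" ", 1)[0].upper()
            if cmd == "STARTTLS" and not self.tls:
                # "220 Ready" is sent and the handshake happens here. Anything
                # still buffered was plaintext; RFC 3207 section 4.2 resets the
                # protocol to its initial state, so the correct behaviour is
                # to drop it and only parse bytes that arrive through TLS.
                if self.flush_on_starttls:
                    self.buf = b""
                self.tls = True
                self.executed.append((cmd, False))
                continue
            self.executed.append((cmd, self.tls))
        return self.executed


def trace(wire: bytes, flush_on_starttls: bool) -> list:
    """Run one pipelined chunk through a fresh session; return its audit log."""
    s = Session(flush_on_starttls=flush_on_starttls)
    s.feed(wire)
    return s.run()


if __name__ == "__main__":
    # Constructed sample: the trailing RSET stands in for an injected command.
    sample = b"EHLO client.example\r\nSTARTTLS\r\nRSET\r\n"
    print("vulnerable:", trace(sample, flush_on_starttls=False))
    print("fixed:     ", trace(sample, flush_on_starttls=True))
```

In the vulnerable run the injected `RSET` is logged as executed over TLS; in the fixed run it never reaches the command parser.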

