CVE-2021-33515: SMTP Submission service STARTTLS injection

Götz Reinicke goetz.reinicke at filmakademie.de
Tue Jun 22 13:05:52 EEST 2021



> On 22.06.2021 at 11:11, lists at lazygranch.com wrote:
> 
> 
> 
> On Mon, 21 Jun 2021 13:51:30 +0200
> Timo Sirainen <timo at sirainen.com> wrote:
> 
>> Open-Xchange Security Advisory 2021-06-21
>> 
>> Product: Dovecot
>> Vendor: OX Software GmbH
>> Internal reference: DOV-4583 (Bug ID)
>> Vulnerability type: CWE-74: Failure to Sanitize Data into a Different
>> Plane ('Injection')
>> Vulnerable version: 2.3.0-2.3.14
>> Vulnerable component: submission
>> Report confidence: Confirmed
>> Solution status: Fixed by Vendor
>> Fixed version: 2.3.14.1
>> Vendor notification: 2021-05-21
>> Solution date: 2021-05-22
>> Public disclosure: 2021-06-21
>> CVE reference: CVE-2021-33515
>> CVSS: 4.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
>> Researcher credit: Fabian Ising and Damian Poddebniak of Münster
>> University of Applied Sciences
>> 
>> Vulnerability Details:
>> 
>> On-path attacker could inject plaintext commands before STARTTLS
>> negotiation that would be executed after STARTTLS finished with the
>> client. Only the SMTP submission service is affected.
>> 
>> Risk:
>> 
>> Attacker can potentially steal user credentials and mails. The
>> attacker needs to have sending permissions on the submission server
>> (a valid username and password).
>> 
>> Workaround:
>> 
>> None.
>> 
>> Solution:
>> 
>> Operators should update to 2.3.14.1 or later version.
>> 
> 
> CentOS 7 has no repo with 2.3.15. I am using 2.2.36 (1f10bfa63). Is
> this OK?
> 

check https://repo.dovecot.org

/Götz
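The advisory quoted above says the submission service executed plaintext commands that were pipelined behind STARTTLS once the TLS session was up. The defensive rule (RFC 3207 section 4.2: the protocol state is reset after the handshake) is that any bytes still sitting in the plaintext receive buffer when STARTTLS is processed must be thrown away, not parsed later under TLS. The following is an added example, not Dovecot's code and not part of this thread: a toy submission-side line reader that models both behaviours so the difference is visible. The TLS handshake itself is simulated by a flag, and the client input is constructed.

```python
# Added example (not Dovecot code): toy SMTP submission reader showing why the
# plaintext receive buffer must be discarded when STARTTLS is processed.
# The TLS handshake is simulated by a flag; the client bytes are constructed.
from dataclasses import dataclass, field


@dataclass
class Session:
    discard_on_starttls: bool                      # True = hardened behaviour
    buf: bytes = b""                               # received but not yet parsed plaintext
    tls_active: bool = False
    executed: list = field(default_factory=list)   # (verb, was_tls_active) in order
    log: list = field(default_factory=list)        # what a defender would want logged

    def feed(self, data: bytes) -> None:
        """Append bytes from the client socket and dispatch every complete line."""
        self.buf += data
        while b"\r\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\r\n")
            self._dispatch(line.decode("ascii", "replace"))

    def _dispatch(self, line: str) -> None:
        verb = line.split(" ", 1)[0].upper()
        if verb == "STARTTLS":
            if self.tls_active:
                # STARTTLS inside an already encrypted session is a protocol error
                self.executed.append(("STARTTLS(rejected)", True))
                return
            self._start_tls()
            return
        self.executed.append((verb, self.tls_active))

    def _start_tls(self) -> None:
        self.executed.append(("STARTTLS", False))
        if self.buf:
            if self.discard_on_starttls:
                # Hardened: whatever the client (or anyone on the path) pushed
                # behind STARTTLS in plaintext is dropped before the handshake.
                self.log.append(
                    f"discarded {len(self.buf)} plaintext bytes pipelined after STARTTLS")
                self.buf = b""
            else:
                # Vulnerable pattern: the leftover plaintext survives the
                # handshake and is parsed as if it arrived over TLS.
                self.log.append(
                    f"carrying {len(self.buf)} plaintext bytes into TLS session")
        # A real server would wrap the socket in TLS here; we only flip the flag.
        self.tls_active = True


def run(client_bytes: bytes, hardened: bool) -> Session:
    """Feed one constructed client stream through a fresh session."""
    s = Session(discard_on_starttls=hardened)
    s.feed(client_bytes)
    return s


# Constructed input: a harmless NOOP pipelined behind STARTTLS in plaintext.
SAMPLE = b"EHLO client.example\r\nSTARTTLS\r\nNOOP\r\n"

if __name__ == "__main__":
    for hardened in (False, True):
        s = run(SAMPLE, hardened)
        print("hardened" if hardened else "vulnerable", s.executed, s.log)
```

In the vulnerable run the trailing `NOOP` shows up in `executed` with `tls_active` set, which is exactly the confusion the advisory describes: the server attributes a plaintext-injected command to the encrypted, authenticated session. The hardened run never sees it and leaves a log line a SOC can alert on, since legitimate clients do not pipeline anything behind STARTTLS.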