From: Aki Tuomi via Fulldisclosure <fulldisclosure () seclists org>
Date: Wed, 14 Aug 2024 14:13:42 +0300 (EEST)
Affected product: Dovecot IMAP Server
Internal reference: DOV-6464
Vulnerability type: CWE-770 (Allocation of Resources Without Limits or Throttling)
Vulnerable version: 2.2, 2.3
Vulnerable component: lib-mail
Report confidence: Confirmed
Solution status: Fixed in 2.3.21.1
Researcher credits: Vendor internal discovery
Vendor notification: 2024-01-30
CVE reference: CVE-2024-23184
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N)
Vulnerability Details:
Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header
lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes
to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue.
The main problem is that each header line's address is added to the end of a linked list. This is done by walking the
whole linked list, which becomes more inefficient the more addresses there are.
Workaround:
One can implement restrictions on address headers on MTA component preceding Dovecot.
Fix:
Install non-vulnerable version of Dovecot. Patch can be found at
https://github.com/dovecot/core/compare/8e4c42d%5E...1481c04.patch
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- CVE-2024-23184: Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive Aki Tuomi via Fulldisclosure (Aug 17)