
List:       full-disclosure
Subject:    [FD] Multiple vulnerabilities in Dovecot 2.3
From:       Aki Tuomi via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2019-04-30 13:35:05
Message-ID: 1076442947.215.1556631305811 () appsuite-dev-guard ! open-xchange ! com

Dear subscribers, we have been made aware of two critical vulnerabilities in Dovecot 2.3. Please find patches attached for 2.3.5.2.

---
Aki Tuomi
Open-Xchange oy

------

Open-Xchange Security Advisory 2019-04-30

Product: Dovecot
Vendor: OX Software GmbH

Internal reference: DOV-3212 (Bug ID)
Vulnerability type: CWE-476
Vulnerable version: 2.3.0 - 2.3.5.2
Vulnerable component: submission-login
Report confidence: Confirmed
Researcher credits: Marcelo Coelho
Solution status: Fixed by Vendor
Fixed version: 2.3.6
Vendor notification: 2019-03-11
Solution date: 2019-04-23
Public disclosure: 2019-04-30
CVE reference: CVE-2019-11494
CVSS: 7.5 (CVSS3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Submission-login crashes with signal 11 due to a null pointer access when authentication is aborted by the client disconnecting. This can lead to a denial-of-service attack by persistent attacker(s).

Workaround:
There is no available workaround for this issue.

Solution:
Operators should upgrade to a fixed version.
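The failure mode behind this advisory, as an added example (a constructed model, not Dovecot's own code): an auth result arriving after the client has already disconnected, with the guard the fix introduces. The struct and function names mirror the patch but are simplifications.

```c
#include <stddef.h>

/* Constructed model of the submission-login state behind CVE-2019-11494
 * (not Dovecot code): a connection, a pending AUTH command, two callbacks. */
struct cmd_ctx { int replies_sent; };
struct conn { int fd; };

struct subm_client {
	struct conn *conn;            /* NULL once the client is gone */
	struct cmd_ctx *pending_auth; /* AUTH command awaiting a result */
};

/* Disconnect handler: like the client.c hunk, drop the pending command
 * reference, because the connection that owns it is being torn down. */
static void client_connection_disconnect(struct subm_client *c)
{
	c->pending_auth = NULL;
	c->conn = NULL;
}

/* Auth-result callback. Returns 1 when a reply was sent, 0 when the result
 * was dropped (client already gone), -1 for the NULL cmd the old code hit. */
static int client_auth_result(struct subm_client *c)
{
	struct cmd_ctx *cmd = c->pending_auth;

	/* The guard from the client-authenticate.c hunk: without it the
	 * code below dereferences the NULL cmd (the signal 11). */
	if (c->conn == NULL)
		return 0;
	c->pending_auth = NULL;
	if (cmd == NULL)
		return -1;
	cmd->replies_sent++;
	return 1;
}

/* Runs one AUTH exchange; with disconnect_first the client drops the
 * session while the auth result is still pending (the advisory case). */
static int run_auth(int disconnect_first)
{
	struct cmd_ctx cmd = { 0 };
	struct conn conn = { 3 };
	struct subm_client c = { &conn, &cmd };

	if (disconnect_first)
		client_connection_disconnect(&c);
	return client_auth_result(&c);
}
```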

----

Open-Xchange Security Advisory 2019-04-30
Product: Dovecot
Vendor: OX Software GmbH

Internal reference: DOV-3223 (Bug ID)
Vulnerability type: CWE-617
Vulnerable version: 2.3.0 - 2.3.5.2
Vulnerable component: submission-login
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.6
Vendor notification: 2019-03-11
Solution date: 2019-04-23
Public disclosure: 2019-04-30
CVE reference: CVE-2019-11499
CVSS: 7.5 (CVSS3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Submission-login crashes when authentication is started over a TLS-secured channel and an invalid authentication message is sent. This can lead to a denial-of-service attack by persistent attacker(s).

Workaround:
Authentication crash can be avoided if authentication is done without TLS.

Solution:
Operators should upgrade to a fixed version.


["0001-submission-login-Remove-unused-client-pending_startt.patch" (text/x-patch)]

From 754f791dd26313de8d75b740bddd1a192f11bf3f Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@dovecot.fi>
Date: Tue, 23 Apr 2019 00:13:46 +0200
Subject: [PATCH 1/3] submission-login: Remove unused client->pending_starttls.

---
 src/submission-login/client.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/submission-login/client.h b/src/submission-login/client.h
index 1667e158e..e89228432 100644
--- a/src/submission-login/client.h
+++ b/src/submission-login/client.h
@@ -23,7 +23,7 @@ struct submission_client {
 	enum smtp_capability backend_capabilities;
 
 	struct smtp_server_connection *conn;
-	struct smtp_server_cmd_ctx *pending_auth, *pending_starttls;
+	struct smtp_server_cmd_ctx *pending_auth;
 
 	enum submission_proxy_state proxy_state;
 	enum smtp_capability proxy_capability;
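Review bot: the hunk drops `pending_starttls` from `struct submission_client` but this patch touches only the header, so nothing here shows that no reader or writer of the field remains; the commit message should state that the field was never referenced (or the diff should include the removals), since a stale reference elsewhere would fail the build.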
-- 
2.11.0


["0002-submission-login-client-authenticate-Fix-crash-occur.patch" (text/x-patch)]

From f79745dae4a9a5fca33320e03a4fc9064b88d01e Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@dovecot.fi>
Date: Tue, 12 Mar 2019 03:18:33 +0100
Subject: [PATCH 2/3] submission-login: client-authenticate - Fix crash
 occurring when client disconnects during authentication.

---
 src/submission-login/client-authenticate.c | 3 +++
 src/submission-login/client.c              | 1 +
 2 files changed, 4 insertions(+)

diff --git a/src/submission-login/client-authenticate.c b/src/submission-login/client-authenticate.c
index 8b5422f83..6b70701a1 100644
--- a/src/submission-login/client-authenticate.c
+++ b/src/submission-login/client-authenticate.c
@@ -98,6 +98,9 @@ void submission_client_auth_result(struct client *client,
 		container_of(client, struct submission_client, common);
 	struct smtp_server_cmd_ctx *cmd = subm_client->pending_auth;
 
+	if (subm_client->conn == NULL)
+		return;
+
 	subm_client->pending_auth = NULL;
 	i_assert(cmd != NULL);
 
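Review bot: the early return on `subm_client->conn == NULL` is placed before `subm_client->pending_auth = NULL;` and `i_assert(cmd != NULL);`, so a late auth result for a disconnected client is dropped silently and the pending reference is left untouched; that is only correct together with the client.c change that clears `pending_auth` on disconnect, so a short comment on the guard noting that dependency would help the next reader. Consider also a debug-level log line when the result is discarded, so the disconnect-during-auth case is visible in operation.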
diff --git a/src/submission-login/client.c b/src/submission-login/client.c
index 3e45e556c..20b773b9e 100644
--- a/src/submission-login/client.c
+++ b/src/submission-login/client.c
@@ -212,6 +212,7 @@ static void client_connection_disconnect(void *context, const char *reason)
 {
 	struct submission_client *client = context;
 
+	client->pending_auth = NULL;
 	client_disconnect(&client->common, reason);
 }
 
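Review bot: `client->pending_auth = NULL;` drops the reference to the AUTH command context without finishing or freeing it, and the hunk does not show who owns that `smtp_server_cmd_ctx`; a comment stating that the SMTP server connection tears down outstanding commands on disconnect would make clear this is neither a leak nor a path that still tries to reply on the closed connection.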
-- 
2.11.0


["0003-lib-smtp-smtp-server-cmd-auth-Fix-AUTH-response-erro.patch" (text/x-patch)]

From e9d60648abb9bbceff89882a5309cb9532e702e9 Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@dovecot.fi>
Date: Thu, 25 Apr 2019 09:51:32 +0200
Subject: [PATCH 3/3] lib-smtp: smtp-server-cmd-auth - Fix AUTH response error
 handling so that it stops reading more input.

Otherwise, it may try to read more data from the stream as the next AUTH
response, which causes an assert crash in the command parser later on. Even when
the parser finds no input from the stream, it will advance its state
towards AUTH response parsing, which is a problem when the next command is
subsequently being parsed.

Panic was:

Panic: file smtp-command-parser.c: line 438 (smtp_command_parse_next): assertion failed: (!parser->auth_response || parser->state.state == SMTP_COMMAND_PARSE_STATE_INIT || parser->state.state == SMTP_COMMAND_PARSE_STATE_ERROR)
---
 src/lib-smtp/smtp-server-cmd-auth.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/lib-smtp/smtp-server-cmd-auth.c b/src/lib-smtp/smtp-server-cmd-auth.c
index 24cb55ade..0d8062caa 100644
--- a/src/lib-smtp/smtp-server-cmd-auth.c
+++ b/src/lib-smtp/smtp-server-cmd-auth.c
@@ -99,6 +99,7 @@ static void cmd_auth_input(struct smtp_server_cmd_ctx *cmd)
 			smtp_server_connection_debug(conn,
 				"Client sent invalid AUTH response: %s", error);
 
+			smtp_server_command_input_lock(cmd);
 			switch (error_code) {
 			case SMTP_COMMAND_PARSE_ERROR_BROKEN_COMMAND:
 				conn->input_broken = TRUE;
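Review bot: `smtp_server_command_input_lock(cmd);` is added ahead of the `switch (error_code)` but the hunk shows no matching unlock, so confirm that every branch of the switch ends with the command failing or the connection closing and that the lock is released on that path; the commit message explains why reading must stop, and a one-line comment at the lock saying the same would save the next reader from hunting for the unlock. Placing the lock before the switch also covers `SMTP_COMMAND_PARSE_ERROR_BROKEN_COMMAND`, where `conn->input_broken = TRUE;` already stops input, which is harmless but worth noting.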
-- 
2.11.0




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/