
List:       oss-security
Subject:    [oss-security] CVE-2021-33515: Dovecot SMTP Submission service STARTTLS injection.
From:       Aki Tuomi <aki.tuomi () open-xchange ! com>
Date:       2021-06-28 6:59:59
Message-ID: 921291111.13398.1624863599048 () appsuite-dev-gw2 ! open-xchange ! com

Open-Xchange Security Advisory 2021-06-28

Affected product: Dovecot IMAP Server
Vendor: OX Software GmbH

Internal reference: DOP-2421
Vulnerability type: Cryptographic Issues (CWE-310)
Vulnerable version: 2.3
Vulnerable component: submission
Report confidence: Confirmed
Solution status: Fixed in 2.3.x
Researcher credits: Fabian Ising and Damian Poddebniak of Münster University of Applied Sciences.
Vendor notification: 2021-05-21
CVE reference: CVE-2021-33515
CVSS: 4.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)

Vulnerability Details:
Dovecot's lib-smtp is vulnerable to STARTTLS command injection. If more commands are pipelined as plaintext after STARTTLS, those commands are run inside the TLS session.

Risk:
A MiTM attacker can inject preamble commands that are executed prior to the user's commands; these can be used to redirect the actual mail and other user commands to an attacker-controlled address.
Proof of concept script exists.

Solution:
Upgrade to fixed version, or disable STARTTLS support.
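
The buffering flaw described under Vulnerability Details, as an added example that is not part of the advisory and is not Dovecot's code or its actual fix: a toy receive buffer showing plaintext bytes pipelined after STARTTLS surviving into the TLS session, beside a hardened path that discards them. The struct, function names and the sample wire data are assumptions constructed for illustration.

```c
#include <string.h>
#include <strings.h>

/* Toy model of a connection's pre-TLS receive buffer (hypothetical, not lib-smtp types). */
struct conn {
    char   inbuf[256];  /* bytes read from the socket before TLS */
    size_t len;         /* number of valid bytes in inbuf */
    int    tls_active;
};

/* Move the first CRLF-terminated line into `line`; returns 1 on success, 0 otherwise. */
static int pop_line(struct conn *c, char *line, size_t cap)
{
    for (size_t i = 0; i + 1 < c->len; i++) {
        if (c->inbuf[i] == '\r' && c->inbuf[i + 1] == '\n') {
            if (i >= cap) return 0;
            memcpy(line, c->inbuf, i);
            line[i] = '\0';
            memmove(c->inbuf, c->inbuf + i + 2, c->len - (i + 2));
            c->len -= i + 2;
            return 1;
        }
    }
    return 0;
}

/* On STARTTLS, bytes still buffered arrived unauthenticated in plaintext and
   must never reach the post-TLS parser. Returns how many plaintext bytes are
   carried into the TLS session: nonzero models the flaw, zero is safe. */
size_t handle_line(struct conn *c, int hardened)
{
    char line[128];
    if (!pop_line(c, line, sizeof line) || strcasecmp(line, "STARTTLS") != 0)
        return 0;
    if (hardened) c->len = 0;  /* discard pipelined plaintext (or drop the connection) */
    c->tls_active = 1;         /* the TLS handshake would happen here */
    return c->len;
}

/* Constructed sample: what a single plaintext read could contain. */
size_t carried_over(int hardened)
{
    struct conn c = { .len = 0, .tls_active = 0 };
    const char *wire = "STARTTLS\r\nNOOP\r\n";
    c.len = strlen(wire);
    memcpy(c.inbuf, wire, c.len);
    return handle_line(&c, hardened);
}
```

A regression test for a patched server can assert the same property: nothing received before the handshake completes is parsed as a command afterwards.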