Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 26 Apr 2015 20:31:14 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: CVE request: Dovecot remote DoS on TLS connections

Hi,

The current Dovecot (2.2.16) imap/pop3 server has an issue that
handshake failures will lead to a crash of the login process.

An example where this is triggered is if the server is configured to
not allow SSLv3 connections and a client tries to connect with SSLv3
only.

The reason is that the error handling routine will try to finish the
handshake and that will crash. Details here:
http://dovecot.org/pipermail/dovecot/2015-April/100618.html

I had created a patch, one of the dovecot devs created a more thorough
patch that will probably catch more error states properly:
http://dovecot.org/tmp/diff
(url likely not stable)
Nothing is applied yet I think.

I think this deserves a CVE.


There is a related issue in openssl: It will crash instead of throwing
an error if one tries to use a connection context that already failed.
One could argue that this is not an openssl issue, because apps need to
properly check errors. Matt Caswell has created a patch to let openssl
handle these situations more gracefully:
https://rt.openssl.org/Ticket/Display.html?id=3818&user=guest&pass=guest

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ