Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 11 Apr 2017 10:57:03 +0300
From: Aki Tuomi <aki.tuomi@...ecot.fi>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-2669: Dovecot DoS when passdb dict was used for
 authentication

CVSS: 6.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H)
Vulnerable versions: 2.2.26 - 2.2.28
Fixed version(s): 2.2.29

Broken by a3783f8a3c9cd816b51e77a922f82301512fcf22
Fixed by 000030feb7a30f193197f1aab8a7b04a26b42735

Dovecot supports "dict" passdb and
userdb: https://wiki2.dovecot.org/AuthDatabase/Dict
When these were used for user authentication, the username sent by the
IMAP/POP3 client was sent through var_expand() to perform %variable
expansion. Sending specially crafted %variable fields could result in
excessive memory usage causing the process to crash (and restart), or
excessive CPU usage causing all authentications to hang.

Excessive memory usage could be done with e.g. %09999999999u as the
username. Because by default Dovecot limits the auth process's VSZ and
exits on any memory allocation failure, the auth process typically dies
afterwards and is immediately restarted. This may result in some user
authentications getting temporary internal failures.

Excessive CPU usage could be done with %{pkcs5;rounds=100000000:user}
variable introduced in v2.2.27.

Please use this
https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch
to fix this issue, it should be applicable to older versions too.
Please let us know if you need assistance in patching.

---
Aki Tuomi
Dovecot oy




Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.