Date: Thu, 18 Apr 2019 12:05:51 +0300 From: Aki Tuomi <aki.tuomi@...ecot.fi> To: oss-security@...ts.openwall.com Subject: CVE-2019-10691: JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering invalid UTF-8 characters. Dear subscribers, we're sharing our latest advisory with you and would like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs (open-xchange, dovecot, powerdns) at HackerOne. Please find patch for v2.3.5 attached, or download new version. Yours sincerely, Aki Tuomi Open-Xchange Oy Open-Xchange Security Advisory 2019-04-18 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-3173 (Bug ID) Vulnerability type: CWE-176 Vulnerable version: 2.3.0 - 18.104.22.168 Vulnerable component: json encoder Report confidence: Confirmed Researcher credits: cPanel L.L.C. Solution status: Fixed by Vendor Fixed version: 22.214.171.124 Vendor notification: 2019-04-02 Solution date: 2019-04-11 Public disclosure: 2019-04-18 CVE reference: CVE-2019-10691 CVSS: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Vulnerability Details: JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering invalid UTF-8 characters. This can be used to crash dovecot in two ways. Attacker can repeatedly crash Dovecot authentication process by logging in using invalid UTF-8 sequence in username. This requires that auth policy is enabled. Crash can also occur if OX push notification driver is enabled and an email is delivered with invalid UTF-8 sequence in From or Subject header. In 2.2, malformed UTF-8 sequences are forwarded "as-is", and thus do not cause problems in Dovecot itself. Target systems should be checked for possible problems in dealing with such sequences. See https://wiki.dovecot.org/Authentication/Policy for details on auth policy support. Risk: Determined attacker can prevent authentication process from staying up by keeping on attempting to log in with username containing invalid UTF-8 sequence. Steps to reproduce: Configure dovecot with auth_policy_server_url and auth_policy_hash_nonce set. Attempt to log in with username containing an invalid UTF-8 sequence Observe assert-crash in dovecot logs. Solution: Operators should update to the latest Patch Release or disable auth policy support. View attachment "0001-lib-json-Escape-invalid-UTF-8-as-unicode-bytes.patch" of type "text/x-patch" (2509 bytes) Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.