Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 18 Apr 2019 12:05:51 +0300
From: Aki Tuomi <aki.tuomi@...ecot.fi>
To: oss-security@...ts.openwall.com
Subject: CVE-2019-10691: JSON encoder in Dovecot 2.3 incorrecty assert-crashes
 when encountering invalid UTF-8 characters.

Dear subscribers,

we're sharing our latest advisory with you and would like to thank
everyone who contributed in finding and solving those vulnerabilities.
Feel free to join our bug bounty programs (open-xchange, dovecot,
powerdns) at HackerOne. Please find patch for v2.3.5 attached,
or download new version.

Yours sincerely,
Aki Tuomi
Open-Xchange Oy

Open-Xchange Security Advisory 2019-04-18
Product: Dovecot
Vendor: OX Software GmbH

Internal reference: DOV-3173 (Bug ID)
Vulnerability type: CWE-176
Vulnerable version: 2.3.0 - 2.3.5.1
Vulnerable component: json encoder
Report confidence: Confirmed
Researcher credits: cPanel L.L.C.
Solution status: Fixed by Vendor
Fixed version: 2.3.5.2
Vendor notification: 2019-04-02
Solution date: 2019-04-11
Public disclosure: 2019-04-18
CVE reference: CVE-2019-10691
CVSS: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
 
Vulnerability Details:
JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering
invalid UTF-8 characters. This can be used to crash dovecot in two ways.
Attacker can repeatedly crash Dovecot authentication process by logging
in using invalid UTF-8 sequence in username. This requires that auth
policy is enabled.
Crash can also occur if OX push notification driver is enabled and an
email is delivered with invalid UTF-8 sequence in From or Subject header.
In 2.2, malformed UTF-8 sequences are forwarded "as-is", and thus do not
cause problems in Dovecot itself. Target systems should be checked for
possible problems in dealing with such sequences.
See https://wiki.dovecot.org/Authentication/Policy for details on auth
policy support.

Risk:
Determined attacker can prevent authentication process from staying up
by keeping on attempting to log in with username containing invalid
UTF-8 sequence.
Steps to reproduce:
Configure dovecot with auth_policy_server_url and auth_policy_hash_nonce
set.
Attempt to log in with username containing an invalid UTF-8 sequence
Observe assert-crash in dovecot logs.

Solution:
Operators should update to the latest Patch Release or disable auth
policy support.


View attachment "0001-lib-json-Escape-invalid-UTF-8-as-unicode-bytes.patch" of type "text/x-patch" (2509 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.