Summary: | <net-mail/dovecot-2.3.11.3: multiple vulnerabilities (CVE-2020-{12100,12673,12674}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | eras |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B3 [cve glsa+] | ||
Package list: | =net-mail/dovecot-2.3.11.3 | Runtime testing required: | --- |
Bug Depends on: | 739504, 756217 | ||
Bug Blocks: | 723786 |
Description
Thomas Deutschmann (RETIRED)
Open-Xchange Security Advisory 2020-08-12

Affected product: Dovecot IMAP server
Internal reference: DOP-1849 (Bug ID)
Vulnerability type: Uncontrolled recursion (CWE-674)
Vulnerable version: 2.0
Vulnerable component: submission, lmtp, lda
Fixed version: 2.3.11.3
Report confidence: Confirmed
Solution status: Fix available
Vendor notification: 2020-04-23
CVE reference: CVE-2020-12100
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Receiving mail with deeply nested MIME parts leads to resource exhaustion as Dovecot attempts to parse it.

Risk:
Malicious actor can cause denial of service to mail delivery by repeatedly sending mails with bad content.

Workaround:
Limit MIME structures in MTA.

Solution:
Upgrade to fixed version.

Affected product: Dovecot IMAP server
Internal reference: DOP-1870 (Bug ID)
Vulnerability type: CWE-789 (Uncontrolled Memory Allocation)
Vulnerable version: 2.2
Vulnerable component: auth
Fixed version: 2.3.11.3
Report confidence: Confirmed
Solution status: Fix available
Vendor notification: 2020-05-03
CVE reference: CVE-2020-12673
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Dovecot's NTLM implementation does not correctly check message buffer size, which leads to reading past allocation which can lead to crash.

Risk:
An adversary can use this vulnerability to crash dovecot auth process repeatedly, preventing login.

Steps to reproduce:
(echo 'AUTH NTLM'; echo -ne
'NTLMSSP\x00\x01\x00\x00\x00\x00\x02\x00\x00AAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAA' | \
base64 -w0 ;echo ;echo -ne
'NTLMSSP\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0
0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00AA\x00\x00\x41\x00\
x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\
x00\x00\x02\x00\x00orange\x00'| \
base64 -w0;echo ; echo QUIT) | nc 127.0.0.1 110

Workaround:
Disable NTLM authentication.

Solution:
Upgrade to fixed version.

Affected product: Dovecot IMAP server
Internal reference: DOP-1869 (Bug ID)
Vulnerability type: CWE-126 (Buffer over-read)
Vulnerable version: 2.2
Vulnerable component: auth
Fixed version: 2.3.11.3
Report confidence: Confirmed
Solution status: Fix available
Vendor notification: 2020-05-03
Researcher credit: Orange from DEVCORE team
CVE reference: CVE-2020-12674
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Dovecot's RPA mechanism implementation accepts zero-length message, which leads to assert-crash later on

Risk:
An adversary can use this vulnerability to crash dovecot auth process repeatedly, preventing login.

Steps to reproduce:
(echo 'AUTH RPA'; echo -ne
'\x60\x11\x06\x09\x60\x86\x48\x01\x86\xf8\x73\x01\x01\x01\x00\x04\x00\x
00\x01' | base64 -w 0; echo ; echo -ne
'\x60\x11\x06\x09\x60\x86\x48\x01\x86\xf8\x73\x01\x01\x00\x03A@A\x00' |
base64 -w 0; echo ; echo QUIT) | nc 127.0.0.1 110

Workaround:
Disable RPA authentication.

Solution:
Upgrade to fixed version.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4cffab4e4790734f6acdd76ca5d9112eb13ac019

commit 4cffab4e4790734f6acdd76ca5d9112eb13ac019
Author: Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-08-14 09:16:48 +0000
Commit: Eray Aslan <eras@gentoo.org>
CommitDate: 2020-08-14 09:16:48 +0000

    net-mail/dovecot: security bump to 2.3.11.3

    Bug: https://bugs.gentoo.org/736617
    Package-Manager: Portage-3.0.2, Repoman-2.3.23
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest | 2 +
 net-mail/dovecot/dovecot-2.3.11.3.ebuild | 288 +++++++++++++++++++++++++++++++
 2 files changed, 290 insertions(+)

Arches, please test and mark stable
=net-mail/dovecot-2.3.11.3
Target Keywords = ~alpha amd64 arm ~hppa ~ia64 ~mips ppc ppc64 s390 ~sparc x86

amd64 done

ppc64 done

x86 stable

New GLSA request filed.

This issue was resolved and addressed in GLSA 202009-02 at https://security.gentoo.org/glsa/202009-02 by GLSA coordinator Thomas Deutschmann (whissi).

Re-opening for remaining architectures.

-r1 stabled for arm (with USE=unwind, all but dodgy backtrace tests pass).

ppc stable

s390 done

all arches done

Please cleanup.

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dfc1038d3efd30e4ecab68e957e68a84606175c7

commit dfc1038d3efd30e4ecab68e957e68a84606175c7
Author: Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-12-21 14:20:28 +0000
Commit: Eray Aslan <eras@gentoo.org>
CommitDate: 2020-12-21 14:20:28 +0000

    net-mail/dovecot: partial security cleanup

    Bug: https://bugs.gentoo.org/736617
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest | 4 -
 net-mail/dovecot/dovecot-2.3.10.1.ebuild | 288 ------------------------------
 net-mail/dovecot/dovecot-2.3.7.2.ebuild | 291 -------------------------------
 3 files changed, 583 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9c810739029ebce491020ab8d319b7330aa168e

commit c9c810739029ebce491020ab8d319b7330aa168e
Author: Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-12-21 14:29:38 +0000
Commit: Eray Aslan <eras@gentoo.org>
CommitDate: 2020-12-21 14:35:58 +0000

    package.mask: mask vulnerable dovecot version

    masked instead of removing until mail-filter/dovecot_deleted_to_trash
    is treecleaned to prevent tree breakage (bugs #756217)

    Bug: https://bugs.gentoo.org/736617
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=340756b94cf702eeb0aa29f3ecef649cf226bb80

commit 340756b94cf702eeb0aa29f3ecef649cf226bb80
Author: Eray Aslan <eras@gentoo.org>
AuthorDate: 2021-01-21 08:35:23 +0000
Commit: Eray Aslan <eras@gentoo.org>
CommitDate: 2021-01-21 08:36:58 +0000

    net-mail/dovecot: remove vulnerable version. cleanup done

    Bug: https://bugs.gentoo.org/736617
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest | 2 -
 net-mail/dovecot/dovecot-2.2.36.4.ebuild | 287 ---------------------
 .../dovecot/files/dovecot-userdb-passwd-fix.patch | 18 --
 3 files changed, 307 deletions(-)

All done!
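
Added example, not part of the advisory or of this bug thread: one way to apply the CVE-2020-12100 workaround "Limit MIME structures in MTA" is a content-filter check that measures multipart nesting with an explicit stack instead of recursion and stops once a limit is passed. The function names, the limit of 20 and the sample message are assumptions made for illustration; message/rfc822 nesting is not counted.

```python
import re

# Matches a multipart Content-Type header and captures its boundary parameter.
_MULTIPART = re.compile(
    rb'content-type:\s*multipart/.*?boundary=(?:"([^"]+)"|([^;\s]+))',
    re.I | re.S)

def mime_nesting_depth(raw: bytes, limit: int) -> int:
    """Deepest multipart nesting seen in raw; stops scanning at limit + 1."""
    stack = []            # currently open boundaries, innermost last
    deepest = 0
    headers = b""         # header block of the part being read
    in_headers = True     # a message starts with its own header block
    for line in raw.splitlines():
        if in_headers:
            if line.strip():
                headers += b" " + line       # crude unfolding is enough here
                continue
            in_headers = False               # blank line ends the headers
            m = _MULTIPART.search(headers)
            headers = b""
            if m:
                stack.append(m.group(1) or m.group(2))
                deepest = max(deepest, len(stack))
                if deepest > limit:
                    return deepest           # bail out early, bounded work
            continue
        if not line.startswith(b"--"):
            continue
        token = line[2:].rstrip()
        for i in range(len(stack) - 1, -1, -1):
            if token == stack[i]:            # delimiter: a new part begins
                del stack[i + 1:]
                in_headers = True
                break
            if token == stack[i] + b"--":    # close-delimiter: multipart ends
                del stack[i:]
                break
    return deepest

def too_deep(raw: bytes, limit: int = 20) -> bool:   # 20 is an assumed policy value
    return mime_nesting_depth(raw, limit) > limit

# Constructed sample: three nested multipart levels around one text part.
SAMPLE = b"\r\n".join([
    b"From: a@example.org", b'Content-Type: multipart/mixed; boundary="b0"', b"",
    b"--b0", b'Content-Type: multipart/mixed; boundary="b1"', b"",
    b"--b1", b"Content-Type: multipart/alternative; boundary=b2", b"",
    b"--b2", b"Content-Type: text/plain", b"", b"hello",
    b"--b2--", b"--b1--", b"--b0--"])
```

A filter would reject or quarantine the message when `too_deep()` returns True, before it reaches submission, lmtp or lda.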