In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts.
Weakness
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Dovecot | Dovecot | * | 2.3.11.3 (excluding) |
| Red Hat Enterprise Linux 7 | RedHat | dovecot-1:2.2.36-6.el7_8.1 | * |
| Red Hat Enterprise Linux 8 | RedHat | dovecot-1:2.3.8-2.el8_2.2 | * |
| Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions | RedHat | dovecot-1:2.2.36-5.el8_0.3 | * |
| Red Hat Enterprise Linux 8.1 Extended Update Support | RedHat | dovecot-1:2.2.36-10.el8_1.2 | * |
| Dovecot | Ubuntu | bionic | * |
| Dovecot | Ubuntu | devel | * |
| Dovecot | Ubuntu | esm-infra-legacy/trusty | * |
| Dovecot | Ubuntu | esm-infra/bionic | * |
| Dovecot | Ubuntu | esm-infra/focal | * |
| Dovecot | Ubuntu | esm-infra/xenial | * |
| Dovecot | Ubuntu | focal | * |
| Dovecot | Ubuntu | precise/esm | * |
| Dovecot | Ubuntu | trusty | * |
| Dovecot | Ubuntu | trusty/esm | * |
| Dovecot | Ubuntu | upstream | * |
| Dovecot | Ubuntu | xenial | * |
Potential Mitigations
Related Attack Patterns
References
- http://seclists.org/fulldisclosure/2021/Jan/18
- http://www.openwall.com/lists/oss-security/2020/08/12/1
- http://www.openwall.com/lists/oss-security/2021/01/04/3
- https://dovecot.org/security
- https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/
- https://security.gentoo.org/glsa/202009-02
- https://usn.ubuntu.com/4456-1/
- https://usn.ubuntu.com/4456-2/
- https://www.debian.org/security/2020/dsa-4745
- http://seclists.org/fulldisclosure/2021/Jan/18
- http://www.openwall.com/lists/oss-security/2020/08/12/1
- http://www.openwall.com/lists/oss-security/2021/01/04/3
- https://dovecot.org/security
- https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/
- https://security.gentoo.org/glsa/202009-02
- https://usn.ubuntu.com/4456-1/
- https://usn.ubuntu.com/4456-2/
- https://www.debian.org/security/2020/dsa-4745