Multiple vulnerabilities in Dovecot IMAP server

1) NULL pointer dereference

EUVDB-ID: #VU27981

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-10957

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when processing NOOP command. A remote attacker can send a specially crafted NOOP command to submission, submission-login or lmtp service, trigger a NULL pointer dereference and perform a denial of service attack.

PoC command:

``NOOP EE"FY``

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Dovecot: 2.3.0 - 2.3.10

External links

http://dovecot.org/pipermail/dovecot-news/2020-May/000438.html
http://seclists.org/oss-sec/2020/q2/122

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use-after-free

EUVDB-ID: #VU27983

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-10958

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error when processing newline characters. A remote attacker can a specially crafted command to submission, submission-login or lmtp service and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Dovecot: 2.3.0 - 2.3.10

External links

http://seclists.org/oss-sec/2020/q2/122
http://dovecot.org/pipermail/dovecot-news/2020-May/000438.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU27984

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-10967

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input passed via email message. A remote attacker can send a specially crafted email with empty quoted localpart and crash the submission or lmtp service.

PoC:

Send mail with envelope sender or recipient as ``<""@example.org>``.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Dovecot: 2.3.0 - 2.3.10

External links

http://seclists.org/oss-sec/2020/q2/122
http://dovecot.org/pipermail/dovecot-news/2020-May/000438.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.