#VU18400 Resource management error in Dovecot - CVE-2019-11499


Vulnerability identifier: #VU18400

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-11499

CWE-ID: CWE-399

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Dovecot
Server applications / Mail servers

Vendor: Dovecot

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect resource management error within the submission-login when processing incorrect authentication messages over TLS secure channel. A remote attacker can send an invalid authentication message and crash the service.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Dovecot: 2.3.0 - 2.3.5.2

External links
https://dovecot.org/doc/NEWS-2.3

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell EMC Cyber Recovery
OpenSUSE Linux update for dovecot23
OpenSUSE Linux update for dovecot23
Fedora 29 update for dovecot
Fedora 30 update for dovecot
Arch Linux update for dovecot
Resource management error in dovecot (Alpine package)
Multiple vulnerabilities in Dovecot
Ubuntu update for Dovecot