#VU50017 Resource exhaustion in Mutt


Published: 2021-01-19 | Updated: 2021-01-26

Vulnerability identifier: #VU50017

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3181

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mutt
Client/Desktop applications / Office applications

Vendor: Mutt.org

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when handling email messages with sequences of semicolon characters in RFC822 address fields. A remote attacker can send a specially crafted email message, force the application to consume a huge amount of memory and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mutt: 2.0.1 - 2.0.4

External links
http://www.openwall.com/lists/oss-security/2021/01/19/10
http://gitlab.com/muttmua/mutt/-/commit/4a2becbdb4422aaffe3ce314991b9d670b7adf17
http://gitlab.com/muttmua/mutt/-/commit/939b02b33ae29bc0d642570c1dcfd4b339037d19
http://gitlab.com/muttmua/mutt/-/commit/d4305208955c5cdd9fe96dfa61e7c1e14e176a14
http://gitlab.com/muttmua/mutt/-/issues/323

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Red Hat Enterprise Linux 8 update for mutt
openEuler update for mutt
Arch Linux update for mutt
Debian update for mutt
Gentoo update for Mutt
Denial of service in Mutt
Ubuntu update for mutt
Resource exhaustion in mutt (Alpine package)