Aki Tuomi
2019-Dec-13 10:44 UTC
[Dovecot-news] CVE-2019-19722: Critical vulnerability in Dovecot
Open-Xchange Security Advisory 2019-12-13 ? Product: Dovecot IMAP/POP3 Server Vendor: OX Software GmbH ? Internal reference: DOV-3719 Vulnerability type: NULL Pointer Dereference (CWE-476) Vulnerable version: 2.3.9 Vulnerable component: push notification driver Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.9.1 Researcher credits: Frederik Schwan, Michael Stilkerich Vendor notification: 2019-12-10 Solution date: 2019-12-12 Public disclosure: 2019-12-13 CVE reference: CVE-2019-19722 CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C) ? Vulnerability Details: Mail with group address as sender will cause a signal 11 crash in push notification drivers. Group address as recipient can cause crash in some drivers. ? Risk: Repeated delivery attempts are made for the problematic mail, causing queueing in MTA. ? Steps to reproduce: 1. Configure dovecot with push notifications enabled, such as OX push notification driver. This can also be observed with 3rd party plugin XAPS. 2. Send mail a group address as sender ? Solution: Operators should update to the latest Patch Release. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: <https://dovecot.org/pipermail/dovecot-news/attachments/20191213/eb341a83/attachment.sig>
aki.tuomi at dovecot.fi
2019-Dec-13 14:17 UTC
[Dovecot-news] CVE-2019-19722: Critical vulnerability in Dovecot
> On 13/12/2019 12:44 Aki Tuomi <aki.tuomi at dovecot.fi> wrote: > > > Open-Xchange Security Advisory 2019-12-13 > ? > Product: Dovecot IMAP/POP3 Server > Vendor: OX Software GmbH > ? > Internal reference: DOV-3719 > Vulnerability type: NULL Pointer Dereference (CWE-476) > Vulnerable version: 2.3.9 > Vulnerable component: push notification driver > Report confidence: Confirmed > Solution status: Fixed by Vendor > Fixed version: 2.3.9.1 > Researcher credits: Frederik Schwan, Michael Stilkerich > Vendor notification: 2019-12-10 > Solution date: 2019-12-12 > Public disclosure: 2019-12-13 > CVE reference: CVE-2019-19722 > CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C) > ? > Vulnerability Details: > Mail with group address as sender will cause a signal 11 crash in push > notification drivers. Group address as recipient can cause crash in some > drivers. > ? > Risk: > Repeated delivery attempts are made for the problematic mail, causing > queueing in MTA. > ? > Steps to reproduce: > 1. Configure dovecot with push notifications enabled, such as OX push > notification driver. This can also be observed with 3rd party plugin XAPS. > 2. Send mail a group address as sender > ? > Solution: > Operators should update to the latest Patch Release.Turns out the fix was only partial fix, please update to 2.3.9.2 instead of 2.3.9.1. CVE remains the same. Aki Tuomi Open-Xchange oy -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 475 bytes Desc: not available URL: <https://dovecot.org/pipermail/dovecot-news/attachments/20191213/7851320d/attachment.sig>
Apparently Analagous Threads
- CVE-2019-19722: Critical vulnerability in Dovecot
- CVE-2021-33515: SMTP Submission service STARTTLS injection
- CVE-2021-33515: SMTP Submission service STARTTLS injection
- CVE-2020-24386: IMAP hibernation allows accessing other peoples mail
- CVE-2020-24386: IMAP hibernation allows accessing other peoples mail