FreeBSD : Dovecot -- Multiple vulnerabilities (37d106a8-15a4-483e-8247-fcb68b16eaf8)

high Nessus Plugin ID 136706

Language:

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Aki Tuomi reports :

Vulnerability Details : Sending malformed NOOP command causes crash in submission, submission-login or lmtp service.

Risk : Remote attacker can keep submission-login service down, causing denial of service attack. For lmtp the risk is neglible, as lmtp is usually behind a trusted MTA.

Steps to reproduce : Send ``NOOP EE'FY`` to submission port, or similarly malformed command.

Vulnerability Details :

Sending command followed by sufficient number of newlines triggers a use-after-free bug that might crash submission-login, submission or lmtp service.

Risk :

Remote attacker can keep submission-login service down, causing denial of service attack. For lmtp the risk is neglible, as lmtp is usually behind a trusted MTA.

Steps to reproduce :

This can be currently reproduced with ASAN or Valgrind. Reliable way to crash has not yet been discovered.

Vulnerability Details : Sending mail with empty quoted localpart causes submission or lmtp component to crash.

Risk : Malicious actor can cause denial of service to mail delivery by repeatedly sending mails with bad sender or recipient address.

Steps to reproduce : Send mail with envelope sender or recipient as <''@example.org>.

Workaround : For submission there is no workaround, but triggering the bug requires valid credentials. For lmtp, one can implement sufficient filtering on MTA level to prevent mails with such addresses from ending up in LMTP delivery.

Solution

Update the affected package.

See Also

https://dovecot.org/pipermail/dovecot-news/2020-May/000438.html

http://www.nessus.org/u?3f67388d

Plugin Details

Severity: High

ID: 136706

File Name: freebsd_pkg_37d106a815a4483e8247fcb68b16eaf8.nasl

Version: 1.4

Type: local

Published: 5/19/2020

Updated: 5/13/2022

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2020-10967

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2020-10957

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:dovecot, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/18/2020

Vulnerability Publication Date: 4/2/2020

Reference Information

CVE: CVE-2020-10957, CVE-2020-10958, CVE-2020-10967