Monday, September 2, 2019

Vulnerability identified in Dovecot and Pigeonhole

We have been made aware of a vulnerability in the Dovecot and Pigeonhole packages that, if exploited, can lead to leaking private information or remote code execution.

All Dovecot versions prior to 2.3.7.2 and 2.2.36.4 are affected along with Pigeonhole prior to version 0.5.7.2.
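To turn the affected-version statement above into a check that can be run against a server's reported versions, here is an added Python example (not code from the advisory, from Dovecot or from Ucartz). It assumes the version string comes from `dovecot --version` or a package query and compares per branch: 2.2.x against 2.2.36.4 and 2.3.x against 2.3.7.2, with Pigeonhole 0.5.x against 0.5.7.2. A version older than every fixed branch is treated as affected (it is "prior to" all of them), and a branch the advisory does not name is reported as undetermined rather than guessed.

```python
import re

# Fixed releases as stated in the advisory; anything earlier within a branch is affected.
FIXED_VERSIONS = {
    "dovecot": {(2, 3): (2, 3, 7, 2), (2, 2): (2, 2, 36, 4)},
    "pigeonhole": {(0, 5): (0, 5, 7, 2)},
}


def parse_version(text: str) -> tuple:
    """Extract the first dotted version number from a line such as the output of
    `dovecot --version` (e.g. "2.3.4.1 (abcdef0)") and return it as a tuple of ints."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_vulnerable(component: str, version_text: str):
    """Return True if the installed version is before the fixed release of its branch,
    False if it is at or past the fix, and None when the advisory names no fixed
    release for that branch and the version is not older than every fixed branch."""
    version = parse_version(version_text)
    table = FIXED_VERSIONS[component]
    fixed = table.get(version[:2])
    if fixed is not None:
        # Tuple comparison treats a shorter prefix as smaller, so (2, 3, 7) < (2, 3, 7, 2).
        return version < fixed
    if version < min(table.values()):
        return True   # older than every fixed branch, hence prior to all of them
    return None       # a newer branch than the advisory covers: cannot decide from this data


if __name__ == "__main__":
    # Constructed sample version strings (the trailing hash is a placeholder, not a real commit).
    samples = [
        ("dovecot", "2.3.4.1 (abcdef0)"),
        ("dovecot", "2.2.36.4"),
        ("pigeonhole", "0.5.4"),
    ]
    for component, text in samples:
        state = {True: "AFFECTED", False: "fixed", None: "undetermined"}[is_vulnerable(component, text)]
        print(f"{component} {text}: {state}")
```

The per-branch table matters because a plain numeric comparison against 2.3.7.2 alone would wrongly flag a patched 2.2.36.4 install as affected.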


Technical Overview
CVE-2019-11500

In affected versions, the IMAP and ManageSieve protocol parsers do not properly handle a NUL byte ('\0') when scanning data in quoted strings. This can lead to out-of-bounds writes and remote code execution.

This vulnerability allows out-of-bounds writes to objects stored on the heap of up to 8096 bytes in the pre-login phase and 65536 bytes in the post-login phase, allowing a sufficiently skilled attacker to perform complicated attacks that can lead to leaking private information or remote code execution.
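As an added illustration of the parsing rule involved (example code written for this page, not Dovecot's or Pigeonhole's own parser), here is a bounds-checked scanner for an IMAP quoted string. RFC 3501 allows only TEXT-CHARs and the two backslash escapes (`\"` and `\\`) inside double quotes, and TEXT-CHAR excludes NUL, CR and LF, so a scanner that treats NUL as a hard parse error and checks an explicit output limit before every write cannot be driven past the end of its buffer. The `max_len` bound and the `scan_args` helper are assumptions of this example, not Dovecot settings or functions.

```python
class QuotedStringError(ValueError):
    """Raised when the input is not a well-formed IMAP quoted string."""


def scan_quoted(data: bytes, start: int = 0, max_len: int = 1024):
    """Scan an IMAP quoted string that begins at data[start].

    Grammar (RFC 3501): quoted = DQUOTE *QUOTED-CHAR DQUOTE, where QUOTED-CHAR is any
    TEXT-CHAR other than '"' or '\\', or a backslash followed by '"' or '\\'.
    TEXT-CHAR excludes CR, LF and NUL, so those bytes end parsing with an error
    instead of being copied.  Returns (decoded_bytes, index_after_closing_quote).
    """
    if start >= len(data) or data[start] != 0x22:
        raise QuotedStringError("expected opening double quote")
    out = bytearray()
    i = start + 1
    end = len(data)
    while i < end:
        c = data[i]
        if c == 0x22:                       # closing quote
            return bytes(out), i + 1
        if c == 0x5C:                       # backslash: only \" and \\ are legal
            if i + 1 >= end:
                raise QuotedStringError("truncated escape sequence")
            c = data[i + 1]
            if c not in (0x22, 0x5C):
                raise QuotedStringError("invalid escape sequence")
            i += 2
        else:
            if c in (0x00, 0x0D, 0x0A):     # NUL, CR and LF are not TEXT-CHARs
                raise QuotedStringError(f"illegal byte 0x{c:02x} in quoted string")
            i += 1
        # The output bound is checked before every append, never after the write.
        if len(out) >= max_len:
            raise QuotedStringError("quoted string exceeds max_len")
        out.append(c)
    raise QuotedStringError("unterminated quoted string")


def scan_args(line: bytes, max_len: int = 1024):
    """Split a space-separated run of quoted strings, e.g. b'"foo" "bar"', into a list.
    Anything other than quoted strings separated by single spaces is rejected."""
    args = []
    i = 0
    while i < len(line):
        value, i = scan_quoted(line, i, max_len)
        args.append(value)
        if i < len(line):
            if line[i] != 0x20:
                raise QuotedStringError("expected a space between arguments")
            i += 1
    return args


def is_well_formed(line: bytes, max_len: int = 1024) -> bool:
    """True if every argument on the line parses as a legal quoted string."""
    try:
        scan_args(line, max_len)
        return True
    except QuotedStringError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a legal pair of arguments and one carrying an embedded NUL byte.
    print(scan_args(b'"foo" "bar"'))
    print(is_well_formed(b'"foo" "ba\x00r"'))
```

The important property is that the length check and the NUL check both happen before the byte is stored; a scanner that keys its loop on the quote character alone, or that defers the bound check until after copying, is the shape of defect the advisory describes.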

Exploitation of this bug is very difficult to observe, as it does not necessarily cause a crash, and exploitation attempts are not directly evident from logs.

However, exploiting this vulnerability appears difficult, because the attacker cannot control where on the heap the overwrite lands; an attacker trying over and over to hit a usable area instead ends up posing a DoS or DDoS threat until the service is fixed.

This bug is best observed under Valgrind, which shows the out-of-bounds read triggered by the following snippet:
perl -e 'print "a id (\"foo\" \"".("x"x1021)."\\A\" \"bar\"\"\000".("x"x1020)."\\A\")\n"' | nc localhost 14


Mitigation
There is no workaround for the issue, and all users are advised to update to the latest patch release. We also recommend stopping the dovecot service if it is running on a server but not in use.

We at Ucartz always encourage our customers to follow security best practices and keep their systems updated, protected and patched against known vulnerabilities.


Official security advisories

https://dovecot.org/pipermail/dovecot-news/2019-August/000418.html
https://usn.ubuntu.com/4110-1/#update-instructions
https://security-tracker.debian.org/tracker/CVE-2019-11500
https://access.redhat.com/security/cve/cve-2019-11500


If you have any queries regarding the patching/updates on Ucartz infrastructure, you can contact us through the support ticket.