ASA-2019-00532 – Dovecot: Out-of-bounds heap memory write in IMAP and ManageSieve protocol parsers

Posted on by Allele Security Intelligence in Alerts

Allele Security Alert

ASA-2019-00532

Identifier(s)

ASA-2019-00532, DOV-3278, CVE-2019-11500

Title

Out-of-bounds heap memory write in IMAP and ManageSieve protocol parsers

Vendor(s)

OX Software GmbH

Product(s)

Dovecot

Affected version(s)

All versions of Dovecot prior to 2.3.7.2 and 2.2.36.4

Fixed version(s)

Dovecot versions 2.3.7.2 and 2.2.36.4

Proof of concept

Yes

Description

IMAP and ManageSieve protocol parsers do not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap memory writes.

Technical details

This vulnerability allows for out-of-bounds writes to objects stored on the heap up to 8096 bytes in pre-login phase, and 65536 bytes post-login phase, allowing sufficiently skilled attacker to perform complicated attacks that can lead to leaking private information or remote code execution. Abuse of this bug is very difficult to observe, as it does not necessarily cause a crash. Attempts to abuse this bug are not directly evident from logs.

Steps to reproduce:

This bug is best observed using valgrind to see the out of bounds read with following snippet:

perl -e 'print "a id (\"foo\" \"".("x"x1021)."\\A\" \"bar\"
\"\000".("x"x1020)."\\A\")\n"' | nc localhost 143

Credits

Nick Roessler (University of Pennsylvania) and Rafi Rubin (University of Pennsylvania)

Reference(s)

Critical Dovecot and Pigeonhole vulnerability
https://www.openwall.com/lists/oss-security/2019/08/28/3

CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole
https://dovecot.org/pipermail/dovecot/2019-August/116873.html

Bug 240174 – mail/dovecot: Update to 2.3.7.2 (Fixes CVE-2019-11500)
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240174

lib-imap: Don’t accept strings with NULs
https://github.com/dovecot/core/commit/eda0f7f0b9a713d931ba41c4364c6a24d035cd8e

lib-imap: Make sure str_unescape() won’t be writing past allocated memory
https://github.com/dovecot/core/commit/e5e3a8fed685af7ed45d584f5406e9dd2a490669

lib-managesieve: Don’t accept strings with NULs
https://github.com/dovecot/pigeonhole/commit/16e047c54ca23f6fd585734c4f11c683df4a21eb

lib-managesieve: Make sure str_unescape() won’t be writing past allocated memory
https://github.com/dovecot/pigeonhole/commit/10c5cbe87aa0bd7daee11561a3b24460f9a65bec

CVE-2019-11500 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-11500

CVE-2019-11500 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11500.html

CVE-2019-11500
https://security-tracker.debian.org/tracker/CVE-2019-11500

CVE-2019-11500 | SUSE
https://www.suse.com/security/cve/CVE-2019-11500

CVE-2019-11500
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11500

CVE-2019-11500
https://nvd.nist.gov/vuln/detail/CVE-2019-11500

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: September 4, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.