Dovecot remote DoS on TLS connections

2015.04.27
Credit: Hanno Böck
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Hi,

The current Dovecot (2.2.16) imap/pop3 server has an issue that handshake failures will lead to a crash of the login process. An example where this is triggered is if the server is configured to not allow SSLv3 connections and a client tries to connect with SSLv3 only.

The reason is that the error handling routine will try to finish the handshake and that will crash. Details here:
http://dovecot.org/pipermail/dovecot/2015-April/100618.html

I had created a patch; one of the Dovecot devs created a more thorough patch that will probably catch more error states properly:
http://dovecot.org/tmp/diff
(URL likely not stable)

Nothing is applied yet, I think. I think this deserves a CVE.

There is a related issue in OpenSSL: it will crash instead of throwing an error if one tries to use a connection context that already failed. One could argue that this is not an OpenSSL issue, because apps need to properly check errors. Matt Caswell has created a patch to let OpenSSL handle these situations more gracefully:
https://rt.openssl.org/Ticket/Display.html?id=3818&user=guest&pass=guest

cu,
--
Hanno Böck
http://hboeck.de/
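The error-path rule the report points at (a fatal handshake error ends all TLS calls on that connection) can be modelled with Python's ssl module. This is an added example, not code from the original post, from Dovecot, or from either patch; the LoginConn class, its method names, and the BAD_HELLO bytes are constructed for illustration.

```python
import ssl

# Constructed sample input: bytes that are not a TLS record at all.
BAD_HELLO = b"NOT A TLS CLIENTHELLO\r\n"

class LoginConn:
    """Hypothetical server-side connection wrapper over in-memory BIOs."""

    def __init__(self, ctx):
        self.incoming = ssl.MemoryBIO()
        self.outgoing = ssl.MemoryBIO()
        self.tls = ctx.wrap_bio(self.incoming, self.outgoing, server_side=True)
        self.state = "handshaking"
        self.error = None

    def feed(self, data):
        """Pass client bytes to the handshake; return the connection state."""
        if self.state == "failed":
            return self.state          # a failed TLS object is never touched again
        self.incoming.write(data)
        try:
            self.tls.do_handshake()
            self.state = "established"
        except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
            pass                       # incomplete record: wait for more bytes
        except ssl.SSLError as exc:
            self.state = "failed"      # fatal: record it and drop the TLS object
            self.error = exc.reason or str(exc)
            self.tls = None
        return self.state

    def close(self):
        """Tear down; only an established session gets a TLS shutdown."""
        if self.state == "established":
            try:
                self.tls.unwrap()
            except ssl.SSLError:
                pass
            result = "shutdown"
        else:
            result = "discarded"       # no handshake or shutdown call on the error path
        self.tls, self.state = None, "closed"
        return result

def run_bad_handshake():
    conn = LoginConn(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))
    states = [conn.feed(BAD_HELLO[:2]), conn.feed(BAD_HELLO[2:]), conn.feed(b"more")]
    return states, conn.error, conn.close()
```

The two non-fatal exceptions are caught first because they are subclasses of ssl.SSLError; treating them as fatal would drop clients whose handshake merely arrives in pieces.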

References:

https://rt.openssl.org/Ticket/Display.html?id=3818&user=guest&pass=guest
http://dovecot.org/pipermail/dovecot/2015-April/100618.html



Copyright 2024, cxsecurity.com

 
