CVE-2024-23184

EUVD-2024-20703

10.09.2024, 15:15

Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause outage. One can implement restrictions on address headers on MTA component preceding Dovecot. No publicly available exploits are known.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 64%

Debian Releases

Debian Product

Codename

dovecot

bookworm	1:2.3.19.1+dfsg1-2.1+deb12u1 fixed
bookworm (security)	1:2.3.19.1+dfsg1-2.1+deb12u1 fixed
bullseye	vulnerable
bullseye (security)	1:2.3.13+dfsg1-2+deb11u2 fixed
buster	not-affected
forky	1:2.4.2+dfsg1-2 fixed
sid	1:2.4.2+dfsg1-2 fixed
stretch	not-affected
trixie	1:2.4.1+dfsg1-6+deb13u2 fixed
trixie (security)	1:2.4.1+dfsg1-6+deb13u1 fixed

Ubuntu Releases

Ubuntu Product

Codename

dovecot

bionic	not-affected
focal	not-affected
jammy	Fixed 1:2.3.16+dfsg1-3ubuntu2.4 released
noble	Fixed 1:2.3.21+dfsg1-2ubuntu6 released
trusty	not-affected
xenial	not-affected

openSUSE / SLES Releases

openSUSE Product

Release

dovecot23

suse enterprise sap 15 SP2	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP3	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP4	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP5	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP6	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP7	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP2	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP3	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP4	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP5	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP6	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP7	2.3.15-150200.65.1 fixed

dovecot23-backend-mysql

suse enterprise sap 15 SP2	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP3	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP4	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP5	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP6	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP7	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP2	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP3	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP4	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP5	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP6	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP7	2.3.15-150200.65.1 fixed

dovecot23-backend-pgsql

suse enterprise sap 15 SP2	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP3	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP4	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP5	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP6	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP7	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP2	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP3	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP4	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP5	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP6	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP7	2.3.15-150200.65.1 fixed

dovecot23-backend-sqlite

suse enterprise sap 15 SP2	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP3	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP4	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP5	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP6	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP7	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP2	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP3	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP4	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP5	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP6	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP7	2.3.15-150200.65.1 fixed

dovecot23-devel

suse enterprise sap 15 SP2	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP3	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP4	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP5	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP6	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP7	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP2	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP3	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP4	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP5	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP6	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP7	2.3.15-150200.65.1 fixed

dovecot23-fts

suse enterprise sap 15 SP2	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP3	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP4	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP5	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP6	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP7	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP2	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP3	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP4	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP5	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP6	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP7	2.3.15-150200.65.1 fixed

dovecot23-fts-lucene

suse enterprise sap 15 SP2	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP3	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP4	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP5	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP6	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP7	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP2	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP3	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP4	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP5	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP6	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP7	2.3.15-150200.65.1 fixed

dovecot23-fts-solr

suse enterprise sap 15 SP2	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP3	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP4	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP5	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP6	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP7	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP2	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP3	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP4	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP5	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP6	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP7	2.3.15-150200.65.1 fixed

dovecot23-fts-squat

suse enterprise sap 15 SP2	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP3	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP4	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP5	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP6	2.3.15-150200.65.1 fixed
suse enterprise sap 15 SP7	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP2	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP3	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP4	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP5	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP6	2.3.15-150200.65.1 fixed
suse enterprise server 15 SP7	2.3.15-150200.65.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

dovecot

RHEL 8	1:2.3.16-6.el8_10 fixed
RHEL 9	1:2.3.16-11.el9_4.1 fixed

dovecot-devel

RHEL 8	1:2.3.16-6.el8_10 fixed
RHEL 9	1:2.3.16-11.el9_4.1 fixed

dovecot-mysql

RHEL 8	1:2.3.16-6.el8_10 fixed
RHEL 9	1:2.3.16-11.el9_4.1 fixed

dovecot-pgsql

RHEL 8	1:2.3.16-6.el8_10 fixed
RHEL 9	1:2.3.16-11.el9_4.1 fixed

dovecot-pigeonhole

RHEL 8	1:2.3.16-6.el8_10 fixed
RHEL 9	1:2.3.16-11.el9_4.1 fixed

Common Weakness Enumeration

CWE-770 - Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References

https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2024/oxdc-adv-2024-0002.json

http://seclists.org/fulldisclosure/2024/Aug/17

http://www.openwall.com/lists/oss-security/2024/08/15/3

https://lists.debian.org/debian-lts-announce/2024/09/msg00002.html