Bug 1145559 (CVE-2019-11500)

Summary: VUL-0: CVE-2019-11500: dovecot22, dovecot23: IMAP and ManageSieve protocol parsers do not properly handle NUL byte
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Peter Varkoly <varkoly>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: atoptsoglou, cschinabeck, stefan.kunze, sven.herbers-lee, varkoly
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/239593/
Whiteboard: CVSSv3:SUSE:CVE-2019-11500:8.1:(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv2:NVD:CVE-2019-11500:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv3:NVD:CVE-2019-11500:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 7 Alexandros Toptsoglou 2019-08-29 07:32:02 UTC 
now public through oss-sec 


Open-Xchange Security Advisory 2019-08-14
 
Product: Dovecot
Vendor: OX Software GmbH
 
Internal reference: DOV-3278
Vulnerability type: Improper input validation (CWE-20)
Vulnerable version: All versions prior to 2.3.7.2 and 2.2.36.4
Vulnerable component: IMAP and ManageSieve protocol parsers (before and
after login)
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.7.2, 2.2.36.4
Researcher credits: Nick Roessler and Rafi Rubin, University of Pennsylvania
Vendor notification: 2019-04-13
Solution date: 2019-06-05
Public disclosure: 2019-08-28
CVE reference: CVE-2019-11500
CVSS: 8.1 (CVSS3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
 
Vulnerability Details:

IMAP and ManageSieve protocol parsers do not properly handle NUL byte
when scanning data in quoted strings, leading to out of bounds heap
memory writes.

Risk:

This vulnerability allows for out-of-bounds writes to objects stored on
the heap up to 8096 bytes in pre-login phase, and 65536 bytes post-login
phase, allowing sufficiently skilled attacker to perform complicated
attacks that can lead to leaking private information or remote code
execution. Abuse of this bug is very difficult to observe, as it does
not necessarily cause a crash. Attempts to abuse this bug are not
directly evident from logs.

Steps to reproduce:

This bug is best observed using valgrind to see the out of bounds read
with following snippet:

perl -e 'print "a id (\"foo\" \"".("x"x1021)."\\A\" \"bar\"
\"\000".("x"x1020)."\\A\")\n"' | nc localhost 143


Solution:

Operators should update to the latest Patch Release. There is no
workaround for the issue.
Comment 8 Swamp Workflow Management 2019-08-29 11:20:08 UTC 
This is an autogenerated message for OBS integration:
This bug (1145559) was mentioned in
https://build.opensuse.org/request/show/726988 Factory / dovecot23
Comment 9 Robert Frohl 2019-09-03 12:39:39 UTC 
tracking these codestreams as affected:
- SUSE:SLE-12:Update
- SUSE:SLE-15:Update 
- SUSE:SLE-15-SP1:Update
Comment 15 Swamp Workflow Management 2019-09-24 19:12:38 UTC 
SUSE-SU-2019:2454-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1145559
CVE References: CVE-2019-11500
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    dovecot22-2.2.31-19.17.1
SUSE OpenStack Cloud 8 (src):    dovecot22-2.2.31-19.17.1
SUSE OpenStack Cloud 7 (src):    dovecot22-2.2.31-19.17.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    dovecot22-2.2.31-19.17.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    dovecot22-2.2.31-19.17.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    dovecot22-2.2.31-19.17.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    dovecot22-2.2.31-19.17.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    dovecot22-2.2.31-19.17.1
SUSE Linux Enterprise Server 12-SP5 (src):    dovecot22-2.2.31-19.17.1
SUSE Linux Enterprise Server 12-SP4 (src):    dovecot22-2.2.31-19.17.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    dovecot22-2.2.31-19.17.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    dovecot22-2.2.31-19.17.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    dovecot22-2.2.31-19.17.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    dovecot22-2.2.31-19.17.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    dovecot22-2.2.31-19.17.1
SUSE Enterprise Storage 5 (src):    dovecot22-2.2.31-19.17.1
SUSE Enterprise Storage 4 (src):    dovecot22-2.2.31-19.17.1
HPE Helion Openstack 8 (src):    dovecot22-2.2.31-19.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2019-10-02 16:23:28 UTC 
SUSE-SU-2019:2514-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1133624,1133625,1145559
CVE References: CVE-2019-11494,CVE-2019-11499,CVE-2019-11500
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    dovecot23-2.3.3-8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2019-10-07 19:14:07 UTC 
openSUSE-SU-2019:2278-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1133624,1133625,1145559
CVE References: CVE-2019-11494,CVE-2019-11499,CVE-2019-11500
Sources used:
openSUSE Leap 15.0 (src):    dovecot23-2.3.3-lp150.14.1
Comment 20 Swamp Workflow Management 2019-10-07 19:15:35 UTC 
openSUSE-SU-2019:2281-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1133624,1133625,1145559
CVE References: CVE-2019-11494,CVE-2019-11499,CVE-2019-11500
Sources used:
openSUSE Leap 15.1 (src):    dovecot23-2.3.3-lp151.2.6.1
Comment 21 Peter Varkoly 2019-11-13 12:32:08 UTC 
Updates are released.