Dovecot up to 2.3.20 Address Header resource consumption

Summaryinfo

A vulnerability marked as critical has been reported in Dovecot. This affects an unknown function of the component Address Header Handler. The manipulation leads to resource consumption. This vulnerability is listed as CVE-2024-23184. The attack may be initiated remotely. In addition, an exploit is available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability was found in Dovecot. It has been rated as critical. This issue affects an unknown code of the component Address Header Handler. The manipulation with an unknown input leads to a resource consumption vulnerability. Using CWE to declare the problem leads to CWE-400. The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Impacted is availability. The summary by CVE is:

Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause outage. One can implement restrictions on address headers on MTA component preceding Dovecot. No publicly available exploits are known.

The weakness was presented by Aki Tuomi. The advisory is shared at seclists.org. The identification of this vulnerability is CVE-2024-23184 since 01/12/2024. The exploitation is known to be easy. The attack may be initiated remotely. Technical details are unknown but a public exploit is available. MITRE ATT&CK project uses the attack technique T1499 for this issue.

The exploit is available at packetstormsecurity.com. It is declared as proof-of-concept. The vulnerability scanner Nessus provides a plugin with the ID 207760 (AlmaLinux 8 : dovecot (ALSA-2024:6973)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 2.3.21.1 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (207760). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• Mail Server Software

Name

• Dovecot

Version

• 0.99.13
• 0.99.14
• 1.0
• 1.0 Beta2
• 1.0 Beta3
• 1.0 Beta7
• 1.0 Rc29
• 1.0.1
• 1.0.2
• 1.0.3
• 1.0.4
• 1.0.5
• 1.0.6
• 1.0.7
• 1.0.8
• 1.0.9
• 1.0.10
• 1.0.12
• 1.0.beta2
• 1.0.beta3
• 1.0.beta7
• 1.0.beta8
• 1.0.rc1
• 1.0.rc2
• 1.0.rc3
• 1.0.rc4
• 1.0.rc5
• 1.0.rc6
• 1.0.rc7
• 1.0.rc8
• 1.0.rc9
• 1.0.rc10
• 1.0.rc11
• 1.0.rc12
• 1.0.rc13
• 1.0.rc14
• 1.0.rc15
• 1.0.rc29
• 1.0beta2
• 1.0beta3
• 1.1
• 1.1.0
• 1.1.1
• 1.1.2
• 1.1.3
• 1.1.4
• 1.1.5
• 1.1.6
• 1.2.0
• 1.2.1
• 1.2.2
• 1.2.3
• 1.2.4
• 1.2.5
• 1.2.6
• 1.2.7
• 1.2.8
• 1.2.9
• 1.2.10
• 1.2.11
• 1.2.12
• 1.2.13
• 1.2.14
• 1.2.15
• 1.2.16
• 2.0.0
• 2.0.1
• 2.0.2
• 2.0.3
• 2.0.4
• 2.0.5
• 2.0.6
• 2.0.7
• 2.0.8
• 2.0.9
• 2.0.10
• 2.0.11
• 2.0.12
• 2.0.13
• 2.0.14
• 2.0.15
• 2.1
• 2.1.0
• 2.1.1
• 2.1.2
• 2.1.3
• 2.1.4
• 2.1.5
• 2.1.6
• 2.1.7
• 2.1.10
• 2.1.11
• 2.1.12
• 2.1.13
• 2.1.14
• 2.1.15
• 2.2
• 2.2.0
• 2.2.1
• 2.2.2
• 2.2.3
• 2.2.4
• 2.2.5
• 2.2.6
• 2.2.13
• 2.2.17
• 2.2.27
• 2.2.29
• 2.2.34
• 2.2.36.1
• 2.2.36.3
• 2.2.36.4
• 2.3.0
• 2.3.4.0
• 2.3.4.1
• 2.3.5.0
• 2.3.5.1
• 2.3.5.2
• 2.3.7.1
• 2.3.7.2
• 2.3.9.0
• 2.3.9.1
• 2.3.9.2
• 2.3.9.3
• 2.3.10.1
• 2.3.11.3
• 2.3.13
• 2.3.15
• 2.3.19
• 2.3.20

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion