OXDC-ADV-2024-0001

Metadata

Document type: OX Dovecot Pro Security Advisory
Publisher: Open-Xchange GmbH
Classification: TLP:GREEN
Publication Date: 2024-09-02
Current version: 3
Version status: Final
Aggregate severity: Medium

References

Vulnerabilities

CVE-2024-25584: SMTP/Submission server accepts bad <LF>.<LF> end of data symbol (SMTP Smuggling)

CVE reference: CVE-2024-25584open in new window
Internal reference: DOV-6394
CWE: CWE-345 (Insufficient Verification of Data Authenticity)
Discovery date: 2023-12-28
Researcher credits: Hanno Böck <hanno@hboeck.de>

Description

Dovecot accepts dot LF DOT LF symbol as end of DATA command. RFC requires that it should always be CR LF DOT CR LF. This causes Dovecot to convert single mail with LF DOT LF in middle, into two emails when relaying to SMTP.

Product status

Last affected

Products	CVSS-Vector	CVSS Base Score
OX Dovecot Pro core 2.3.21.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	5.3

Threats

Impact

Dovecot will split mail with LF DOT LF into two mails.

Exploit status

No publicly available exploits are known.

Remediation

Vendor fix (2024-05-08)

For products

OX Dovecot Pro core 3.0.0

Upgrade to latest released version.

# OXDC-ADV-2024-0001

# Metadata

# References

# Vulnerabilities

# CVE-2024-25584: SMTP/Submission server accepts bad <LF>.<LF> end of data symbol (SMTP Smuggling)

# Description

# Product status

# Last affected

# Threats

# Impact

# Exploit status

# Remediation

# Vendor fix (2024-05-08)

# For products