OXDC-ADV-2024-0002

Metadata

Document type: OX Dovecot Pro Security Advisory
Publisher: Open-Xchange GmbH
Classification: TLP:GREEN
Publication Date: 2024-09-10
Current version: 4
Version status: Final
Aggregate severity: Medium

References

Vulnerabilities

CVE-2024-23184: Excessive CPU usage with a large number of address headers

CVE reference: CVE-2024-23184open in new window
Internal reference: DOV-6464
CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)
Discovery date: 2024-01-30

Description

Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue.

Product status

Last affected

Products	CVSS-Vector	CVSS Base Score
OX Dovecot Pro core 2.3.21	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N	5.0

Threats

Impact

An external attacker can send specially crafted messages that consume target system resources and cause outage.

Exploit status

No publicly available exploits are known.

Remediation

Vendor fix (2024-08-30)

For products

OX Dovecot Pro core 2.3.21.1
OX Dovecot Pro core 3.0.0

One can implement restrictions on address headers on MTA component preceding Dovecot.

# OXDC-ADV-2024-0002

# Metadata

# References

# Vulnerabilities

# CVE-2024-23184: Excessive CPU usage with a large number of address headers

# Description

# Product status

# Last affected

# Threats

# Impact

# Exploit status

# Remediation

# Vendor fix (2024-08-30)

# For products