OXDC-ADV-2024-0002

Metadata

  • Document type: OX Dovecot Pro Security Advisory
  • Publisher: Open-Xchange GmbH
  • Classification: TLP:GREEN
  • Publication Date: 2024-09-10
  • Current version: 4
  • Version status: Final
  • Aggregate severity: Medium

References

Vulnerabilities

CVE-2024-23184: Excessive CPU usage with a large number of address headers

  • CVE reference: CVE-2024-23184open in new window
  • Internal reference: DOV-6464
  • CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)
  • Discovery date: 2024-01-30

Description

Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue.

Product status

Last affected
ProductsCVSS-VectorCVSS Base Score
OX Dovecot Pro core 2.3.21CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N5.0

Threats

Impact

An external attacker can send specially crafted messages that consume target system resources and cause outage.

Exploit status

No publicly available exploits are known.

Remediation

Vendor fix (2024-08-30)
For products
  • OX Dovecot Pro core 2.3.21.1
  • OX Dovecot Pro core 3.0.0

One can implement restrictions on address headers on MTA component preceding Dovecot.