OXDC-ADV-2024-0002
Metadata
- Document type: OX Dovecot Pro Security Advisory
- Publisher: Open-Xchange GmbH
- Classification: TLP:GREEN
- Publication Date: 2024-09-10
- Current version: 4
- Version status: Final
- Aggregate severity: Medium
References
Vulnerabilities
CVE-2024-23184: Excessive CPU usage with a large number of address headers
- CVE reference: CVE-2024-23184
- Internal reference: DOV-6464
- CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)
- Discovery date: 2024-01-30
Description
Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue.
Product status
Last affected
Products | CVSS-Vector | CVSS Base Score |
---|---|---|
OX Dovecot Pro core 2.3.21 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N | 5.0 |
Threats
Impact
An external attacker can send specially crafted messages that consume target system resources and cause outage.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2024-08-30)
For products
- OX Dovecot Pro core 2.3.21.1
- OX Dovecot Pro core 3.0.0
One can implement restrictions on address headers on MTA component preceding Dovecot.