{"id":775,"date":"2021-07-23T12:37:51","date_gmt":"2021-07-23T12:37:51","guid":{"rendered":"https:\/\/ssdsunucum.com\/blog\/cve-2019-7524-buffer-overflow-when-reading-extension-header-from-dovecot-index-files\/"},"modified":"2021-07-23T12:37:51","modified_gmt":"2021-07-23T12:37:51","slug":"cve-2019-7524-buffer-overflow-when-reading-extension-header-from-dovecot-index-files","status":"publish","type":"post","link":"https:\/\/ssdsunucum.com\/blog\/cve-2019-7524-buffer-overflow-when-reading-extension-header-from-dovecot-index-files\/","title":{"rendered":"CVE 2019 7524 Buffer overflow when reading extension header from Dovecot index files"},"content":{"rendered":"<\/p>\n
\n
<\/div>\n
\n

Background Information<\/h2>\n

We were made aware of a CVE in Dovecot Versions 2.0.14 – 2.3.5 that involves using Solr on Thursday, March 28th 2019.<\/p>\n

Releases<\/h2>\n
    \n
  • \n

    70 \u2014 70.0.68<\/p>\n<\/li>\n

  • \n

    76 \u2014 EOL<\/p>\n<\/li>\n

  • \n

    78 \u2014 78.0.20<\/p>\n<\/li>\n

  • \n

    CURRENT \u2014 78.0.20<\/p>\n<\/li>\n

  • \n

    RELEASE \u2014 78.0.20<\/p>\n<\/li>\n

  • \n

    STABLE \u2014 78.0.20<\/p>\n<\/li>\n<\/ul>\n

    Impact<\/h2>\n

    According to the vendor, the risk involves a local root<\/code> privilege escalation or executing arbitrary code in Dovecot process context.<\/p>\n

    The following lines in dovecot.conf<\/code> are affected: <\/p>\n

    \n
    \n\n\n
    \n
    1\n<\/span>2\n<\/span><\/code><\/pre>\n<\/td>\n
    		\n
    dovecot<\/span>.conf<\/span>: mail_plugins<\/span> = quota<\/span> quota_clone<\/span> zlib<\/span> fts<\/span> fts_solr<\/span>\ndovecot<\/span>.conf<\/span>: mail_plugins<\/span> = $<\/span>mail_plugins<\/span> zlib<\/span> imap_zlib<\/span> quota_clone<\/span> virtual<\/span>  fts<\/span> fts_solr<\/span><\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n
    How to determine if your server is up to date<\/h2>\n
    The updated RPMs provided by cPanel will contain a changelog entry with the CVE number. You can check for this changelog entry with the following command: <\/p>\n
    \n
    rpm -<\/span>q --changelog <\/span>dovecot |<\/span> grep CVE-<\/span>2019<\/span>-<\/span>7524<\/span><\/code><\/pre>\n<\/div>\n
    This should give you output resembling the following: <\/p>\n
    \n
    -<\/span> Patch for<\/span> CVE-<\/span>2019<\/span>-<\/span>7524<\/span><\/code><\/pre>\n<\/div>\n
    Mitigation<\/h2>\n
    Dovecot Solr is an opt-in option that can be installed from the Mange Plugins interface of WHM.<\/p>\n
    If you have previously installed this plugin, we recommend uninstalling it from your cPanel & WHM until we have released patched versions.<\/p>\n
    In WHM, navigate to the WHM Plugins interface (WHM >> Home \u00bb cPanel \u00bb Manage Plugins<\/em>) and uninstall Solr.<\/p>\n
    \n    
    \n<\/figure>\n
    Official Upstream Security Report<\/h2>\n
    \n
    https:\/\/<\/span>www.<\/span>dovecot.<\/span>org\/pipermail\/<\/span>dovecot-<\/span>news\/2019-March\/<\/span>000403<\/span>.<\/span>html\nProduct: Dovecot\nVendor: OX Software GmbH\nInternal reference: DOV-<\/span>2964<\/span> (Bug ID)\nVulnerability type: CWE-<\/span>120<\/span>\nVulnerable version: 2.0.14<\/span> -<\/span> 2.3.5<\/span>\nVulnerable component: fts, pop3-<\/span>uidl-<\/span>plugin\nReport confidence: Confirmed\nResearcher credits: Found in internal testing\nSolution status: Fixed by Vendor\nFixed version: 2.3.5.1<\/span>, 2.2.36.3<\/span>\nVendor notification: 2019<\/span>-<\/span>02<\/span>-<\/span>05<\/span>\nSolution date: 2019<\/span>-<\/span>03<\/span>-<\/span>21<\/span>\nPublic disclosure: 2019<\/span>-<\/span>03<\/span>-<\/span>28<\/span>\nCVE reference: CVE-<\/span>2019<\/span>-<\/span>7524<\/span>\nCVSS: 3.0<\/span>\/AV:L\/<\/span>AC:L\/PR:L\/<\/span>UI:N\/S:C\/<\/span>C:H\/I:H\/<\/span>A:H\/E:P\/<\/span>RL:O\/<\/span>RC:C (8.8<\/span>)\n\nVulnerability Details:\nWhen reading FTS or<\/span> POP3-<\/span>UIDL header from dovecot index, the input\nbuffer size is not<\/span> bound, and<\/span> data is copied to target structure causing\nstack overflow.<\/span>\n\nRisk:\nThis can be used for<\/span> local root privilege escalation or<\/span> executing\narbitrary code in dovecot process context.<\/span> This requires ability to\ndirectly modify dovecot indexes.<\/span>\nSteps to reproduce:\nProduce dovecot.<\/span>index.<\/span>log entry that creates an FTS header which has\nmore than 12<\/span> bytes of data.<\/span>\nTrigger dovecot indexer-<\/span>worker or<\/span> run doveadm index.<\/span>\nDovecot will crash.<\/span>\n\nMitigations:\nSince 2.3.0<\/span> dovecot has been compiled with stack smash protection, ASLR,\nread-<\/span>only GOT tables and<\/span> other techniques that make exploiting this bug\nmuch harder.<\/span>\n\nSolution:\nOperators should update to the latest Patch Release.<\/span> The only workaround\nis to disable FTS and<\/span> pop3-<\/span>uidl plugin.<\/span><\/code><\/pre>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"
    Background Information We were made aware of a CVE in Dovecot Versions 2.0.14 – 2.3.5 that involves using Solr on Thursday, March 28th 2019. Releases 70 \u2014 70.0.68 76 \u2014 EOL 78 \u2014 78.0.20 CURRENT \u2014 78.0.20 RELEASE \u2014 78.0.20 STABLE \u2014 78.0.20 Impact According to the vendor, the risk involves a local root privilege …<\/p>\n","protected":false},"author":1,"featured_media":776,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/775"}],"collection":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/comments?post=775"}],"version-history":[{"count":0,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/775\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media\/776"}],"wp:attachment":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media?parent=775"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/categories?post=775"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/tags?post=775"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}