Description
Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause an outage. One can implement restrictions on address headers on the MTA component preceding Dovecot. No publicly available exploits are known.
A flaw was found in Dovecot. Processing a large number of address headers (From, To, Cc, Bcc, etc) can be excessively CPU intensive. This flaw allows a remote attacker to trigger a denial of service.
Report
This issue is classified as moderate severity rather than important because, while it can result in significant performance degradation (e.g., high CPU usage and delays in processing emails with an excessive number of address headers), it does not directly compromise the confidentiality, integrity, or availability of the system in a critical way. The vulnerability primarily affects resource consumption (CPU time), which can lead to a potential denial-of-service (DoS) scenario, but only under specific conditions that require a large volume of headers to be processed. Moreover, the issue can be mitigated by setting limits on the number of address headers in the MTA, reducing the likelihood of exploitation.
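The address-header limit mentioned above can be enforced with a check that runs before a message reaches Dovecot. The following is an added example, not code from Dovecot, Red Hat or any MTA; the limit value, the header names beyond From, To, Cc and Bcc, and the function names are assumptions. It scans only the header block, counts folded continuation lines as header lines, and stops reading as soon as the limit is passed, so the check itself stays cheap.

```python
import io

# From, To, Cc and Bcc are named in the advisory; the remaining RFC 5322
# address fields are an assumption about what a site would also want to cap.
ADDRESS_HEADERS = {b"from", b"to", b"cc", b"bcc", b"sender", b"reply-to",
                   b"resent-from", b"resent-to", b"resent-cc", b"resent-bcc"}

MAX_ADDRESS_HEADER_LINES = 1000  # assumed site policy, not a value from the advisory


def count_address_header_lines(stream, limit=MAX_ADDRESS_HEADER_LINES):
    """Return (lines_seen, exceeded) for the header block of a raw message.

    `stream` is a binary file-like object. Reading stops at the blank line
    that ends the headers, or as soon as the count passes `limit`.
    """
    count = 0
    in_address_header = False
    for raw in stream:
        line = raw.rstrip(b"\r\n")
        if not line:                        # blank line: end of header block
            break
        if line[:1] in (b" ", b"\t"):       # folded continuation of previous field
            if in_address_header:
                count += 1
        else:
            name, sep, _ = line.partition(b":")
            in_address_header = bool(sep) and name.strip().lower() in ADDRESS_HEADERS
            if in_address_header:
                count += 1
        if count > limit:                   # bail out early, do not read the rest
            return count, True
    return count, False


def build_sample(n_to):
    """Constructed sample message: one From, n_to To fields, one folded Cc."""
    lines = [b"From: a@example.com\r\n", b"Subject: test\r\n"]
    lines += [b"To: user%d@example.com\r\n" % i for i in range(n_to)]
    lines += [b"Cc: x@example.com,\r\n", b"\ty@example.com\r\n",
              b"\r\n", b"To: this line is body text, not a header\r\n"]
    return io.BytesIO(b"".join(lines))


if __name__ == "__main__":
    print(count_address_header_lines(build_sample(5)))           # within limit
    print(count_address_header_lines(build_sample(5), limit=3))  # rejected early
```

A message for which `exceeded` is true would be rejected or quarantined by the filter in front of Dovecot rather than delivered.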
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
Platform | Package | State | Advisory | Release
---|---|---|---|---
Red Hat Enterprise Linux 10 | dovecot | Not affected | |
Red Hat Enterprise Linux 6 | dovecot | Out of support scope | |
Red Hat Enterprise Linux 7 | dovecot | Out of support scope | |
Red Hat Enterprise Linux 8 | dovecot | Fixed | RHSA-2024:6973 | 24.09.2024
Red Hat Enterprise Linux 9 | dovecot | Fixed | RHSA-2024:6529 | 10.09.2024
Red Hat Enterprise Linux 9.2 Extended Update Support | dovecot | Fixed | RHSA-2024:6465 | 09.09.2024
Additional information
CVSS3: 6.5 Medium
Related vulnerabilities
A vulnerability in the Dovecot mail server related to unrestricted resource allocation, allowing an attacker to cause a denial of service