CVE 2019 7524 Buffer overflow when reading extension header from Dovecot index files


Last modified: August 20, 2019

Background Information

We were made aware of a CVE in Dovecot Versions 2.0.14 - 2.3.5 that involves using Solr on Thursday, March 28th 2019.

Releases

  • 70 — 70.0.68

  • 76 — EOL

  • 78 — 78.0.20

  • CURRENT — 78.0.20

  • RELEASE — 78.0.20

  • STABLE — 78.0.20

Impact

According to the vendor, the risk involves a local root privilege escalation or executing arbitrary code in Dovecot process context.

The following lines in dovecot.conf are affected:

1
2
dovecot.conf: mail_plugins = quota quota_clone zlib fts fts_solr
dovecot.conf: mail_plugins = $mail_plugins zlib imap_zlib quota_clone virtual  fts fts_solr

How to determine if your server is up to date

The updated RPMs provided by cPanel will contain a changelog entry with the CVE number. You can check for this changelog entry with the following command:

rpm -q --changelog dovecot | grep CVE-2019-7524

This should give you output resembling the following:

- Patch for CVE-2019-7524

Mitigation

Dovecot Solr is an opt-in option that can be installed from the Mange Plugins interface of WHM.

If you have previously installed this plugin, we recommend uninstalling it from your cPanel & WHM until we have released patched versions.

In WHM, navigate to the WHM Plugins interface (WHM >> Home » cPanel » Manage Plugins) and uninstall Solr.

Official Upstream Security Report

https://www.dovecot.org/pipermail/dovecot-news/2019-March/000403.html
Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-2964 (Bug ID)
Vulnerability type: CWE-120
Vulnerable version: 2.0.14 - 2.3.5
Vulnerable component: fts, pop3-uidl-plugin
Report confidence: Confirmed
Researcher credits: Found in internal testing
Solution status: Fixed by Vendor
Fixed version: 2.3.5.1, 2.2.36.3
Vendor notification: 2019-02-05
Solution date: 2019-03-21
Public disclosure: 2019-03-28
CVE reference: CVE-2019-7524
CVSS: 3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C (8.8)

Vulnerability Details:
When reading FTS or POP3-UIDL header from dovecot index, the input
buffer size is not bound, and data is copied to target structure causing
stack overflow.

Risk:
This can be used for local root privilege escalation or executing
arbitrary code in dovecot process context. This requires ability to
directly modify dovecot indexes.
Steps to reproduce:
Produce dovecot.index.log entry that creates an FTS header which has
more than 12 bytes of data.
Trigger dovecot indexer-worker or run doveadm index.
Dovecot will crash.

Mitigations:
Since 2.3.0 dovecot has been compiled with stack smash protection, ASLR,
read-only GOT tables and other techniques that make exploiting this bug
much harder.

Solution:
Operators should update to the latest Patch Release. The only workaround
is to disable FTS and pop3-uidl plugin.

Additional Documentation