CVE 2019 7524 Buffer overflow when reading extension header from Dovecot index files
Last modified: May 13, 2020
On Thursday, March 28th 2019, we were made aware of a CVE in Dovecot versions 2.0.14 - 2.3.5 that involves the use of Solr.
70 — 70.0.68
76 — EOL
78 — 78.0.20
CURRENT — 78.0.20
RELEASE — 78.0.20
STABLE — 78.0.20
According to the vendor, the risk involves a local root privilege escalation or executing arbitrary code in the Dovecot process context.
The following lines in dovecot.conf are affected:
How to determine if your server is up to date
The updated RPMs provided by cPanel will contain a changelog entry with the CVE number. You can check for this changelog entry with the following command:
rpm -q --changelog dovecot | grep CVE-2019-7524
This should give you output resembling the following:
- Patch for CVE-2019-7524
Dovecot Solr is an opt-in option that can be installed from the Manage Plugins interface of WHM.
If you have previously installed this plugin, we recommend uninstalling it from your cPanel & WHM until we have released patched versions.
In WHM, navigate to the WHM Plugins interface (WHM >> Home » cPanel » Manage Plugins) and uninstall Solr.
Official Upstream Security Report
https://www.dovecot.org/pipermail/dovecot-news/2019-March/000403.html
Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-2964 (Bug ID)
Vulnerability type: CWE-120
Vulnerable version: 2.0.14 - 2.3.5
Vulnerable component: fts, pop3-uidl-plugin
Report confidence: Confirmed
Researcher credits: Found in internal testing
Solution status: Fixed by Vendor
Fixed version: 126.96.36.199, 188.8.131.52
Vendor notification: 2019-02-05
Solution date: 2019-03-21
Public disclosure: 2019-03-28
CVE reference: CVE-2019-7524
CVSS: 3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C (8.8)
Vulnerability Details: When reading FTS or POP3-UIDL header from dovecot index, the input buffer size is not bound, and data is copied to target structure causing stack overflow.
Risk: This can be used for local root privilege escalation or executing arbitrary code in dovecot process context. This requires ability to directly modify dovecot indexes.
Steps to reproduce: Produce dovecot.index.log entry that creates an FTS header which has more than 12 bytes of data. Trigger dovecot indexer-worker or run doveadm index. Dovecot will crash.
Mitigations: Since 2.3.0 dovecot has been compiled with stack smash protection, ASLR, read-only GOT tables and other techniques that make exploiting this bug much harder.
Solution: Operators should update to the latest Patch Release. The only workaround is to disable FTS and pop3-uidl plugin.
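To make the reported bug class concrete, here is an added C model of a bounded extension-header reader. It is not Dovecot's code: the 12-byte header struct, the record layout (4-byte little-endian size followed by data) and all function names are assumptions made for illustration; the point is the size check that rejects a record whose declared header size exceeds the fixed-size target structure.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model, not Dovecot's real structures: a fixed-size extension
 * header (12 bytes, as the advisory gives for the FTS header) is read from an
 * index record that carries its own size field. */
#define FTS_HDR_SIZE 12
struct fts_header { uint8_t bytes[FTS_HDR_SIZE]; };

/* Constructed record layout (assumption): 4-byte little-endian data size,
 * followed by that many bytes of header data. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Builds a constructed record declaring `data_size` bytes; 0 if buf is too small. */
size_t build_record(uint8_t *buf, size_t buf_len, uint32_t data_size, uint8_t fill)
{
    if (buf_len < (size_t)4 + data_size) return 0;
    buf[0] = (uint8_t)data_size;         buf[1] = (uint8_t)(data_size >> 8);
    buf[2] = (uint8_t)(data_size >> 16); buf[3] = (uint8_t)(data_size >> 24);
    memset(buf + 4, fill, data_size);
    return (size_t)4 + data_size;
}

/* Bounded reader: 0 on success, -1 when the record is truncated or when the
 * declared header size exceeds the target structure. An unbounded variant that
 * copies `size` bytes straight into the stack-allocated struct is the pattern
 * the advisory describes: a declared size above 12 bytes overruns the struct. */
int read_fts_header(const uint8_t *rec, size_t rec_len, struct fts_header *out)
{
    if (rec_len < 4) return -1;
    uint32_t size = rd_le32(rec);
    if (size > rec_len - 4) return -1;     /* data must lie inside the record */
    if (size > sizeof(*out)) return -1;    /* the bound the unpatched code lacked */
    memset(out, 0, sizeof(*out));
    memcpy(out->bytes, rec + 4, size);
    return 0;
}

/* Self-check helper: build a record of `data_size` bytes and read it back. */
int try_header_size(uint32_t data_size)
{
    uint8_t rec[64];
    struct fts_header hdr;
    size_t n = build_record(rec, sizeof rec, data_size, 0x41);
    if (n == 0) return -1;
    return read_fts_header(rec, n, &hdr);
}
```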