CLD-249 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-15132 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) dovecot
Deficiency Type SECURITY
Date Created 2018-01-25 15:49:38
Date Last Modified 2018-01-25 19:01:34

Version Specific Information:

Cucumber 1.0 i686 fixed in dovecot-2.2.33.2-i686-3
Cucumber 1.0 x86_64 fixed in dovecot-2.2.33.2-x86_64-3

Cucumber 1.1 i686 fixed in dovecot-2.2.33.2-i686-3
Cucumber 1.1 x86_64 fixed in dovecot-2.2.33.2-x86_64-3

Details:

=================================== Overview ===================================

A flaw was found in Dovecot 2.0 up to 2.2.33 and 2.3.0. An aborted SASL
authentication results in a memory leak in Dovecot's auth client, which is used
by the login processes. The leak matters in high-performance configurations
where the same login processes are reused, and it can cause the process to crash
due to memory exhaustion.

================================ Initial Report ================================

From oss-security@lists.openwall.com:

Score: 5.3, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected versions: 2.0 up to 2.2.33 and 2.3.0
Fixed versions: 2.2.34 (not released yet), 2.3.1 (not released yet)

We have identified a memory leak in the Dovecot auth client used by login
processes. The leak has impact in high performance configurations where the
same login processes are reused and can cause the process to crash due to
memory exhaustion.

The patch to fix this issue can be found at
https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch

To our best knowledge, this patch should apply to all versions.

This issue can be mitigated on vulnerable systems by limiting login processes to
a single request per process, which is also the default value.

Regards,
Aki Tuomi
Dovecot oy

================================= Our Analysis =================================

----- Affected Products -----
Dovecot 2.0 up to and including 2.2.33, and 2.3.0, without the patch from
https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch
applied are vulnerable to this. This includes dovecot as originally packaged in
Cucumber Linux 1.0 and 1.1.

----- Scope and Impact of this Vulnerability -----
This vulnerability can be used to cause a denial of service in certain high
performance configurations. It should be noted that the default configuration
is not affected; only systems that have been explicitly configured to reuse
the login processes are vulnerable.
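A quick way to tell whether a host is in the reused-login-process configuration described above, as an added example that is not part of this advisory or of Dovecot: the script reads `doveconf -n` style output and flags every login service whose `service_count` is not 1 (in Dovecot, 1 means one connection per login process, 0 means unlimited reuse). The sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not from the Cucumber Linux advisory or the Dovecot project).
# Dovecot's service_count controls how many connections a service process
# handles before exiting: 1 (the default for login services) means no reuse,
# 0 means unlimited reuse, N>1 means N connections. Only reused login
# processes accumulate the leak behind CVE-2017-15132.

# Constructed sample of `doveconf -n` output. On a real host, pipe the
# command's output in instead:  doveconf -n | check_login_reuse
SAMPLE_CONF='service imap-login {
  service_count = 0
  process_min_avail = 4
}
service pop3-login {
  service_count = 1
}
service managesieve-login {
  service_count = 100
}
service auth {
  service_count = 0
}'

# Reads doveconf -n text on stdin. Prints one line per *-login service whose
# service_count differs from 1 and exits 1 if any such service was found.
# Non-login services (e.g. "auth") are ignored: they are not the leaking side.
check_login_reuse() {
    awk '
        /^service [a-z0-9-]+-login [{]$/ { svc = $2; count = "1"; next }  # default 1
        svc != "" && /^[ \t]*service_count[ \t]*=/ { count = $3; next }
        svc != "" && /^[}]/ {
            if (count != "1") {
                printf "%s: service_count = %s (process reuse; leak can accumulate)\n", svc, count
                bad = 1
            }
            svc = ""
        }
        END { exit bad ? 1 : 0 }
    '
}

if printf '%s\n' "$SAMPLE_CONF" | check_login_reuse; then
    echo "no login service reuses processes (default service_count = 1)"
else
    echo "login process reuse found; apply the fix or set service_count = 1"
fi
```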

----- Fix for this Vulnerability -----
This vulnerability has been fixed in dovecot versions 2.2.34 and 2.3.1 (as of
Thu Jan 25 16:29:32 EST 2018 these have not been released yet). It can also be
fixed by applying the patch from
https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch.

================================= Our Solution =================================

We have applied the aforementioned patch and rebuilt.