Question Dovecot CVE-2020-12100

[Moe]

Hello Plesk,

Dovecot CVE-2020-12100: Do you already prepare an update to dovecot v2.3.13? >> [Dovecot-news] Dovecot v2.3.13 released

thanks

 

[Bitpalast]

The two or three bugs fixed with that update only cause issues under specific circumstances which are not in place in a standard installation and usage.

 

[Moe]

Affected product: Dovecot IMAP server
Internal reference: DOP-1849 (Bug ID)
Vulnerability type: Uncontrolled recursion (CWE-674)
Vulnerable version: 2.0
Vulnerable component: submission, lmtp, lda
Fixed version: 2.3.11.3
Report confidence: Confirmed
Solution status: Fix available
Vendor notification: 2020-04-23
CVE reference: CVE-2020-12100
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Receiving mail with deeply nested MIME parts leads to resource
exhaustion as Dovecot attempts to
parse it.

Risk:
Malicious actor can cause denial of service to mail delivery by
repeatedly sending mails with bad
content.

Workaround:
Limit MIME structures in MTA.

Solution:
Upgrade to fixed version.

 

[Bitpalast]

While that is true, actually the MTA (your smtp server) should already protect you from such mails.

 

[Tozz]

While that is true, actually the MTA (your smtp server) should already protect you from such mails.

Can you elaborate on that? Why should the MTA, eg Postfix, do anything with nested MIME parts?

 

[Bitpalast]

All mail is processed through your local MTA. As far as I have read, Postfix limits the number of MIME parts to 100 by default. This can be controlled by the MIME nesting parameter as described in

Postfix Configuration Parameters

So it should not be possible to get a mail processed that has more than a hundred in the first place. I'll be rejected before it is processed by Dovecot.