Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#11964 closed enhancement (fixed)

dovecot-2.3.5.2 (CVE-2019-10691)

Reported by: Douglas R. Reno
Owned by: Tim Tassonis
Priority: high
Milestone: 9.0
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

New point-micro version

v2.3.5.2 2019-04-18  Timo Sirainen <tss@iki.fi>

	* CVE-2019-10691: Trying to login with 8bit username containing
	  invalid UTF8 input causes auth process to crash if auth policy is
	  enabled. This could be used rather easily to cause a DoS. Similar
	  crash also happens during mail delivery when using invalid UTF8 in
	  From or Subject header when OX push notification driver is used.

Dear subscribers,

we're sharing our latest advisory with you and would like to thank
everyone who contributed in finding and solving those vulnerabilities.
Feel free to join our bug bounty programs (open-xchange, dovecot,
powerdns) at HackerOne. Please find patch for v2.3.5 attached,
or download new version.

Yours sincerely,
Aki Tuomi
Open-Xchange Oy

Open-Xchange Security Advisory 2019-04-18
Product: Dovecot
Vendor: OX Software GmbH

Internal reference: DOV-3173 (Bug ID)
Vulnerability type: CWE-176
Vulnerable version: 2.3.0 - 2.3.5.1
Vulnerable component: json encoder
Report confidence: Confirmed
Researcher credits: cPanel L.L.C.
Solution status: Fixed by Vendor
Fixed version: 2.3.5.2
Vendor notification: 2019-04-02
Solution date: 2019-04-11
Public disclosure: 2019-04-18
CVE reference: CVE-2019-10691
CVSS: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
 
Vulnerability Details:
The JSON encoder in Dovecot 2.3 incorrectly assert-crashes when encountering
invalid UTF-8 characters. This can be used to crash Dovecot in two ways.
An attacker can repeatedly crash the Dovecot authentication process by logging
in using an invalid UTF-8 sequence in the username. This requires that auth
policy is enabled.
A crash can also occur if the OX push notification driver is enabled and an
email is delivered with an invalid UTF-8 sequence in the From or Subject header.
In 2.2, malformed UTF-8 sequences are forwarded "as-is", and thus do not
cause problems in Dovecot itself. Target systems should be checked for
possible problems in dealing with such sequences.
See https://wiki.dovecot.org/Authentication/Policy for details on auth
policy support.

Risk:
A determined attacker can prevent the authentication process from staying up
by repeatedly attempting to log in with a username containing an invalid
UTF-8 sequence.

Steps to reproduce:
Configure dovecot with auth_policy_server_url and auth_policy_hash_nonce
set.
Attempt to log in with a username containing an invalid UTF-8 sequence.
Observe the assert-crash in the dovecot logs.

Solution:
Operators should update to the latest Patch Release or disable auth
policy support.


0001-lib-json-Escape-invalid-UTF-8-as-unicode-bytes.patch

From 973769d74433de3c56c4ffdf4f343cb35d98e4f7 Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Tue, 2 Apr 2019 13:09:48 +0300
Subject: [PATCH 1/2] lib: json - Escape invalid UTF-8 as unicode bytes

This prevents dovecot from crashing if invalid UTF-8 input
is given.
---
 src/lib/json-parser.c      | 12 ++++++++----
 src/lib/test-json-parser.c |  8 ++++----
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/src/lib/json-parser.c b/src/lib/json-parser.c
index 677091d64..e7846a329 100644
--- a/src/lib/json-parser.c
+++ b/src/lib/json-parser.c
@@ -803,9 +803,13 @@ void json_append_escaped_data(string_t *dest, const unsigned char *src, size_t s
 
 	for (i = 0; i < size;) {
 		bytes = uni_utf8_get_char_n(src+i, size-i, &chr);
-		/* refuse to add invalid data */
-		i_assert(bytes > 0 && uni_is_valid_ucs4(chr));
-		json_append_escaped_ucs4(dest, chr);
-		i += bytes;
+		if (bytes > 0 && uni_is_valid_ucs4(chr)) {
+			json_append_escaped_ucs4(dest, chr);
+			i += bytes;
+		} else {
+			str_append_data(dest, UNICODE_REPLACEMENT_CHAR_UTF8,
+					      UTF8_REPLACEMENT_CHAR_LEN);
+			i++;
+		}
 	}
 }
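Review bot: the `else` branch drops the `/* refuse to add invalid data */` comment along with the assert and leaves nothing explaining the new policy; add a comment stating that each rejected byte becomes U+FFFD and that `i++` deliberately advances one byte at a time, so a single truncated multibyte sequence (bad or missing continuation after a valid lead byte) produces several replacement characters rather than one. That is safe, but the reader of this loop should not have to infer it. Separately, the replacement is appended raw via `str_append_data(dest, UNICODE_REPLACEMENT_CHAR_UTF8, ...)` while every other non-ASCII code point goes through `json_append_escaped_ucs4()` and comes out as `\uXXXX` (the tests below expect `\\u00e4` for `\xC3\xA4`); the output is still valid JSON, but if any consumer relies on this encoder emitting pure-ASCII escaped strings, route the replacement through `json_append_escaped_ucs4()` as well for consistency.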
diff --git a/src/lib/test-json-parser.c b/src/lib/test-json-parser.c
index bae6fb202..9ce1e489b 100644
--- a/src/lib/test-json-parser.c
+++ b/src/lib/test-json-parser.c
@@ -267,20 +267,20 @@ static void test_json_append_escaped(void)
 	string_t *str = t_str_new(32);
 
 	test_begin("json_append_escaped()");
-	json_append_escaped(str, "\b\f\r\n\t\"\\\001\002-\xC3\xA4\xf0\x90\x90\xb7");
-	test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0001\\u0002-\\u00e4\\ud801\\udc37") == 0);
+	json_append_escaped(str, "\b\f\r\n\t\"\\\001\002-\xC3\xA4\xf0\x90\x90\xb7\xff");
+	test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0001\\u0002-\\u00e4\\ud801\\udc37" UNICODE_REPLACEMENT_CHAR_UTF8) == 0);
 	test_end();
 }
 
 static void test_json_append_escaped_data(void)
 {
 	static const unsigned char test_input[] =
-		"\b\f\r\n\t\"\\\000\001\002-\xC3\xA4\xf0\x90\x90\xb7";
+		"\b\f\r\n\t\"\\\000\001\002-\xC3\xA4\xf0\x90\x90\xb7\xff";
 	string_t *str = t_str_new(32);
 
 	test_begin("json_append_escaped()");
 	json_append_escaped_data(str, test_input, sizeof(test_input)-1);
-	test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0000\\u0001\\u0002-\\u00e4\\ud801\\udc37") == 0);
+	test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0000\\u0001\\u0002-\\u00e4\\ud801\\udc37" UNICODE_REPLACEMENT_CHAR_UTF8) == 0);
 	test_end();
 }
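Review bot: the added coverage is a single stray `\xff` at the very end of each input, which only exercises one failure of `uni_utf8_get_char_n()`; add cases for a truncated multibyte sequence at end of input (e.g. `"\xf0\x90"`), an overlong encoding, and an invalid byte in the middle of the string followed by valid text, since those are the inputs an attacker would actually send and they check that the loop resynchronises after `i++`. Also, `test_begin("json_append_escaped()")` inside `test_json_append_escaped_data()` (context line in this hunk) names the wrong test, so a failure here is reported against the other function; change it to `"json_append_escaped_data()"` while touching this block.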

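The encoder behaviour the advisory describes and the patch above changes, as an added example that is not Dovecot's code: a small C re-implementation of the escaping loop with a strict mode (the pre-2.3.5.2 assert, modelled as a failure return so it can be observed rather than aborting) beside the replacing mode of 2.3.5.2. The functions utf8_decode(), json_put_ucs4(), json_escape() and escapes_to() are this example's own names, not Dovecot's API, and the sample username is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Dovecot's code: a minimal JSON string escaper shaped like
 * json_append_escaped_data(). replace_invalid=false models pre-2.3.5.2, where
 * invalid UTF-8 hit i_assert() and killed the auth process (a failure return
 * here); true models 2.3.5.2, which emits U+FFFD per rejected byte and goes on. */

#define REPLACEMENT_UTF8 "\xEF\xBF\xBD"   /* U+FFFD in UTF-8, 3 bytes */
#define MAX_ESCAPE 12                     /* "\ud801\udc37" is the longest output */

/* Decode one UTF-8 sequence. Returns bytes consumed (1..4), or 0 when it is
 * malformed, overlong, truncated, a surrogate, or above U+10FFFF. */
static size_t utf8_decode(const unsigned char *src, size_t len, uint32_t *out)
{
    size_t need;
    uint32_t cp, min;

    if (len == 0) return 0;
    if (src[0] < 0x80) { *out = src[0]; return 1; }
    if ((src[0] & 0xE0) == 0xC0) { need = 1; cp = src[0] & 0x1F; min = 0x80; }
    else if ((src[0] & 0xF0) == 0xE0) { need = 2; cp = src[0] & 0x0F; min = 0x800; }
    else if ((src[0] & 0xF8) == 0xF0) { need = 3; cp = src[0] & 0x07; min = 0x10000; }
    else return 0;                        /* stray continuation byte or 0xF8..0xFF */
    if (len < need + 1) return 0;         /* truncated at end of input */
    for (size_t k = 1; k <= need; k++) {
        if ((src[k] & 0xC0) != 0x80) return 0;
        cp = (cp << 6) | (src[k] & 0x3F);
    }
    if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
        return 0;
    *out = cp;
    return need + 1;
}

/* Write one code point as the patch's test expects: short escapes for common
 * controls, \uXXXX for other controls and all non-ASCII (surrogate pair above
 * U+FFFF), the byte itself otherwise. Returns bytes written. */
static int json_put_ucs4(char *dst, size_t cap, uint32_t cp)
{
    static const char *const esc[128] = {
        ['\b'] = "\\b", ['\f'] = "\\f", ['\r'] = "\\r", ['\n'] = "\\n",
        ['\t'] = "\\t", ['"'] = "\\\"", ['\\'] = "\\\\",
    };
    if (cp < 0x80 && esc[cp] != NULL)
        return snprintf(dst, cap, "%s", esc[cp]);
    if (cp >= 0x20 && cp < 0x80)
        return snprintf(dst, cap, "%c", (int)cp);
    if (cp < 0x10000)
        return snprintf(dst, cap, "\\u%04x", (unsigned)cp);
    cp -= 0x10000;
    return snprintf(dst, cap, "\\u%04x\\u%04x",
                    0xD800 + (unsigned)(cp >> 10), 0xDC00 + (unsigned)(cp & 0x3FF));
}

/* Escape src[0..len) into dst, NUL-terminated. Returns the output length, or
 * -1 if dst is too small or invalid UTF-8 is met with replace_invalid=false. */
static int json_escape(const unsigned char *src, size_t len,
                       char *dst, size_t cap, bool replace_invalid)
{
    size_t i = 0, o = 0;
    uint32_t cp;

    while (i < len) {
        if (o + MAX_ESCAPE + 1 > cap) return -1;
        size_t n = utf8_decode(src + i, len - i, &cp);
        if (n > 0) {
            o += (size_t)json_put_ucs4(dst + o, cap - o, cp);
            i += n;
        } else if (replace_invalid) {
            memcpy(dst + o, REPLACEMENT_UTF8, 3);  /* one U+FFFD per bad byte, like the patch's i++ */
            o += 3;
            i++;
        } else {
            return -1;                    /* the i_assert() CVE-2019-10691 tripped */
        }
    }
    dst[o] = '\0';
    return (int)o;
}

/* Check helper: true when src escapes to expected in the given mode, or, with
 * expected == NULL, when the escaper rejects src. */
static bool escapes_to(const char *src, size_t len, bool replace_invalid,
                       const char *expected)
{
    char buf[128];
    int n = json_escape((const unsigned char *)src, len, buf, sizeof(buf), replace_invalid);
    return expected == NULL ? n < 0 : (n >= 0 && strcmp(buf, expected) == 0);
}

int main(void)
{
    /* Constructed sample: a username with a lone 0xFF byte, the kind of input
     * the advisory says reaches the auth policy request. */
    static const unsigned char user[] = "ad\xff" "min";
    char out[64];

    if (json_escape(user, sizeof(user) - 1, out, sizeof(out), false) < 0)
        puts("strict: invalid UTF-8, the pre-fix encoder would assert-crash here");
    if (json_escape(user, sizeof(user) - 1, out, sizeof(out), true) >= 0)
        printf("lenient: \"%s\"\n", out);
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. Fed the input from the patch's own test, the replacing mode yields exactly the string the new test asserts (with UNICODE_REPLACEMENT_CHAR_UTF8 expanded); a truncated sequence such as `\xf0\x90` at end of input yields two U+FFFD characters because, like the patch, the loop advances a single byte on each rejection.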
Change History (3)

comment:1 by Tim Tassonis, 5 years ago

Owner: changed from blfs-book to Tim Tassonis
Status: new → assigned

comment:2 by Tim Tassonis, 5 years ago

Resolution: fixed
Status: assigned → closed

Fixed in revision 21498.

comment:3 by Bruce Dubbs, 5 years ago

Milestone: 8.5 → 9.0

Milestone renamed
