Sign-up

ID

VAR-201803-1087


CVE

CVE-2017-15130


TITLE

dovecot Resource management vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-012758

DESCRIPTION

A denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and the process to restart. dovecot Contains a resource management vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Dovecot is an open source IMAP and POP3 mail server based on Linux/UNIX-like systems. ========================================================================== Ubuntu Security Notice USN-3587-2 April 02, 2018 dovecot vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 12.04 ESM Summary: Several security issues were fixed in Dovecot. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that Dovecot incorrectly handled parsing certain email addresses. (CVE-2017-14461) It was discovered that Dovecot incorrectly handled TLS SNI config lookups. A remote attacker could possibly use this issue to cause Dovecot to crash, resulting in a denial of service. (CVE-2017-15130) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 12.04 ESM: dovecot-core 1:2.0.19-0ubuntu2.5 In general, a standard system update will make all the necessary changes. References: https://usn.ubuntu.com/usn/usn-3587-2 https://usn.ubuntu.com/usn/usn-3587-1 CVE-2017-14461, CVE-2017-15130 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4130-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso March 02, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : dovecot CVE ID : CVE-2017-14461 CVE-2017-15130 CVE-2017-15132 Debian Bug : 888432 891819 891820 Several vulnerabilities have been discovered in the Dovecot email server. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2017-14461 Aleksandar Nikolic of Cisco Talos and 'flxflndy' discovered that Dovecot does not properly parse invalid email addresses, which may cause a crash or leak memory contents to an attacker. Only Dovecot configurations containing local_name { } or local { } configuration blocks are affected. CVE-2017-15132 It was discovered that Dovecot contains a memory leak flaw in the login process on aborted SASL authentication. For the oldstable distribution (jessie), these problems have been fixed in version 1:2.2.13-12~deb8u4. For the stable distribution (stretch), these problems have been fixed in version 1:2.2.27-3+deb9u2. We recommend that you upgrade your dovecot packages. For the detailed security status of dovecot please refer to its security tracker page at: https://security-tracker.debian.org/tracker/dovecot Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlqZzelfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0T8fg/+KmUzgEXDQFSnWOmSt+8GXFB08C2XtXmopMuej/1tjkZZ7B04vXfkgYZ9 u7zICbM56VrTmnXOYnLuXjqLrzGO0Y9jX+Z5G4BSw0TgP+g6ME72ZvqxuE4IKQqi QlaKTX86B1AMpzvkLrhwXlArJDr7pJzOonFJds6rKtVA4OvY4/fAAWrH89BFchet VwdO5rngcd/qnAYVOZglTMfgVlzxvenx+0fbQ6JFS6T8ODOFSsnwth64u3KY8yYj 4PGTBqX4m+2S2q2qGinueBgHNUV4RK71Zw1QYDa2gMBQR3HtlMnDhmQ4uYCvKP04 Z1GJYX6dMxMSWPKC2WecrdCSV+QAdMlYypKbhqcLA4LHcdPR+v35oQT4X/SYd2WS Zf50KMYUm9Q3YiOHVDrJo+o21hX4g8hRw1wdewZz+wyQ1n1TOlVtRh4vmACKRzNx 7bUayEvVU3q3VQd+dDH2Bl+TBiO7RB5/b2pHp8vHwAlVX00jYSSnoLUKT0L4BQ54 +1DZ8j88OFKDxTgOsbk19rhfraY7iejAjHZDVnJBwC/tB9REG6DOrDIG4OJqTKw4 sP1JaHryOGXzOf/8h61rY5HAuwofGkAZN7S+Bel0+zGYJvIcSyxpBKvJB/0TDNjm E5KphLFG9RGVmdeVkQzG6tGUMnMXxFrAD5U3hlzUsNGLLA+RE78= =Yh09 -----END PGP SIGNATURE-----

Trust: 2.43

sources: NVD: CVE-2017-15130 // JVNDB: JVNDB-2017-012758 // CNVD: CNVD-2018-05070 // PACKETSTORM: 147005 // PACKETSTORM: 146647 // PACKETSTORM: 146656

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-05070

AFFECTED PRODUCTS

vendor:dovecotmodel:dovecotscope:ltversion:2.2.34

Trust: 1.6

vendor:canonicalmodel:ubuntu linuxscope:eqversion:17.10

Trust: 1.6

vendor:debianmodel:linuxscope:eqversion:8.0

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:14.04

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:16.04

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:9.0

Trust: 1.0

vendor:canonicalmodel:ubuntuscope: - version: -

Trust: 0.8

vendor:debianmodel:gnu/linuxscope: - version: -

Trust: 0.8

vendor:timo sirainenmodel:dovecotscope:ltversion:2.2.34

Trust: 0.8

sources: CNVD: CNVD-2018-05070 // JVNDB: JVNDB-2017-012758 // CNNVD: CNNVD-201803-092 // NVD: CVE-2017-15130

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-15130
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-15130
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2018-05070
value: LOW

Trust: 0.6

CNNVD: CNNVD-201803-092
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2017-15130
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-05070
severity: LOW
baseScore: 2.6
vectorString: AV:N/AC:H/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2017-15130
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-05070 // JVNDB: JVNDB-2017-012758 // CNNVD: CNNVD-201803-092 // NVD: CVE-2017-15130

PROBLEMTYPE DATA

problemtype:CWE-400

Trust: 1.0

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-399

Trust: 0.8

sources: JVNDB: JVNDB-2017-012758 // NVD: CVE-2017-15130

THREAT TYPE

remote

Trust: 0.8

sources: PACKETSTORM: 147005 // PACKETSTORM: 146647 // CNNVD: CNNVD-201803-092

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201803-092

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-012758

PATCH
title:[SECURITY] [DLA 1333-1] dovecot security updateurl:https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html
Trust: 0.8
title:DSA-4130url:https://www.debian.org/security/2018/dsa-4130
Trust: 0.8
title:[Dovecot-news] v2.2.34 releasedurl:https://www.dovecot.org/list/dovecot-news/2018-February/000370.html
Trust: 0.8
title:USN-3587-1url:https://usn.ubuntu.com/3587-1/
Trust: 0.8
title:USN-3587-2url:https://usn.ubuntu.com/3587-2/
Trust: 0.8
title:Patch for dovecot denial of service vulnerability (CNVD-2018-05070)url:https://www.cnvd.org.cn/patchInfo/show/121071
Trust: 0.6
title:Dovecot Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=78880
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2018-05070 // 
            
            
            
            JVNDB: JVNDB-2017-012758 // 
            
            
            
            CNNVD: CNNVD-201803-092

EXTERNAL IDS
db:NVDid:CVE-2017-15130
Trust: 3.3
db:JVNDBid:JVNDB-2017-012758
Trust: 0.8
db:CNVDid:CNVD-2018-05070
Trust: 0.6
db:CNNVDid:CNNVD-201803-092
Trust: 0.6
db:PACKETSTORMid:147005
Trust: 0.1
db:PACKETSTORMid:146647
Trust: 0.1
db:PACKETSTORMid:146656
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2018-05070 // 
            
            
            
            JVNDB: JVNDB-2017-012758 // 
            
            
            
            PACKETSTORM: 147005 // 
            
            
            
            PACKETSTORM: 146647 // 
            
            
            
            PACKETSTORM: 146656 // 
            
            
            
            CNNVD: CNNVD-201803-092 // 
            
            
            
            NVD: CVE-2017-15130

REFERENCES
url:https://nvd.nist.gov/vuln/detail/cve-2017-15130
Trust: 1.7
url:https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html
Trust: 1.6
url:https://usn.ubuntu.com/3587-2/
Trust: 1.6
url:https://www.debian.org/security/2018/dsa-4130
Trust: 1.6
url:https://usn.ubuntu.com/3587-1/
Trust: 1.6
url:http://seclists.org/oss-sec/2018/q1/205
Trust: 1.6
url:https://www.dovecot.org/list/dovecot-news/2018-february/000370.html
Trust: 1.6
url:https://bugzilla.redhat.com/show_bug.cgi?id=1532356
Trust: 1.6
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-15130
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-14461
Trust: 0.3
url:https://usn.ubuntu.com/usn/usn-3587-1
Trust: 0.2
url:https://usn.ubuntu.com/usn/usn-3587-2
Trust: 0.1
url:https://launchpad.net/ubuntu/+source/dovecot/1:2.2.9-1ubuntu2.4
Trust: 0.1
url:https://launchpad.net/ubuntu/+source/dovecot/1:2.2.22-1ubuntu2.7
Trust: 0.1
url:https://launchpad.net/ubuntu/+source/dovecot/1:2.2.27-3ubuntu1.3
Trust: 0.1
url:https://www.debian.org/security/faq
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-15132
Trust: 0.1
url:https://www.debian.org/security/
Trust: 0.1
url:https://security-tracker.debian.org/tracker/dovecot
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2018-05070 // 
            
            
            
            JVNDB: JVNDB-2017-012758 // 
            
            
            
            PACKETSTORM: 147005 // 
            
            
            
            PACKETSTORM: 146647 // 
            
            
            
            PACKETSTORM: 146656 // 
            
            
            
            CNNVD: CNNVD-201803-092 // 
            
            
            
            NVD: CVE-2017-15130

CREDITS
Ubuntu
Trust: 0.2
sources:
            
            
            PACKETSTORM: 147005 // 
            
            
            
            PACKETSTORM: 146647

SOURCES
db:CNVDid:CNVD-2018-05070
db:JVNDBid:JVNDB-2017-012758
db:PACKETSTORMid:147005
db:PACKETSTORMid:146647
db:PACKETSTORMid:146656
db:CNNVDid:CNNVD-201803-092
db:NVDid:CVE-2017-15130

LAST UPDATE DATE
2024-08-14T13:46:13.338000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2018-05070date:2018-03-13T00:00:00
db:JVNDBid:JVNDB-2017-012758date:2018-04-13T00:00:00
db:CNNVDid:CNNVD-201803-092date:2019-10-23T00:00:00
db:NVDid:CVE-2017-15130date:2019-10-03T00:03:26.223

SOURCES RELEASE DATE
db:CNVDid:CNVD-2018-05070date:2018-03-13T00:00:00
db:JVNDBid:JVNDB-2017-012758date:2018-04-13T00:00:00
db:PACKETSTORMid:147005date:2018-04-02T16:54:55
db:PACKETSTORMid:146647date:2018-03-05T22:23:00
db:PACKETSTORMid:146656date:2018-03-05T23:45:22
db:CNNVDid:CNNVD-201803-092date:2018-03-07T00:00:00
db:NVDid:CVE-2017-15130date:2018-03-02T15:29:00.273