hackerone / murgi / H1:1204962
History: May 21, 2021 - 11:46 a.m.

Open-Xchange: Command Injection via STARTTLS in SMTP

2021-05-21 11:46:11
murgi
hackerone.com
$350
187

CVSS3: 4.8 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS2: 5.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

During our research into the security of email servers at Münster
University of Applied Sciences, we found a command injection
vulnerability related to STARTTLS in Dovecot. See the attached
advisory for details.

The vulnerability allows a MITM attacker between a mail client and
Dovecot to inject unencrypted commands into the encrypted TLS
context, redirecting user credentials and mails to the attacker. An
attacker needs to have sending permissions on the Dovecot server.

We have also attached a test script (buftest.py) for you to reproduce this
vulnerability yourself. Usage is pretty simple; call:

python3 buftest.py <hostname> --smtp --smtp-port <port>

and watch the output; it should tell you if the server is still
vulnerable. Call the script without parameters for more usage information.
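As an added example (not the report's buftest.py, whose internals are not on this page), a minimal Python checker for the class of bug described above: it pipelines a NOOP behind STARTTLS in one TCP write and reports whether the server answers that plaintext command inside the TLS session, which is exactly the buffering flaw a MITM can abuse. The probe layout, the host name and port 587 are assumptions.

```python
import re
import socket
import ssl

# Probe: STARTTLS and NOOP in one TCP write (assumed layout, not the page's
# buftest.py). A correct server must discard the plaintext NOOP, not answer it.
PROBE = b"STARTTLS\r\nNOOP\r\n"
REPLY_LINE = re.compile(rb"^(\d{3})[ -]")

def reply_codes(raw):
    """Return the 3-digit code of every reply line in raw SMTP server output."""
    return [int(m.group(1)) for m in map(REPLY_LINE.match, raw.split(b"\r\n")) if m]

def classify(plaintext_reply, tls_reply):
    """Verdict from plaintext seen after the probe and TLS data seen before we send."""
    plain = reply_codes(plaintext_reply)
    if not plain or plain[0] != 220:
        return "starttls-refused"
    if len(plain) > 1:
        return "answered-in-plaintext"  # NOOP handled before TLS: a separate bug
    if reply_codes(tls_reply):
        return "vulnerable"             # NOOP answered inside TLS: injection
    return "not-vulnerable"

def drain(sock, timeout=1.0):
    sock.settimeout(timeout)
    data = b""
    try:
        while chunk := sock.recv(4096):
            data += chunk
    except OSError:                        # timeout: nothing more pending
        pass
    return data

def probe(host, port=587):
    """Run the check against a live server; returns classify()'s verdict."""
    with socket.create_connection((host, port), timeout=5.0) as s:
        drain(s)                           # greeting banner
        s.sendall(b"EHLO probe.invalid\r\n")
        drain(s)
        s.sendall(PROBE)
        plain = drain(s)
        if reply_codes(plain)[:1] != [220]:
            return classify(plain, b"")
        ctx = ssl.create_default_context()
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # lab only
        with ctx.wrap_socket(s, server_hostname=host) as tls:
            early = drain(tls)             # anything here was injected
            tls.sendall(b"QUIT\r\n")
            return classify(plain, early)
```

Run `probe("mail.example.invalid")` against your own submission server; "vulnerable" means the NOOP sent in the clear was executed inside the encrypted session, and "answered-in-plaintext" means it was executed before the handshake, which a fixed server should also refuse.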

Impact

A MITM attacker can potentially steal SMTP user credentials and mails.
