Lucene search

K
hackeroneMurgiH1:1204962
HistoryMay 21, 2021 - 11:46 a.m.

Open-Xchange: Command Injection via STARTTLS in SMTP

2021-05-2111:46:11
murgi
hackerone.com
$350
189

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.004 Low

EPSS

Percentile

72.3%

During our research into the security of email servers at Münster
University of Applied Sciences, we found a command injection
vulnerability related to STARTTLS in Dovecot. See the attached
advisory for details.

The vulnerability allows a MITM attacker between a mail client and
Dovecot to inject unencrypted commands into the encrypted TLS
context, redirecting user credentials and mails to the attacker. An
attacker needs to have sending permissions on the Dovecot server.

We have also attached a test script (buftest.py) for you to reproduce this
vulnerability yourself. Usage is pretty simple, call:

python3 buftest.py <hostname> --smtp --smtp-port <port>

and watch the output, it should tell you if the server is still
vulnerable. Call the script without parameters for more usage information.

Impact

A MITM attacker can potentially steal SMTP user credentials and mails.

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.004 Low

EPSS

Percentile

72.3%