CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
In function rpa_read_buffer, the bounds check in

    if (p > end)
        return 0;
    len = *p++;

is not strict enough: when p == end the check passes and *p++ reads one byte past the end of the buffer. It should be

    if (p >= end)
        return 0;
    len = *p++;

The fix from https://github.com/dovecot/core/commit/69ad3c902ea4bbf9f21ab1857d8923f975dc6145 is not enough.
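To make the off-by-one concrete, here is an added example that is not Dovecot's mech-rpa.c: a minimal length-prefixed field reader (assumed layout: one length byte followed by that many payload bytes) that can be built with either the lax `p > end` check or the corrected `p >= end` check. A constructed message is stored with a canary byte just past its logical end; with the lax check, the third read sees p == end, slips through, and fetches the canary as a length byte, which is exactly the one-byte overread ASAN reports. The names read_field, parse_fields and SAMPLE are this example's own.

```c
#include <stddef.h>
#include <stdio.h>

#define CANARY 0xAA  /* constructed byte placed just past the logical end */

/* Minimal model of a length-prefixed field reader: one length byte, then
 * `len` payload bytes.  Assumed layout for illustration, not Dovecot's code.
 * On success it advances *pp and returns len; it returns -1 when no length
 * byte is available and -2 when the payload would not fit.  *seen receives
 * the length byte that was actually read, so a caller can tell whether the
 * read went past `end`. */
static int read_field(const unsigned char **pp, const unsigned char *end,
                      int strict, unsigned char *seen)
{
    const unsigned char *p = *pp;
    int len;

    if (strict) {
        if (p >= end)   /* fixed check: nothing left to read when p == end */
            return -1;
    } else {
        if (p > end)    /* off by one: p == end slips through */
            return -1;
    }
    len = *p++;         /* with the lax check and p == end this is the overread */
    *seen = (unsigned char)len;
    if (len > end - p)  /* payload must fit in the remaining bytes */
        return -2;
    *pp = p + len;
    return len;
}

/* Parse up to `nfields` consecutive fields from a message whose logical end
 * is buf + n.  buf[n] must hold CANARY.  Returns the number of fields parsed
 * and sets *overread when the reader consumed buf[n] as a length byte. */
static int parse_fields(const unsigned char *buf, size_t n, int nfields,
                        int strict, int *overread)
{
    const unsigned char *p = buf, *end = buf + n;
    unsigned char seen = 0;
    int i;

    *overread = 0;
    for (i = 0; i < nfields; i++) {
        int at_end = (p == end);
        int r = read_field(&p, end, strict, &seen);
        if (r < 0) {
            /* Failure while p == end with the canary as the length byte means
             * the reader fetched buf[n], one past the input. */
            *overread = at_end && r == -2 && seen == CANARY;
            return i;
        }
    }
    return i;
}

/* Constructed sample: two valid fields ("AB" and "C") followed by the canary.
 * SAMPLE_LEN is the logical length; SAMPLE[5] is outside the message. */
static const unsigned char SAMPLE[] = { 0x02, 'A', 'B', 0x01, 'C', CANARY };
#define SAMPLE_LEN 5

/* Try to read three fields from a message that only holds two. */
static int sample_overread(int strict)
{
    int ov;
    (void)parse_fields(SAMPLE, SAMPLE_LEN, 3, strict, &ov);
    return ov;            /* 1 with the lax check, 0 with the strict one */
}

static int sample_fields(int strict)
{
    int ov;
    return parse_fields(SAMPLE, SAMPLE_LEN, 3, strict, &ov);  /* 2 either way */
}

int main(void)
{
    printf("lax check:    fields=%d overread=%d\n", sample_fields(0), sample_overread(0));
    printf("strict check: fields=%d overread=%d\n", sample_fields(1), sample_overread(1));
    return 0;
}
```

Both variants parse the same two fields; the difference is only in what happens on the third read, when the cursor sits exactly at the end. The lax check reads the byte after the buffer before the payload-size check can reject it, which is why fixing the later check alone is not sufficient and the comparison itself has to be `>=`.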
The ASAN stack trace is:
=================================================================
==27414==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000006be at pc 0x00010fd2dd33 bp 0x7ffedff66f00 sp 0x7ffedff66ef8
READ of size 1 at 0x6040000006be thread T0
#0 0x10fd2dd32 in rpa_read_buffer mech-rpa.c:226
#1 0x10fd2d757 in rpa_parse_token3 mech-rpa.c:283
#2 0x10fd2c44b in mech_rpa_auth_phase2 mech-rpa.c:504
#3 0x10fc99d79 in LLVMFuzzerTestOneInput fuzz-auth-server.c:169
Steps to reproduce:
(echo 'AUTH RPA'; echo -ne
'`\x11\x06\x09`\x86H\x01\x86\xf8s\x01\x01\x01\x00\x04\x00\x00\x01';
echo -ne '`\x11\x06\x09`\x86H\x01\x86\xf8s\x01\x01\x00\x04A@A\x00') | nc 127.0.0.1 110
This overread could cause a crash, but as an off by one, it is difficult