Bug 1912455 (CVE-2020-24386)

Summary: CVE-2020-24386 dovecot: IMAP hibernation function allows mail access
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anon.amish, bennie.joubert, djez, janfrode, mhlavink, tcullum
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: dovecot 2.3.13 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-18 20:38:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1912456, 1913534, 1913535    
Bug Blocks: 1912462    

Description Pedro Sampaio 2021-01-04 14:36:44 UTC 
A flaw was found in dovecot before version 2.3.13. When imap hibernation is active, an attacker can cause Dovecot to discover file system directory structure and access other users' emails using specially crafted command. The attacker must have valid credentials to access the mail server.

References:

https://www.openwall.com/lists/oss-security/2021/01/04/4
https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html
Comment 1 Pedro Sampaio 2021-01-04 14:37:16 UTC 
Created dovecot tracking bugs for this issue:

Affects: fedora-all [bug 1912456]
Comment 3 Todd Cullum 2021-01-08 00:39:30 UTC 
Mitigation:

To mitigate this flaw, ensure that imap_hibernate_timeout is set to 0 or not set at all/commented out in both /etc/dovecot/dovecot.conf or /etc/dovecot/conf.d/20-imap.conf.
Comment 4 Todd Cullum 2021-01-08 00:47:33 UTC 
Upstream commit: https://github.com/dovecot/core/commit/62061e8cf68f506c0ccaaba21fd4174764ca875f
Comment 5 Todd Cullum 2021-01-08 01:16:02 UTC 
External References:

https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html
Comment 9 errata-xmlrpc 2021-05-18 15:51:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1887 https://access.redhat.com/errata/RHSA-2021:1887
Comment 10 Product Security DevOps Team 2021-05-18 20:38:01 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-24386