Bug 2305909 (CVE-2024-23184)

Summary: CVE-2024-23184 dovecot: using a large number of address headers may trigger a denial of service
Product: [Other] Security Response Reporter: Robb Gatica <rgatica>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: akborder, redhat
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Dovecot. Processing a large number of address headers (From, To, Cc, Bcc, etc) can be excessively CPU intensive. This flaw allows a remote attacker to trigger a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2305911    
Bug Blocks:    

Description Robb Gatica 2024-08-19 20:45:39 UTC 
Vulnerability Details:
Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue.

The main problem is that each header line's address is added to the end of a linked list. This is done by walking the whole linked list, which becomes more inefficient the more addresses there are.

Workaround:
One can implement restrictions on address headers on MTA component preceding Dovecot.

Fix:
Install non-vulnerable version of Dovecot. Patch can be found at https://github.com/dovecot/core/compare/8e4c42d%5E...1481c04.patch
Comment 1 errata-xmlrpc 2024-09-09 01:29:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:6465 https://access.redhat.com/errata/RHSA-2024:6465
Comment 2 errata-xmlrpc 2024-09-10 11:38:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:6529 https://access.redhat.com/errata/RHSA-2024:6529
Comment 3 errata-xmlrpc 2024-09-24 02:48:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6973 https://access.redhat.com/errata/RHSA-2024:6973