Open-Xchange OX Dovecot Uncontrolled Resource Consumption Vulnerability via NOOP Command
Vulnerability
A denial-of-service vulnerability has been identified in Open-Xchange Dovecot Pro and Community Edition versions 2.3.0, 3.0.2, 3.1.0, and 2.4.0. The issue arises when the NOOP command is sent with approximately 4000 parentheses, leading to an excessive memory allocation of around 1MB per connection. This additional memory usage can persist if the command is not terminated with a line feed, allowing an attacker to create multiple connections and potentially exhaust the server's memory resources. Such exploitation could disrupt the Dovecot process and its proxied connections, causing a denial-of-service condition.
Impact
Exploitation of this vulnerability can cause excessive memory usage, leading to a denial-of-service condition in which the Dovecot process is terminated and its proxied connections are disrupted.
Reproduction
To reproduce this vulnerability, send a NOOP command with 4000 parentheses to an affected Dovecot server. The server will allocate approximately 1MB of memory per connection. Longer commands can cause the client to be disconnected. If the command is not sent with a terminating line feed, the memory allocation can persist for a longer period.
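The pattern described above (a NOOP command carrying thousands of parentheses, or an oversized command that never receives its line feed) is easy to recognise on the wire. The following is an added example, not Dovecot code or code from the advisory: a per-connection monitor that a proxy or network sensor could run over raw IMAP client input, with constructed sample lines. The thresholds PAREN_THRESHOLD and PENDING_LIMIT are assumptions, set below the roughly 4000 parentheses the advisory cites so the pattern is caught early.

```python
"""Per-connection detector for the Dovecot NOOP/parenthesis pattern (added example)."""
import re
from typing import List, Optional

PAREN_THRESHOLD = 1000      # assumed: parentheses on one NOOP line treated as abusive
PENDING_LIMIT = 8192        # assumed: bytes of unterminated command we tolerate

# IMAP command line: <tag> <command> [arguments]
IMAP_LINE = re.compile(rb"^(?P<tag>\S+)[ \t]+(?P<cmd>[A-Za-z]+)(?P<rest>.*)$")


def check_line(line: bytes) -> Optional[str]:
    """Return an alert string for an abusive NOOP line, else None.

    NOOP takes no arguments, so parentheses after it never belong to normal traffic.
    """
    m = IMAP_LINE.match(line)
    if not m or m.group("cmd").upper() != b"NOOP":
        return None
    rest = m.group("rest")
    parens = rest.count(b"(") + rest.count(b")")
    if parens >= PAREN_THRESHOLD:
        tag = m.group("tag").decode(errors="replace")
        return f"NOOP with {parens} parentheses (tag {tag})"
    return None


class ImapConnectionMonitor:
    """Tracks one client connection's input, including bytes not yet terminated by LF."""

    def __init__(self) -> None:
        self.pending = b""

    def feed(self, data: bytes) -> List[str]:
        """Consume a chunk of client data and return any alerts it produced."""
        alerts: List[str] = []
        self.pending += data
        while b"\n" in self.pending:
            line, _, self.pending = self.pending.partition(b"\n")
            alert = check_line(line.rstrip(b"\r"))
            if alert:
                alerts.append(alert)
        # A large command that never gets its LF keeps the server-side allocation
        # alive; report that state so the connection can be closed early.
        if len(self.pending) > PENDING_LIMIT:
            alerts.append(f"unterminated command of {len(self.pending)} bytes pending")
        return alerts


if __name__ == "__main__":
    mon = ImapConnectionMonitor()                           # constructed sample traffic
    print(mon.feed(b"a001 NOOP\r\n"))                       # []
    print(mon.feed(b"a002 NOOP " + b"(" * 4000 + b"\r\n"))  # one NOOP alert
    print(mon.feed(b"a003 NOOP " + b"(" * 9000))            # pending-bytes alert
```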
Remediation
Users are advised to upgrade to a fixed version. For OX Dovecot Pro, the fixed versions are 3.0.5, 3.1.4, and 2.3.22.1. For OX Dovecot CE, the fixed version is 2.4.3.