Open-Xchange OX Dovecot Uncontrolled Resource Consumption Vulnerability via Excessive RFC 2231 MIME Parameters

Vulnerability

A vulnerability exists in Open-Xchange Dovecot Pro and Dovecot CE versions 2.4.0, 2.4.1, 2.4.3, 3.0.2, 3.0.5, 3.1.0, 3.1.2, 3.1.3, and 3.1.4. When the LMTP service processes mail messages with an excessive number of RFC 2231 MIME parameters, it leads to excessive CPU usage. This issue can be exploited by sending a suitably formatted email before authentication, causing the ManageSieve service to allocate large amounts of memory, or by using the NOOP command in the IMAP protocol to create excessive memory usage, potentially leading to a denial-of-service condition.

Impact

Exploitation of this vulnerability causes excessive CPU usage during mail delivery, which can disrupt normal operations and degrade performance.

Remediation

Users can upgrade to OX Dovecot Pro version 3.0.5 or 3.1.4, or to OX Dovecot CE version 2.4.3, where this issue has been addressed. Alternatively, MTA capabilities can be used to limit RFC 2231 MIME parameters in mail messages.
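
As an added illustration of the MTA-side mitigation (not Open-Xchange code and not a built-in feature of any MTA), the following content-filter check counts RFC 2231 parameters per Content-* header and flags messages above a limit. The function names, the sample message and the default limit of 32 are assumptions chosen for the example.

```python
import re

# Matches the three RFC 2231 parameter forms: name*=, name*0=, name*0*=
# Text inside quoted strings is not excluded, so the count can only err high.
RFC2231_PARAM = re.compile(rb";\s*[^\s;=*\"]+\*(?:\d+\*?)?\s*=")
MIME_HEADER = re.compile(rb"^(content-[a-z-]+):", re.I)

def unfold(raw: bytes):
    """Yield logical lines, joining folded continuation lines (leading SP/HTAB)."""
    current = b""
    for line in raw.splitlines():
        if line[:1] in (b" ", b"\t") and current:
            current += b" " + line.strip()
        else:
            if current:
                yield current
            current = line
    if current:
        yield current

def rfc2231_param_counts(raw: bytes):
    """Return [(header_name, count)] for every Content-* header, in any MIME part."""
    counts = []
    for line in unfold(raw):
        m = MIME_HEADER.match(line)
        if m:
            name = m.group(1).decode("ascii").lower()
            counts.append((name, len(RFC2231_PARAM.findall(line))))
    return counts

def exceeds_limit(raw: bytes, max_params: int = 32) -> bool:
    """True if any single header carries more RFC 2231 parameters than allowed.
    The default of 32 is an assumed policy value, not one from the advisory."""
    return any(n > max_params for _, n in rfc2231_param_counts(raw))

# Constructed sample: one attachment whose filename is split into three segments.
SAMPLE = (
    b"From: a@example.com\r\n"
    b"Content-Type: multipart/mixed; boundary=\"b1\"\r\n"
    b"\r\n"
    b"--b1\r\n"
    b"Content-Disposition: attachment;\r\n"
    b" filename*0*=UTF-8''part%20;\r\n"
    b" filename*1=\"two\";\r\n"
    b" filename*2=\".txt\"\r\n"
    b"\r\n"
    b"body\r\n"
    b"--b1--\r\n"
)
```

A filter built on this would reject or defer the message before it is handed to LMTP; the scan is deliberately conservative and also counts body lines that look like Content-* headers.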

Added: Mar 27, 2026, 9:18 AM
Updated: Mar 27, 2026, 9:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.0
remediation: 0.0
relevance: 4.8
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.