Debian Patches Two Dovecot Vulnerabilities
Two vulnerabilities have been disclosed in the Dovecot mail server that allow a remote attacker to disrupt its IMAP service. Tracked as CVE-2024-23184 and CVE-2024-23185, they enable denial-of-service (DoS) attacks: a message carrying an excessive number of address headers, or very large headers, makes the server consume excessive resources while parsing it.
Dovecot is a popular open-source IMAP and POP3 server for Linux and other Unix-like operating systems. It is primarily used to provide email services to users, allowing them to access their emails using various email clients.
Dovecot Vulnerabilities Details
CVE-2024-23184
It was discovered that Dovecot incorrectly handled consumption of internal resources when parsing a large number of address headers (From, To, Cc, Bcc, and so on). A remote attacker can send emails with a large number of address headers to consume excessive system resources, ultimately leading to a denial of service.
CVE-2024-23185
It was discovered that Dovecot incorrectly handled consumption of internal resources when parsing overly large email headers. Similarly, a remote attacker can send emails with overly large headers to exhaust resources and cause a denial of service.
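As an added example (not code from the advisory or from Dovecot), the following pre-parse check measures the two header patterns described above on raw message bytes, so it could run in a milter or content filter, or over a mail archive, ahead of the IMAP server. The address-header names beyond From, To, Cc and Bcc, and all thresholds, are assumptions to be tuned to local traffic.

```python
import re

# Address headers named in the advisory for CVE-2024-23184 (From, To, Cc, Bcc);
# Sender and Reply-To are added here as an assumption.
ADDRESS_HEADERS = {b"from", b"to", b"cc", b"bcc", b"sender", b"reply-to"}

# Illustrative thresholds (assumptions, not Dovecot's limits); tune to your traffic.
MAX_ADDRESS_HEADERS = 50             # CVE-2024-23184: many address headers
MAX_HEADER_BYTES = 64 * 1024         # CVE-2024-23185: one oversized (unfolded) field
MAX_TOTAL_HEADER_BYTES = 256 * 1024  # whole header block


def unfold_header_fields(header_block: bytes) -> list:
    """Split a header block into fields, joining folded continuation lines
    (lines starting with SP or HTAB, RFC 5322 section 2.2.3) onto their field."""
    fields = []
    for line in header_block.splitlines():
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1] += b"\r\n" + line
        else:
            fields.append(line)
    return fields


def inspect_header_block(raw_message: bytes) -> dict:
    """Measure the two patterns the advisory describes, working on raw bytes so
    the check can run before Dovecot ever parses the message."""
    # The header block ends at the first empty line (CRLF or bare LF).
    m = re.search(rb"\r?\n\r?\n", raw_message)
    header_block = raw_message[:m.start()] if m else raw_message
    fields = unfold_header_fields(header_block)
    address_count = sum(
        1 for f in fields if f.split(b":", 1)[0].strip().lower() in ADDRESS_HEADERS)
    largest = max((len(f) for f in fields), default=0)
    return {
        "address_headers": address_count,
        "largest_header_bytes": largest,
        "total_header_bytes": len(header_block),
        "suspicious": (address_count > MAX_ADDRESS_HEADERS
                       or largest > MAX_HEADER_BYTES
                       or len(header_block) > MAX_TOTAL_HEADER_BYTES),
    }


# Constructed samples: an ordinary message and one with many Cc headers.
NORMAL = b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: hi\r\n\r\nbody\r\n"
MANY_CC = (b"From: alice@example.com\r\n" + b"Cc: bob@example.com\r\n" * 60
           + b"Subject: hi\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL), ("many-cc", MANY_CC)):
        print(label, inspect_header_block(sample))
```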
Protecting Your Dovecot Server
Updating your Dovecot package promptly to the patched version removes the risk of falling victim to these vulnerabilities. The Debian security team has released security updates that address both issues. For those running Debian 12 “Bookworm”, updating to version 1:2.3.19.1+dfsg1-2.1+deb12u1 is highly recommended.
For organizations relying on older Linux versions, consider utilizing TuxCare’s Extended Lifecycle Support (ELS). This service offers up to five years of security patching beyond the end-of-life (EOL) date for over 140 packages, including Dovecot, Linux kernel, glibc, OpenSSL, Python, OpenJDK, and more.
TuxCare offers extended support for the following Linux distributions: CentOS 6, 7, and 8, CentOS Stream 8, Oracle Linux 6 and 7, and Ubuntu 16.04 and 18.04.
Source: DSA 5752-1