#VU59879 Input validation error in Cyrus IMAP Server - CVE-2021-33582


Vulnerability identifier: #VU59879

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-33582

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Cyrus IMAP Server
Server applications / Other server solutions

Vendor: Carnegie Mellon University

Description

The vulnerability allows remote attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input that is mishandled during hash-table interaction. A remote attacker can cause a denial of service (multiple-minute daemon hang) via input that is mishandled during hash-table interaction. Because there are many insertions into a single bucket, strcmp becomes slow.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Cyrus IMAP Server: 3.0.0 - 3.4.1

External links
https://www.cyrusimap.org/imap/download/release-notes/index.html
https://github.com/cyrusimap/cyrus-imapd/commits/master
https://cyrus.topicbox.com/groups/announce/T3dde0a2352462975-M1386fc44adf967e072f8df13/cyrus-imap-3-4-2-3-2-8-and-3-0-16-released
https://github.com/cyrusimap/cyrus-imapd/security/advisories

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Amazon Linux AMI update for cyrus-imapd
Anolis OS update for cyrus-imapd (Anolis OS 8.2)
Anolis OS update for cyrus-imapd (Anolis OS 8.4)
Red Hat Enterprise Linux 8.1 Extended Update Support update for cyrus-imapd
Red Hat Enterprise Linux 8.2 Extended Update Support update for cyrus-imapd
Red Hat Enterprise Linux 8 update for cyrus-imapd
Denial of service in Cyrus IMAP