[Dovecot] SSL renegotiation vulnerability
Steinar Bang
sb at dod.no
Wed Oct 26 11:43:39 EEST 2011
>>>>> Steinar Bang <sb at dod.no>:
>>>>> Timo Sirainen <tss at iki.fi>:
>> I don't know if I'm doing something wrong, but I can't even cause a
>> DoS. Even while all imap-login processes are eating 100% CPU (almost
>> 500 handshakes/second), I can successfully log in with another client.
> Are you using the tool linked to in the article, to stress the server?
> http://www.thc.org/thc-ssl-dos/
Here's what the article says about stressing dovecot:
"All server services that use SSL can in principle be affected. Digi.no
has tested the tool against an older, internal server running Linux. The
attack against Apache/HTTPD failed, because SSL Renegotiation was
disabled by default. But an attack against a POP3S-based (encrypted
e-mail) service provided by the server software Dovecot drove the CPU
load through the roof with over a thousand "handshakes" per second. The
attack did not make the whole machine unavailable, but the POP3S service
was in practice unusable for as long as the attack lasted."
A quick translation:
All services using SSL can be affected. Digi.no has tested the tool
against an old, internal server running Linux. The attack against
Apache httpd failed, because SSL Renegotiation was deactivated by
default. But an attack against a POP3S (encrypted email) service
delivered by the server program Dovecot ran the CPU load through the
roof with over a thousand "handshakes" per second. The attack didn't
cause the computer to be inaccessible, but the POP3S service was
unusable for the duration of the attack.
So it looks like they didn't test IMAPS access, only POP3S.
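The symptom described in this thread (login processes pinned at 100% CPU by hundreds of handshakes per second) is a rate anomaly, and the cheapest defensive signal is simply counting handshakes per source per second. The following is an added example, not code from the thread or from the Dovecot project; it assumes a constructed "timestamp source event" log format, since neither the article nor Dovecot's real log lines are shown here, and the threshold value is an illustrative assumption.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: a generic "ISO-timestamp source event" format assumed
# for illustration (NOT Dovecot's actual login log format).
_BASE = datetime(2011, 10, 26, 11, 43, 0)


def _build_sample_log():
    """Construct sample lines: one source renegotiating 20 times within the
    same second (the DoS pattern), one source doing two normal logins."""
    lines = []
    for i in range(20):
        ts = _BASE + timedelta(milliseconds=40 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.10 tls_handshake")
    for i in range(2):
        ts = _BASE + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 198.51.100.7 tls_handshake")
        lines.append(f"{(ts + timedelta(milliseconds=5)).isoformat()} 198.51.100.7 login_ok")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Split one constructed log line into (timestamp, source, event)."""
    ts, src, event = line.split()
    return datetime.fromisoformat(ts), src, event


def handshake_rates(lines):
    """Return {(source, second): handshake_count} over the given log lines.

    Only handshake events are counted; login outcomes are ignored because a
    renegotiation flood never needs to complete a login to burn CPU."""
    counts = Counter()
    for line in lines:
        ts, src, event = parse_line(line)
        if event == "tls_handshake":
            counts[(src, ts.replace(microsecond=0))] += 1
    return counts


def flag_sources(lines, per_second_threshold):
    """Return the sorted list of sources that exceeded the per-second
    handshake threshold in at least one second."""
    flagged = {
        src
        for (src, _sec), n in handshake_rates(lines).items()
        if n >= per_second_threshold
    }
    return sorted(flagged)


if __name__ == "__main__":
    # Threshold of 10 handshakes/second/source is an assumed example value;
    # tune it against your own baseline before acting on it.
    print(flag_sources(SAMPLE_LOG, 10))
```

Note that renegotiation happens inside an already-established TLS connection, so connection-count limits alone do not see this pattern; a handshake counter such as the one above, fed by whatever event your server actually logs per handshake, is what exposes it.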