CVE-2020-12674
Description
A specially crafted RPA authentication request with zero-length message crashes Dovecot auth service, causing denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Dovecot versions before 2.3.11.3, the RPA (Remote Passphrase Authentication) mechanism does not reject zero-length messages. The zero length is accepted and mishandled, leading to a buffer over-read (CWE-126) and an assertion failure that aborts the auth process. The advisory lists the 2.2 series as vulnerable; earlier releases may be affected as well [2]. The fix shipped in version 2.3.11.3.
Exploitation
An unauthenticated remote attacker sends a crafted RPA authentication request containing a zero-length message to a Dovecot server on which the RPA mechanism is enabled. No credentials, prior session or special network position are needed; reachability of an IMAP or POP3 listener is enough, because the login process relays the SASL exchange to the auth service. On receiving the malformed request the auth process trips the assertion and crashes, producing a denial of service.
Impact
Successful exploitation leads to a crash of the Dovecot auth service. Repeated crashes can prevent legitimate users from authenticating, effectively denying access to email services. The impact is limited to availability (denial of service); there is no confidentiality or integrity compromise [1][2].
Mitigation
The vulnerability is fixed in Dovecot 2.3.11.3, released on 2020-08-12; upgrade to that version or later. Distributions shipped backported fixes, for example Ubuntu via USN-4456-1 [1], so a distribution package can carry the fix while its upstream version string is still older than 2.3.11.3 (compare the fixed ranges under Affected products below). The advisory's workaround is to disable RPA authentication entirely, i.e. remove rpa from auth_mechanisms. The CVE is not listed in CISA's KEV (Known Exploited Vulnerabilities) catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Dovecot/Dovecot
  - Range: < 2.3.11.3
- OSV coordinates (28 distribution packages; each range is the affected versions, so the bound shown is the first fixed build):
  - pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Leap%2015.1: < 2.3.10-lp151.2.12.1
  - pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Leap%2015.2: < 2.3.10-lp152.2.3.1
  - pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Tumbleweed: < 2.3.16-1.6
  - pkg:rpm/opensuse/dovecot24&distro=openSUSE%20Tumbleweed: < 2.4.0-1.1
  - pkg:rpm/suse/dovecot22&distro=HPE%20Helion%20OpenStack%208: < 2.2.31-19.22.1
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Enterprise%20Storage%205: < 2.2.31-19.22.1
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL: < 2.2.31-19.22.1
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS: < 2.2.31-19.22.1
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL: < 2.2.31-19.22.1
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS: < 2.2.31-19.22.1
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS: < 2.2.31-19.22.1
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5: < 2.2.31-19.22.1
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2: < 2.2.31-19.22.1
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3: < 2.2.31-19.22.1
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4: < 2.2.31-19.22.1
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5: < 2.2.31-19.22.1
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5: < 2.2.31-19.22.1
  - pkg:rpm/suse/dovecot22&distro=SUSE%20OpenStack%20Cloud%207: < 2.2.31-19.22.1
  - pkg:rpm/suse/dovecot22&distro=SUSE%20OpenStack%20Cloud%208: < 2.2.31-19.22.1
  - pkg:rpm/suse/dovecot22&distro=SUSE%20OpenStack%20Cloud%209: < 2.2.31-19.22.1
  - pkg:rpm/suse/dovecot22&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208: < 2.2.31-19.22.1
  - pkg:rpm/suse/dovecot22&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209: < 2.2.31-19.22.1
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS: < 2.3.10-4.27.1
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS: < 2.3.10-4.27.1
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP1: < 2.3.10-16.1
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP2: < 2.3.11.3-17.5.1
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS: < 2.3.10-4.27.1
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015: < 2.3.10-4.27.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Dovecot's RPA mechanism implementation accepts a zero-length message, which is mishandled and causes an assert-crash in the auth service."
Attack vector
An unauthenticated remote attacker sends a specially formatted RPA authentication request containing a zero-length message. The RPA mechanism implementation mishandles the zero length, leading to an assert-crash in the auth process [ref_id=1]. The attack is network-based and requires no privileges; it is delivered through an IMAP or POP3 login listener (the reproduction uses POP3 on port 110), which relays the SASL exchange to the auth service [ref_id=1]. By repeatedly sending such requests, an adversary can keep the auth process crashing and prevent legitimate logins.
Affected code
The vulnerable component is the auth service in Dovecot's RPA mechanism implementation. The advisory notes the vulnerable version is 2.2 and the fixed version is 2.3.11.3 [ref_id=1]. The patch is not included in the bundle, so the exact function or file path is not specified.
What the fix does
The advisory states the fix is available in Dovecot version 2.3.11.3 [ref_id=1]. No patch diff is provided in the bundle, so the exact code change is unknown. The advisory recommends upgrading to the fixed version or, as a workaround, disabling RPA authentication entirely [ref_id=1].
Preconditions
- config: The RPA mechanism must be enabled on the server, i.e. rpa listed in auth_mechanisms (Dovecot's default is plain, so RPA is an explicit opt-in)
- auth: No authentication or prior session is required
- network: The attacker must be able to reach an IMAP or POP3 listener, through which the login process relays the SASL exchange to the auth service
- input: The attacker sends a crafted RPA request with a zero-length message field
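The Preconditions above and the Mitigation section reduce to two host-level facts: the running version against the fixed release 2.3.11.3, and whether rpa appears in auth_mechanisms. The script below is an added example and not code from the advisory or from the Dovecot project. It assumes that `dovecot --version` prints the version as its first word and that `doveconf -h auth_mechanisms` prints the bare setting value (both commands exist in Dovecot 2.x; the output shape is the assumption). When neither tool is present it runs on a constructed sample input instead.

```shell
#!/bin/sh
# Added example, not from the advisory or the Dovecot project: decide whether a
# host is exposed to CVE-2020-12674 from the two facts the advisory gives,
# the fixed upstream release (2.3.11.3) and the RPA mechanism being enabled.
# Assumptions: `dovecot --version` prints the version as its first word and
# `doveconf -h auth_mechanisms` prints the bare setting value; when those
# tools are absent the script falls back to a constructed sample input.

FIXED_VERSION="2.3.11.3"

# version_lt A B: succeed when dotted version A is numerically older than B.
# Everything from the first character that is not a digit or dot onward
# (" (hash)", "-lp151.2.12.1") is discarded, so only the upstream part is
# compared. Missing components count as 0; up to four components are checked.
version_lt() {
    a="$(printf '%s' "$1" | sed 's/[^0-9.].*//').0.0.0"
    b="$(printf '%s' "$2" | sed 's/[^0-9.].*//').0.0.0"
    i=1
    while [ "$i" -le 4 ]; do
        ai=$(printf '%s' "$a" | cut -d. -f"$i"); [ -n "$ai" ] || ai=0
        bi=$(printf '%s' "$b" | cut -d. -f"$i"); [ -n "$bi" ] || bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1    # equal: not older
}

# mechs_include_rpa LIST: succeed when "rpa" is one of the space-separated
# mechanism names in LIST (compared case-insensitively).
mechs_include_rpa() {
    for m in $1; do
        if [ "$(printf '%s' "$m" | tr 'A-Z' 'a-z')" = "rpa" ]; then
            return 0
        fi
    done
    return 1
}

# check_host VERSION MECHS: print the verdict; succeed (exit 0) only when the
# host is exposed, i.e. the version predates the fix AND rpa is enabled.
check_host() {
    ver=$1
    mechs=$2
    if ! version_lt "$ver" "$FIXED_VERSION"; then
        echo "not exposed: $ver is $FIXED_VERSION or later"
        return 1
    fi
    echo "version $ver predates $FIXED_VERSION (unless the distribution backported the fix)"
    if mechs_include_rpa "$mechs"; then
        echo "exposed: auth_mechanisms = $mechs enables RPA; upgrade, or drop rpa as the interim workaround"
        return 0
    fi
    echo "not exposed: RPA is not enabled, so a crafted RPA request never reaches the mechanism"
    return 1
}

# Gather live values when the Dovecot tools are present; otherwise use a
# constructed sample (the hash in parentheses is a placeholder, not a real build).
if command -v dovecot >/dev/null 2>&1 && command -v doveconf >/dev/null 2>&1; then
    ver=$(dovecot --version)
    mechs=$(doveconf -h auth_mechanisms)
else
    ver="2.3.10 (deadbeef0)"
    mechs="plain login rpa"
fi
check_host "$ver" "$mechs" && exposed=yes || exposed=no
echo "exposed=$exposed"
```

The version comparison is deliberately conservative: it strips distribution suffixes and compares only the upstream part, so a backported package such as the SUSE 2.3.10-16.1 or 2.2.31-19.22.1 builds listed under Affected products is reported as predating 2.3.11.3 even though it carries the fix. Treat a version hit as a prompt to check the distribution advisory, and the rpa check as the decisive factor for whether the crafted request can reach the vulnerable code at all.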
Reproduction
The advisory includes a reproduction command: `(echo 'AUTH RPA'; echo -ne '\x60\x11\x06\x09\x60\x86\x48\x01\x86\xf8\x73\x01\x01\x01\x00\x04\x00\x00\x01' | base64 -w 0; echo ; echo -ne '\x60\x11\x06\x09\x60\x86\x48\x01\x86\xf8\x73\x01\x01\x00\x03A@A\x00' | base64 -w 0; echo ; echo QUIT) | nc 127.0.0.1 110` [ref_id=1]. It opens a POP3 session to port 110 on localhost, starts the SASL exchange with `AUTH RPA`, sends two base64-encoded RPA messages without waiting for the server's challenge, and closes with QUIT; the crafted content crashes the auth process. Note that `echo -ne` and `base64 -w 0` rely on bash's echo builtin and GNU coreutils.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2020-08/msg00048.html (vendor advisory, SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-08/msg00059.html (vendor advisory, SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/ (vendor advisory, Fedora)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/ (vendor advisory, Fedora)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/ (vendor advisory, Fedora)
- security.gentoo.org/glsa/202009-02 (vendor advisory, Gentoo)
- usn.ubuntu.com/4456-1/ (vendor advisory, Ubuntu)
- usn.ubuntu.com/4456-2/ (vendor advisory, Ubuntu)
- www.debian.org/security/2020/dsa-4745 (vendor advisory, Debian)
- dovecot.org/security (vendor security page, MISC)
- lists.debian.org/debian-lts-announce/2020/08/msg00024.html (mailing list, Debian LTS)
- www.openwall.com/lists/oss-security/2020/08/12/3 (oss-security mailing list, CONFIRM)
News mentions
No linked articles in our index yet.