hackerone / Rumata / H1:989668
History: Sep 23, 2020 - 6:55 p.m.

Open-Xchange: A malicious user can upload a malicious script through managesieve and trigger its execution in order to consume almost 100% of CPU (LMTP).

2020-09-23 18:55:31
rumata
hackerone.com
$300
13
open-xchange
managesieve
cpu consumption
sieve script
server throttling
financial loss
bug bounty

EPSS

0.002

Percentile

61.1%

Summary

A malicious user can create a malicious sieve script (attached as “test.sieve”), upload it to the server through managesieve and set it as active. The user can then send several specially crafted messages to himself to trigger long script execution. The attacker has to send one message per server core to get close to 100% CPU usage. The attacker can then disconnect from the server, but the high CPU usage will persist. The attack does not seem to result in a complete DoS, but it causes high resource consumption, which can result in financial loss or suspension of service by the cloud provider (as in the case of Digital Ocean).

The problem

(Please open the attached test.sieve file and look at its contents.) Sieve execution isn’t time-limited. Since the user controls the regex, even with both the regex and the matched string kept under 65536 characters (the limit imposed by Pigeonhole), a single match can be pushed into macroscopic time (around 200 ms of single-core execution on my laptop). It is then possible to simply repeat the match operation several times by duplicating the line

if string :regex  "${final}" "${my_exp}"

If you repeat it 100 times, then one core will spend around 20 seconds on each message sent to the malicious user.
When Sieve was created, it was deliberately designed without loops, because loops could let a malicious user cause a DoS. Later the MIME extension was introduced, and it brought with it the “foreverypart” loop. By using “foreverypart” and sending a message like the following, we can multiply the execution time even further.

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=

--
--
--
--
--
--

Since the MIME part limit is in the thousands, the attacker can send one message per server core and keep the CPU throttled for days.

Solution

There needs to be a default limit on sieve execution or on regexp execution. The former is probably better, since it also defends against problems with possible future sieve extensions. Sieve scripts that exceed the limit should be flagged and deactivated.
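One way to realise the limit proposed above, written here as an added example that is neither the report’s test.sieve nor any part of Pigeonhole or Open-Xchange: a Python admission check that estimates a script’s worst-case regex cost at managesieve upload time (every :regex test counted once, multiplied by the MIME part limit for each enclosing foreverypart loop) and rejects scripts over a budget, plus a cooperative per-message wall-clock budget checked between match operations. The cost threshold, the 1000-part assumption, the function names and the two sample scripts are all constructed for this example.

```python
import re
import time

# Constructed limits for this example; they are not Pigeonhole settings.
MAX_STATIC_COST = 1000      # worst-case regex evaluations allowed per message
MAX_EXEC_SECONDS = 2.0      # wall-clock budget for executing one script on one message
ASSUMED_MAX_PARTS = 1000    # assumed cap on MIME parts a foreverypart loop can visit


class SieveLimitExceeded(Exception):
    """Raised when a script exceeds its per-message execution budget."""


# Matches a Sieve word or a :tagged argument such as ':regex'.
_WORD = re.compile(r':?[A-Za-z_][A-Za-z0-9_]*')


def static_cost(script: str, max_parts: int = ASSUMED_MAX_PARTS) -> int:
    """Estimate how many regex evaluations one message could trigger.

    A character scan that skips '#' comments and quoted strings, tracks '{ }'
    nesting, and multiplies the running cost by max_parts for every
    foreverypart block it is inside. Simplification: Sieve's 'text:' multiline
    strings are not special-cased, so braces inside them would be counted.
    """
    cost, multiplier = 0, 1
    stack = []            # one entry per open '{': True if it opened a foreverypart loop
    pending_loop = False  # saw 'foreverypart' and waiting for its opening '{'
    i, n = 0, len(script)
    while i < n:
        c = script[i]
        if c == '#':                                   # comment runs to end of line
            j = script.find('\n', i)
            i = n if j == -1 else j + 1
            continue
        if c == '"':                                   # quoted string, honouring \" escapes
            i += 1
            while i < n and script[i] != '"':
                i += 2 if script[i] == '\\' else 1
            i += 1
            continue
        if c == '{':
            stack.append(pending_loop)
            if pending_loop:
                multiplier *= max_parts
            pending_loop = False
            i += 1
            continue
        if c == '}':
            if stack and stack.pop():
                multiplier //= max_parts
            i += 1
            continue
        m = _WORD.match(script, i)
        if m:
            word = m.group(0)
            if word == 'foreverypart':
                pending_loop = True
            elif word == ':regex':
                cost += multiplier
            i = m.end()
            continue
        i += 1
    return cost


def admit_script(script: str, limit: int = MAX_STATIC_COST):
    """Decision to take at managesieve upload: (accepted, estimated_cost)."""
    cost = static_cost(script)
    return cost <= limit, cost


def run_with_budget(patterns, subject: str, budget: float = MAX_EXEC_SECONDS):
    """Evaluate regex tests against subject under a wall-clock budget.

    The budget is checked cooperatively between operations; a real engine
    would also have to check it inside the matcher, since one pathological
    match can by itself exceed the budget.
    """
    deadline = time.monotonic() + budget
    results = []
    for pattern in patterns:
        if time.monotonic() >= deadline:
            raise SieveLimitExceeded("script exceeded %.1fs budget; deactivate it" % budget)
        results.append(re.search(pattern, subject) is not None)
    return results


# Constructed sample scripts (not the report's attachment).
BENIGN_SCRIPT = '''require ["fileinto", "regex"];
# file list mail away
if header :regex "subject" "^\\\\[list\\\\]" { fileinto "lists"; }
'''

HEAVY_SCRIPT = '''require ["regex", "foreverypart", "variables"];
foreverypart {
  if string :regex "${x}" "a" { stop; }
  if string :regex "${x}" "b" { stop; }
}
'''

if __name__ == "__main__":
    for name, script in (("benign", BENIGN_SCRIPT), ("heavy", HEAVY_SCRIPT)):
        accepted, cost = admit_script(script)
        print("%s: cost=%d accepted=%s" % (name, cost, accepted))
    print(run_with_budget(["^a", "b$"], "ab"))
```

The static estimate deliberately assumes the worst case (every part of the largest allowed message visited, every regex evaluated), so it is a conservative upload-time gate; the runtime budget is the backstop for scripts whose cost is not visible statically.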

Impact

High resource consumption / Server throttling / possible financial loss.