We are pleased to announce that Stalwart Mail Server is not vulnerable to the recently disclosed CVE-2024-34055 exploit, which affects Cyrus IMAP versions before 3.8.3 and 3.10.x before 3.10.0-rc1. This vulnerability allows authenticated attackers to cause unbounded memory allocation, potentially leading to a server crash through an Out-Of-Memory (OOM) condition.
Understanding the CVE-2024-34055 Exploit
The CVE-2024-34055 exploit leverages a specific weakness in the Cyrus IMAP server. By sending numerous LITERALs in a single command, an attacker can trigger excessive memory allocation. The vulnerability can be demonstrated with the following example:
A2 SEARCH BODY {1048576}
+ Ready for 1048576 bytes.
[1048576 bytes chunk] BODY {1048576}
+ Ready for 1048576 bytes.
[1048576 bytes chunk] BODY {1048576}
...
+ Ready for 1048576 bytes.
[1048576 bytes chunk] BODY {1048576}
<cyrus crashes with oom>
In this scenario, the server is repeatedly asked to allocate large chunks of memory, eventually leading to an OOM crash.
Why Stalwart is Secure
Stalwart Mail Server is designed with security and robustness in mind, and it is not susceptible to the type of attacks outlined in CVE-2024-34055. Here’s why:
- Strict Parsers: Stalwart’s parsers are highly strict when reading input from the network. This strictness ensures that any malformed or malicious commands are promptly identified and handled without leading to excessive resource allocation.
- Extensive Fuzzing and Testing: All parsers in Stalwart have undergone rigorous fuzzing and testing. Fuzzing is a testing technique that involves providing invalid, unexpected, or random data inputs to the software to identify vulnerabilities. This meticulous testing regime ensures that Stalwart can robustly handle a wide range of inputs without compromising on stability or security.
- Written in Rust: Stalwart is developed using the Rust programming language, which offers inherent safety features. Rust’s ownership model and type system prevent many common vulnerabilities associated with memory management that are prevalent in languages like C. This makes Stalwart inherently less susceptible to memory-related exploits compared to other mail servers such as Cyrus and Dovecot.
Conclusion
At Stalwart, we prioritize security and reliability. Our commitment to using secure coding practices, comprehensive testing, and leveraging the advantages of Rust ensures that Stalwart Mail Server remains resilient against the latest threats. We encourage our users to continue enjoying the peace of mind that comes with knowing their mail server is robust against vulnerabilities like CVE-2024-34055.
For more information or support, please contact our team or visit our website. Stay secure with Stalwart!