A critical vulnerability, identified by the Common Vulnerabilities and Exposures number CVE-2023-4875, has been discovered in the Mutt mail user agent (MUA) versions >1.5.2 and < 2.2.12. This vulnerability is caused by a null pointer dereference bug when composing an email from a specially crafted draft message. Exploiting this vulnerability may lead to a denial of service (DoS) attack, potentially causing the Mutt application to crash.

In this post, we will explore the details of this vulnerability, how it can be exploited, and the steps Mutt users can take to protect their systems from this issue. We will also provide links to the original references and resources related to the issue.

Vulnerability Details

Mutt is a popular text-based MUA that provides a simple and efficient interface for managing and handling emails. In versions of Mutt ranging from 1.5.2 to 2.2.11, a null pointer dereference bug exists when a user attempts to compose an email from a specially crafted draft message.

The cause of this vulnerability lies in the handling of the 'References' header while parsing email headers during the composition process. The problematic code snipplet can be found in the 'mutt_parse_references()' function in the 'mutt/headers.c' source file.

Code Snipplet

void mutt_parse_references (struct ListHead *refs, char *s)
{
  struct List *tmp;
  char *m, *n;

  for (m = n = s; *m; m++)
  {
    SKIPWS (m);
    if (*m)
    {
      for (n = m; *n && !ISSPACE (*n) && *n != ','; n++)
        ;
      if (*n)
        *n++ = ;
    
      tmp = new_list_item (NULL); // Here, tmp could be NULL if malloc fails
      tmp->data = safe_strdup (m);
      list_insert_tail (refs, tmp); // NULL pointer dereference
      m = n;
    }
  }
}

In the above code snippet, the 'tmp' pointer is initialized with the 'new_list_item()' function, but there is no proper error handling in case the memory allocation fails, resulting in a NULL pointer dereference.

Exploitation

An attacker could exploit this vulnerability by crafting a malicious draft email message containing specific data in the 'References' header and tricking the victim into composing an email from this preexisting draft message.

When the Mutt application processes the draft message and encounters the crafted 'References' header, it would trigger the null pointer dereference, causing the application to crash and resulting in a denial of service situation.

Remediation

The Mutt development team has addressed this vulnerability in Mutt version 2.2.12. Users of Mutt versions 1.5.2 through 2.2.11 are strongly advised to update their installation to the latest version as soon as possible.

For users who are unable to update right away, a workaround could include disabling the use of preexisting draft messages for composing new emails and making sure to verify all received draft messages for signs of tampering before attempting to process them.

Resources and Original References

1. Mutt Homepage - Official website of Mutt, containing the latest release information and download links.
2. CVE-2023-4875 - CVE entry for the null pointer dereference vulnerability in Mutt.
3. Mutt Security Announcements - Official listing of security issues present in Mutt, including CVE-2023-4875.
4. GitHub Issue Tracker - Official issue tracker for Mutt on GitHub, where users can submit bug reports and patches for consideration.

Conclusion

The CVE-2023-4875 vulnerability in Mutt represents a significant risk to users, as it could result in denial of service attacks when handling specially crafted draft messages. To protect themselves from this threat, users should update their Mutt installation to version 2.2.12 or later and adhere to recommended safe practices, such as verifying received draft messages before further processing them.

Timeline

Published on: 09/09/2023 15:15:00 UTC
Last modified on: 09/27/2023 15:19:00 UTC