Sendmail DNS Map Initialization Flaw May Let Remote Users Crash the System
SecurityTracker Alert ID: 1007564
CVE Reference: CAN-2003-0688
Updated: Aug 26 2003
Original Entry Date: Aug 25 2003
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 8.12 - 8.12.8
Description: A vulnerability was reported in certain versions of sendmail when using DNS maps in the sendmail configuration file. A remote user may be able to cause the mail service to crash or (in theory) execute arbitrary code.
Versions 8.12.x prior to version 8.12.9 are affected, but only when using DNS maps in the 'sendmail.cf' file.
It is reported that the dns_parse_reply() function improperly initializes RESOURCE_RECORD_T data structures. If sendmail receives a DNS reply whose actual size does not match the size reported in the reply packet, the dns_free_data() function in the 'sm_resolve.c' file will attempt to free memory through the uninitialized pointers, i.e. random memory addresses. This may cause sendmail to crash. The report indicates that this flaw may in theory allow a remote user to execute arbitrary code, but that is not confirmed in the report.
Oleg Bulyzhin is credited with reporting this flaw.
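As an added illustration, not code from the advisory or from sendmail, the following simplified parser uses a hypothetical record type (not sendmail's RESOURCE_RECORD_T) and a constructed wire layout to show the initialization discipline the advisory's fix is about: every node is zeroed before parsing continues, so when a reply is shorter than its header claims, the cleanup routine walks a partially built chain without freeing through stale pointers.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical, simplified record list; not sendmail's RESOURCE_RECORD_T. */
typedef struct rr { uint8_t rr_type; char *rr_name; struct rr *rr_next; } RR;
/* Release a chain: safe only if every field of every node was initialized
 * before the parser could give up, which is what the 8.12.9 fix ensures. */
void rr_free_chain(RR *h)
{
    for (RR *n; h; h = n) { n = h->rr_next; free(h->rr_name); free(h); }
}
/* Constructed wire-like layout: count, then [type][len][len bytes]...
 * Returns records parsed, or -1 (with *out NULL and nothing leaked) when
 * the buffer is shorter than its own count and lengths claim. */
int rr_parse(const uint8_t *buf, size_t len, RR **out)
{
    RR *head = NULL, **tail = &head;
    size_t pos = 1;
    int count = len ? buf[0] : -1;
    for (int i = 0; i < count; i++) {
        /* calloc, not malloc: rr_name and rr_next start NULL, so an early
         * return never hands rr_free_chain an uninitialized pointer. */
        RR *r = calloc(1, sizeof *r);
        if (!r || pos + 2 > len) { free(r); goto fail; }
        *tail = r; tail = &r->rr_next;
        r->rr_type = buf[pos++];
        size_t n = buf[pos++];
        if (pos + n > len || !(r->rr_name = malloc(n + 1))) goto fail;
        memcpy(r->rr_name, buf + pos, n);
        r->rr_name[n] = '\0';
        pos += n;
    }
    if (count < 0) goto fail;
    *out = head; return count;
fail:
    rr_free_chain(head);
    *out = NULL; return -1;
}
/* Constructed samples; the truncated one claims 2 records but cuts the
 * second off mid-name (the advisory's "reported size" mismatch case). */
int demo(int truncated)
{
    static const uint8_t bad[] = { 2, 1, 3, 'a', 'b', 'c', 1, 5, 'x' };
    static const uint8_t ok[]  = { 2, 1, 3, 'a', 'b', 'c', 16, 1, 'x' };
    RR *list;
    int n = truncated ? rr_parse(bad, sizeof bad, &list)
                      : rr_parse(ok, sizeof ok, &list);
    rr_free_chain(list);   /* list is NULL on failure, so this is safe */
    return n;              /* -1 when truncated, 2 otherwise */
}
```

Swapping the calloc for a plain malloc reproduces the failure class described above: the bail-out on the short record leaves rr_name holding whatever was in the heap, and rr_free_chain then frees through it.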
Impact: A remote user may be able to return a DNS reply to sendmail that will cause the mail service to crash or [potentially/theoretically] execute arbitrary code.
Solution: According to the vendor, the flaw was fixed in version 8.12.9 and was not reported as a security fix because, at the time, it was not considered to be security relevant. The vendor now strongly recommends that you upgrade or apply the patch available at:
http://www.sendmail.org/dnsmap1.html
Vendor URL: www.sendmail.org/dnsmap1.html
Cause: Resource error, State error
Underlying OS: Linux (Any), UNIX (Any)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Mon, 25 Aug 2003 14:28:41 -0400
Subject: http://www.sendmail.org/dnsmap1.html
> DNS map problem in 8.12.x before 8.12.9
> There is a potential problem in sendmail 8.12.8 and earlier sendmail 8.12.x
> versions with respect to DNS maps. The bug did not exist in versions before
> 8.12 as the DNS map type is new to 8.12. The bug was fixed in 8.12.9,
> released March 29, 2003 but not labeled as a security fix as it wasn't
> believed to be a security bug:
>
> Properly initialize data structure for dns maps to avoid various
> errors, e.g., looping processes. Problem noted by
> Maurice Makaay of InterNLnet B.V.
>
> Note that only FEATURE(`enhdnsbl') uses a DNS map. We do not have an assessment
> whether this problem is exploitable, however, if you use a DNS map and an 8.12
> version older than 8.12.9, then either upgrade (strongly recommended) or apply
> the trivial patch given below.
>
> This problem has been reported to FreeBSD by Oleg Bulyzhin
http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/54367