(OpenBSD Issues Fix) Sendmail DNS Map Initialization Flaw May Let Remote Users Crash the System

SecurityTracker Alert ID: 1007573

SecurityTracker URL: http://securitytracker.com/id/1007573

CVE Reference: CAN-2003-0688

Date: Aug 26 2003

Impact: Denial of service via network, Execution of arbitrary code via network, User access via network

Fix Available: Yes
Vendor Confirmed: Yes

Version(s): 8.12 - 8.12.8

Description:
A vulnerability was reported in certain versions of sendmail when using DNS maps in the sendmail configuration file. A remote user may be able to cause the mail service to crash or (in theory) execute arbitrary code.
Versions 8.12.x prior to version 8.12.9 are affected, but only when using DNS maps in the 'sendmail.cf' file.
It is reported that the dns_parse_reply() function improperly initializes RESOURCE_RECORD_T data structures. If sendmail receives a DNS reply where the reply size is not the reported size of the reply packet, the dns_free_data() function in the 'sm_resolve.c' file will attempt to free random memory addresses. This may cause sendmail to crash. The report indicates that this flaw may in theory allow a remote user to execute arbitrary code, but that is not confirmed in the report.
Oleg Bulyzhin is credited with reporting this flaw.
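
The failure mode described above, reduced to a self-contained C model (an added example, not sendmail's code): a record is placed on the list before its fields are set, so the cleanup that runs on a short reply sees whatever the allocator handed back. The names `rr_t`, `parse_reply`, `free_list` and `STALE`, the `[len][payload]` record format and the 0xFF fill standing in for stale heap contents are all assumptions made for illustration; the model counts the bad pointers instead of passing them to free().

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified record; illustrative names, not sendmail's RESOURCE_RECORD_T. */
typedef struct rr { struct rr *next; unsigned char *data; } rr_t;
static int wild_frees; /* pointers handed to cleanup that the parser never set */
#define STALE(p) ((uintptr_t)(p) == UINTPTR_MAX) /* all-0xFF = stale heap stand-in */

static void free_list(rr_t *r) {
    while (r != NULL) {
        rr_t *next = r->next;
        if (STALE(r->data)) wild_frees++; /* real code would free() garbage here */
        else free(r->data);               /* free(NULL) is a no-op */
        free(r);
        r = STALE(next) ? NULL : next;
    }
}

/* Parse [len][payload] records: 0 on success, -1 after cleanup if truncated. */
int parse_reply(const unsigned char *buf, size_t got, int zero_init) {
    rr_t *head = NULL, **tail = &head;
    size_t off = 0;
    while (off < got) {
        rr_t *r = malloc(sizeof *r);
        if (r == NULL) { free_list(head); return -1; }
        memset(r, zero_init ? 0 : 0xFF, sizeof *r); /* zero fill is the fix */
        *tail = r;       /* record is on the list before its fields are valid */
        tail = &r->next;
        size_t len = buf[off++];
        if (len > got - off) { free_list(head); return -1; } /* short reply */
        r->data = malloc(len ? len : 1);
        if (r->data == NULL) { free_list(head); return -1; }
        memcpy(r->data, buf + off, len);
        r->next = NULL;
        off += len;
    }
    free_list(head);
    return 0;
}

int main(void) {
    const unsigned char trunc[] = {2, 'a', 'b', 9, 'c'}; /* constructed reply */
    int fixed = parse_reply(trunc, sizeof trunc, 1), w0 = wild_frees;
    int stale = parse_reply(trunc, sizeof trunc, 0);
    printf("zeroed: rc=%d wild=%d; stale: rc=%d wild=%d\n", fixed, w0, stale, wild_frees);
    return 0;
}
```

Both runs reject the short reply; only the run without the zero fill reaches cleanup holding a pointer the parser never assigned.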

Impact:
A remote user may be able to return a DNS reply to sendmail that will cause the mail service to crash or (in theory) execute arbitrary code.

Solution:
The vendor reports that OpenBSD 3.2 shipped with sendmail 8.12.8 (the vulnerable version). OpenBSD 3.3 shipped with sendmail 8.12.9 which does not contain the flaw.
The vendor has released a fix in the OpenBSD 3.2-stable branch.
A patch for OpenBSD 3.2 is also available:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/016_sendmail.patch
The vendor notes that sendmail configurations that do not use the "enhdnsbl" feature are not affected. The default OpenBSD sendmail config does not use this feature, according to the vendor. The vendor advises that if you do not have a custom config that uses enhdnsbl, you do not need to apply the patch or update sendmail.

Vendor URL: www.sendmail.org/dnsmap1.html

Cause:
Resource error, State error

Underlying OS:
UNIX (OpenBSD)

Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: Mon, 25 Aug 2003 15:20:00 -0400
Subject: Sendmail bug wrt DNS maps

There is a potential problem in the sendmail 8.12 series with respect
to DNS maps in sendmail 8.12.8 and earlier sendmail 8.12.x versions.
The bug did not exist in versions before 8.12 as the DNS map type
is new to 8.12. The bug was fixed in 8.12.9, released March 29,
2003 but not labeled as a security fix as it wasn't believed to be
a security bug at the time. Note that only FEATURE(`enhdnsbl')
uses a DNS map. We do not have an assessment whether this problem
is exploitable but we want to inform you just in case you distribute
sendmail 8.12.x versions before 8.12.9.
OpenBSD 3.2 shipped with sendmail 8.12.8 and thus has the bug.
OpenBSD 3.3 shipped with sendmail 8.12.9 and does *not* have the bug.
The problem has been fixed in the OpenBSD 3.2-stable branch.
In addition, a patch is available for OpenBSD 3.2:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/016_sendmail.patch
Please note that this only affects sendmail configurations that use
the "enhdnsbl" feature. The default OpenBSD sendmail config does
*not* use this. Unless you have created a custom config that uses
enhdnsbl, you do not need to apply the patch or update sendmail.