SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (E-mail Server)  >   Sendmail Vendors:   Sendmail Consortium
(NetBSD Issues Fix) Sendmail Excessive Recursion in Processing Malformed MIME Messages Lets Remote Users Deny Service
SecurityTracker Alert ID:  1016302
SecurityTracker URL:  http://securitytracker.com/id/1016302
CVE Reference:   CVE-2006-1173   (Links to External Site)
Date:  Jun 15 2006
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 8.13.7
Description:   A vulnerability was reported in Sendmail. A remote user can cause denial of service conditions.

A remote user can send a specially crafted message containing malformed, deeply nested MIME content to cause excessive recursion, leading to stack exhaustion when the system attempts to deliver the message from the queue. Only mail delivered from the queue is affected. The system may fail to reattempt delivery of messages in the queue. Incoming mail is still accepted and delivered.

Also, if the system is configured to write uniquely named core dump files per process, the disk space may become filled with core dumps.

The vendor credits Frank Sheiness with reporting this vulnerability.
Impact:   A remote user may be able to stop the delivery of queued messages.
Solution:   NetBSD has released a fix.

The NetBSD advisory is available at:

ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-017.txt.asc
Vendor URL:  www.sendmail.org/releases/8.13.7.html (Links to External Site)
Cause:   State error
Underlying OS:   UNIX (NetBSD)

Message History:   This archive entry is a follow-up to the message listed below.
Jun 14 2006 Sendmail Excessive Recursion in Processing Malformed MIME Messages Lets Remote Users Deny Service


 Source Message Contents
Date:  Wed, 14 Jun 2006 22:44:32 +0100
Subject:  NetBSD Security Advisory 2006-017: Sendmail malformed multipart MIME


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		 NetBSD Security Advisory 2006-017
		 =================================

Topic:		Sendmail malformed multipart MIME messages

Version:	NetBSD-current:	source prior to May 30, 2006
		NetBSD 3.0:	affected
		NetBSD 2.1:	affected
		NetBSD 2.0.*:	affected
		NetBSD 2.0:	affected
		pkgsrc:		sendmail-8.13.6nb2 and earlier
				sendmail-8.12.11nb2 and earlier

Severity:	Denial of service

Fixed:		NetBSD-current:		May 30, 2006
		NetBSD-3-0 branch:	June 14, 2006
					   (3.0.1 will include the fix)
		NetBSD-3   branch:	June 14, 2006
		NetBSD-2-1 branch:	June 14, 2006
					   (2.1.1 will include the fix)
		NetBSD-2-0 branch:	June 14, 2006
					   (2.0.4 will include the fix)
		NetBSD-2   branch:	June 14, 2006
		pkgsrc:			sendmail-8.13.6nb3 corrects this issue
					sendmail-8.12.11nb3 corrects this issue


Abstract
========

Sendmail is vulnerable to a denial of service condition in the handling of 
malformed multipart MIME messages.  This may allow a remote attacker 
to launch a denial of service attack against the sendmail host.

This vulnerability has been assigned CVE reference CVE-2006-1173.


Technical Details
=================

A denial of service condition is triggered when sendmail processes a
malformed multipart MIME message.  The message can cause the sendmail
process to exhaust its available per-process stack space and abort.
The sendmail server process is not impacted by the abnormal
termination of the child process handling the malformed mail, and will
continue to function. As such your MTA will continue processing mail.

However, an attacker can still cause a number of issues by repeatedly
triggering this vulnerability:

 - By sending multiple malformed MIME messages an attacker may be 
   able to consume disk space with core dump files.
 - Any malformed MIME messages will remain in the sendmail queue and 
   cause queue runs to abort.  This may impact the delivery of other
   messages in the queue.

Solutions and Workarounds
=========================

On NetBSD 2.0 and later, sendmail by default is bound to localhost
(127.0.0.0, ::1) only, and as such is not externally reachable.  Only
hosts on which sendmail has been configured for external mail
reception are externally exploitable, although hosts running sendmail
for local delivery can still be reached by local users.

It is recommended that all users of affected versions update their
sendmail to include the fix.

The following instructions describe how to upgrade your sendmail
binaries by updating your source tree and rebuilding and
installing a new version of sendmail.

* NetBSD-current:

	In response to this and previous issues, Sendmail was removed
	entirely from the NetBSD base system on 2006-05-30.  The
	default MTA has been switched to Postfix.  These changes will
	be included in NetBSD 4.0 and later releases, and will affect
	current users updating their systems and new snapshot installs
	built past this date.

	The decision to switch default MTA for 4.0 had already been
	taken after NetBSD-SA2006-010, however this most recent issue
	prompted the removal of sendmail prior to branching for the
	4.0 release, in order to minimise the risk and maintenance
	burden for any future sendmail issues.

	Users of NetBSD-current will need to migrate their mail
	configurations, either to using postfix in the base system, or
	to a fixed sendmail (or one of several other MTAs) available
	via pkgsrc.  The pkgsrc sendmail has more enabled and optional
	features than were or would ever be available in the base
	system sendmail, and it is likely that many sendmail sites
	were already using pkgsrc sendmail for this reason.

	As sendmail was removed from the base distribution before the
	fixes for this issue could be applied, it is recommended that
	users running NetBSD-current from before 2006-05-30 should
	perform a full release build and update their systems.  These
	users should should ensure that the obsolete and vulnerable
	sendmail binaries are removed from their systems when
	updating, via the postinstall utility.

	For more information on how to do this, see:
		http://www.netbsd.org/Documentation/current/

* NetBSD 3.*:

	Systems running NetBSD 3.* sources dated from before
	2006-06-14 should be upgraded from NetBSD 3.* sources dated
	2006-06-15 or later.

	The following files need to be updated from the
	netbsd-3 or netbsd-3-0 CVS branch:
		gnu/dist/sendmail/sendmail/deliver.c
		gnu/dist/sendmail/sendmail/mime.c
		gnu/dist/sendmail/sendmail/sendmail.h
		gnu/dist/sendmail/sendmail/version.c

	To update from CVS, re-build, and re-install sendmail:

		# cd src
		# cvs update -d -P -r <branch_name> gnu/dist/sendmail
		# cd gnu/usr.sbin/sendmail
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 2.*:

	Systems running NetBSD 2.* sources dated from before
	2006-06-14 should be upgraded from NetBSD 2.* sources dated
	2006-06-15 or later.

	The following files need to be updated from the
	netbsd-2, netbsd-2-0 or netbsd-2-1 CVS branch:
		gnu/dist/sendmail/sendmail/deliver.c
		gnu/dist/sendmail/sendmail/mime.c
		gnu/dist/sendmail/sendmail/sendmail.h
		gnu/dist/sendmail/sendmail/version.c

	To update from CVS, re-build, and re-install sendmail:

		# cd src
		# cvs update -d -P -r <branch_name> gnu/dist/sendmail
		# cd gnu/usr.sbin/sendmail
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install



Thanks To
=========

CERT for notification and co-ordination of the issue.
Sendmail Consortium for supplying the patches to address the issue.
Frank Sheiness for finding the problem.

Revision History
================

	2006-06-14	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-017.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2006, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2006-017.txt,v 1.6 2006/06/14 19:50:37 adrianp Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (NetBSD)

iQCVAwUBRJBpFD5Ru2/4N2IFAQIsNwP9EOHPpOXKmZ2B9XVRyD1cX2Qhls4M+BNN
4mgYMe8RGw0VkGGcR2J/mtxeHljIR5/Jkf5bTSVZ6pV+rsQolhGMFC0FZz/aUUjw
/8iJF7dCkzcPkPl45AsDpkWRWzKpoOlkogILr2LDfQjSpzunhJ4oW7uweRxrUgiS
Hp2/GOEUkh4=
=dzQY
-----END PGP SIGNATURE-----


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC