SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   Postfix
Vendors:   Postfix.org
(Vendor Issues Fix) Re: Postfix Mail Server Can Be Crashed By Remote Users Initiating Unsuccessful Sessions
SecurityTracker Alert ID:  1002758
SecurityTracker URL:  http://securitytracker.com/id/1002758
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 15 2001
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): Postfix version 20010228-pl05; other versions are apparently affected
Description:   A denial of service vulnerability was reported in the Postfix mailer. A remote user can cause the mail server to consume all available memory and crash.

It is reported that a remote user can cause the Postfix smtpd to consume all available memory by initiating a large number of unsuccessful sessions. This is apparently due to the lack of a resource limit on the dynamically allocated SMTP session log.
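
The failure mode described above, as an added example that is not Postfix source and not part of the vendor's patch: a per-session transcript grows with every logged line unless it is capped or reset. The names chat_log, max_lines and peak_lines, and the workload itself, are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical session transcript; names are not taken from Postfix. */
struct chat_log {
    char  **lines;
    size_t  count;
    size_t  max_lines;          /* 0 = no limit (the unbounded case) */
};

/* Record one line of the conversation. Returns 0 if stored, -1 if not. */
int chat_log_append(struct chat_log *log, const char *line)
{
    size_t len = strlen(line) + 1;
    char **grown, *copy;
    if (log->max_lines != 0 && log->count >= log->max_lines)
        return -1;              /* cap reached: stop allocating */
    grown = realloc(log->lines, (log->count + 1) * sizeof(*grown));
    if (grown == NULL)
        return -1;
    log->lines = grown;
    if ((copy = malloc(len)) == NULL)
        return -1;
    memcpy(copy, line, len);
    log->lines[log->count++] = copy;
    return 0;
}

/* Free the whole transcript, e.g. once a message has been handled. */
void chat_log_reset(struct chat_log *log)
{
    while (log->count > 0) free(log->lines[--log->count]);
    free(log->lines);
    log->lines = NULL;
}

/* Constructed workload: n logged error replies in one session.
 * Returns the largest number of lines held in memory at any time. */
size_t peak_lines(size_t n, size_t max_lines, size_t reset_every)
{
    struct chat_log log = { NULL, 0, max_lines };
    size_t i, peak = 0;
    for (i = 1; i <= n; i++) {
        chat_log_append(&log, "500 Error: bad syntax");
        if (log.count > peak) peak = log.count;
        if (reset_every != 0 && i % reset_every == 0) chat_log_reset(&log);
    }
    chat_log_reset(&log);
    return peak;
}
```

With no cap and no reset the peak equals the number of lines the client caused to be logged; either a cap or a periodic reset bounds it regardless of client behaviour.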

Impact:   A remote user can cause the mail server to consume all available memory and crash.
Solution:   The vendor has released a patch that applies to any Postfix release that was issued in the year 2001. Fully patched releases will be made available shortly at various sites, including:

ftp://ftp.porcupine.org/mirrors/postfix-release/index.html

Releases:

snapshot-20011114
postfix-20010228-pl07

The patch is provided in the Source Message.

Vendor URL:  www.postfix.org/
Cause:   Resource error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Nov 15 2001 Postfix Mail Server Can Be Crashed By Remote Users Initiating Unsuccessful Sessions



 Source Message Contents

Subject:  Postfix session log memory exhaustion bugfix


The Postfix SMTP server maintains a record of SMTP conversations
for debugging purposes. Depending on local configuration details
this record is mailed to the postmaster whenever an SMTP session
terminates with errors.

During code maintenance, a stupid error was introduced into the
code due to which the SMTP session log could grow to an unreasonable
size. This stupid error made Postfix vulnerable to a memory
exhaustion attack.

This error is all my own fault and I take full responsibility for
it.

A similarly stupid memory exhaustion vulnerability was found in
the qmail SMTP server more than four years ago. It was never fixed.

The patch below applies to any Postfix release that was issued in
the year 2001. Fully patched releases will be made available via
the usual web sites listed in www.postfix.org.

Primary site:

    ftp://ftp.porcupine.org/mirrors/postfix-release/index.html

Releases:

    snapshot-20011114

    postfix-20010228-pl07

Thank you for your attention.

	Wietse

*** ./smtpd.c-	Sun Oct 28 19:31:14 2001
--- ./smtpd.c	Wed Nov 14 22:21:46 2001
***************
*** 1060,1065 ****
--- 1060,1077 ----
      state->where = SMTPD_AFTER_DOT;
  
      /*
+      * Notify the postmaster if there were errors. This usually indicates a
+      * client configuration problem, or that someone is trying nasty things.
+      * Either is significant enough to bother the postmaster. XXX Can't
+      * report problems when running in stand-alone mode: postmaster notices
+      * require availability of the cleanup service.
+      */
+     if (state->history != 0 && state->client != VSTREAM_IN
+ 	&& (state->error_mask & state->notify_mask))
+ 	smtpd_chat_notify(state);
+     smtpd_chat_reset(state);
+ 
+     /*
       * Cleanup. The client may send another MAIL command.
       */
      mail_reset(state);
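
Review bot: smtpd_chat_reset(state) is reached only here, after state->where = SMTPD_AFTER_DOT, so within these lines the history is released once per completed message and nothing bounds it for a client that keeps producing log lines without ever reaching this point. If another path (session teardown, for example) is meant to cover that case, say so in the new comment; otherwise consider a fixed upper bound on the size of state->history in addition to this reset. The added comment also describes only the postmaster notification and not the unconditional reset that follows it, which is the line that matters for memory use.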

 
 

