SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   Sendmail
Vendors:   Sendmail Consortium
(OpenBSD Issues Fix) Sendmail DNS Map Initialization Flaw May Let Remote Users Crash the System
SecurityTracker Alert ID:  1007573
SecurityTracker URL:  http://securitytracker.com/id/1007573
CVE Reference:   CVE-2003-0688
Date:  Aug 26 2003
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 8.12 - 8.12.8
Description:   A vulnerability was reported in certain versions of sendmail when using DNS maps in the sendmail configuration file. A remote user may be able to cause the mail service to crash or (in theory) execute arbitrary code.

Versions 8.12.x prior to version 8.12.9 are affected, but only when using DNS maps in the 'sendmail.cf' file.

It is reported that the dns_parse_reply() function improperly initializes RESOURCE_RECORD_T data structures. If sendmail receives a DNS reply where the reply size is not the reported size of the reply packet, the dns_free_data() function in the 'sm_resolve.c' file will attempt to free random memory addresses. This may cause sendmail to crash. The report indicates that this flaw may in theory allow a remote user to execute arbitrary code, but that is not confirmed in the report.

Oleg Bulyzhin is credited with reporting this flaw.

Impact:   A remote user may be able to return a DNS reply to sendmail that will cause the mail service to crash or (in theory) execute arbitrary code.
Solution:   The vendor reports that OpenBSD 3.2 shipped with sendmail 8.12.8 (the vulnerable version). OpenBSD 3.3 shipped with sendmail 8.12.9 which does not contain the flaw.

The vendor has released a fix in the OpenBSD 3.2-stable branch.

A patch for OpenBSD 3.2 is also available:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/016_sendmail.patch

The vendor notes that sendmail configurations that do not use the "enhdnsbl" feature are not affected. The default OpenBSD sendmail config does not use this feature, according to the vendor. The vendor advises that if you do not have a custom config that uses enhdnsbl, you do not need to apply the patch or update sendmail.

Vendor URL:  www.sendmail.org/dnsmap1.html
Cause:   Resource error, State error
Underlying OS:  UNIX (OpenBSD)
Underlying OS Comments:  3.2
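
To apply the vendor's guidance above, the following added example (not part of the advisory or of sendmail) checks a version string against the affected range and lists the maps of class `dns` declared in a configuration file. The function names and the sample configuration lines are constructed for illustration; the version string is assumed to be supplied by the operator.

```shell
#!/bin/sh
# Added example (not from the advisory): triage one host for CVE-2003-0688.

# Exit 0 if the version string falls in the affected range 8.12 - 8.12.8.
# A patched 8.12.8 (e.g. OpenBSD 3.2-stable) may still report 8.12.8, so a
# match means "check the patch level", not "confirmed vulnerable".
version_affected() {
    case "$1" in
        8.12) return 0 ;;
        8.12.[0-9]*) ;;
        *) return 1 ;;
    esac
    patch=${1#8.12.}
    patch=${patch%%[!0-9]*}          # strip any non-numeric suffix
    [ "$patch" -le 8 ]
}

# Print the names of maps declared with class "dns" in a sendmail.cf.
# Map declarations have the form: K<name> <class> [arguments]
cf_dns_maps() {
    awk '/^K/ && $2 == "dns" { print substr($1, 2) }' "$1"
}

# triage VERSION CF_FILE -> one-line verdict on stdout
triage() {
    maps=$(cf_dns_maps "$2" | tr '\n' ' ')
    if ! version_affected "$1"; then
        echo "version not in affected range"
    elif [ -z "$maps" ]; then
        echo "affected version, no DNS map configured"
    else
        echo "affected version with DNS map(s): ${maps% }"
    fi
}

# Constructed sample configuration fragments (not from a real host).
demo_dir=$(mktemp -d)
printf '%s\n' 'Kdequote dequote' 'Kaccess hash /etc/mail/access' \
    > "$demo_dir/default.cf"
printf '%s\n' 'Kdequote dequote' 'Kednsbl dns -R A -T<TMP>' \
    > "$demo_dir/custom.cf"

triage 8.12.8 "$demo_dir/default.cf"
triage 8.12.8 "$demo_dir/custom.cf"
triage 8.12.9 "$demo_dir/custom.cf"
```

Only the second case (affected version plus a `dns` map) matches the condition the advisory describes; the first corresponds to the default OpenBSD configuration the vendor says needs no patch.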

Message History:   This archive entry is a follow-up to the message listed below.
Aug 25 2003 Sendmail DNS Map Initialization Flaw May Let Remote Users Crash the System



 Source Message Contents

Subject:  Sendmail bug wrt DNS maps


There is a potential problem in the sendmail 8.12 series with respect
to DNS maps in sendmail 8.12.8 and earlier sendmail 8.12.x versions.
The bug did not exist in versions before 8.12 as the DNS map type
is new to 8.12.  The bug was fixed in 8.12.9, released March 29,
2003 but not labeled as a security fix as it wasn't believed to be
a security bug at the time.  Note that only FEATURE(`enhdnsbl')
uses a DNS map.  We do not have an assessment whether this problem
is exploitable but we want to inform you just in case you distribute
sendmail 8.12.x versions before 8.12.9.

OpenBSD 3.2 shipped with sendmail 8.12.8 and thus has the bug.
OpenBSD 3.3 shipped with sendmail 8.12.9 and does *not* have the bug.

The problem has been fixed in the OpenBSD 3.2-stable branch.
In addition, a patch is available for OpenBSD 3.2:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/016_sendmail.patch

Please note that this only affects sendmail configurations that use
the "enhdnsbl" feature.  The default OpenBSD sendmail config does
*not* use this.  Unless you have created a custom config that uses
enhdnsbl, you do not need to apply the patch or update sendmail.



 
 



Copyright 2021, SecurityGlobal.net LLC