clamav-milter Lets Remote Users Deny Service
SecurityTracker Alert ID: 1014284
SecurityTracker URL: http://securitytracker.com/id/1014284
Updated: Jul 18 2005
Original Entry Date: Jun 24 2005
Denial of service via network
Fix Available: Yes  Vendor Confirmed: Yes
Version(s): prior to 0.86; (clamav-milter 0.84 through 0.85d)
A vulnerability was reported in ClamAV in the use of the Sendmail mail filter function. A remote user may be able to cause denial of service conditions.
When the ClamAV Sendmail plugin (clamav-milter) is waiting to apply an application data update, it rejects new connections while waiting for existing sendmail connections to terminate. A remote user can initiate a connection to sendmail prior to the clamav-milter update and keep the connection open for a long period of time (e.g., several hours). Because of the long default timeouts in sendmail, this can cause a denial of service situation, preventing additional mail from being scanned by the mail filter. If sendmail is configured to scan all e-mail, then this may prevent additional mail from being accepted by the target system.
Other mail filters (milters) that must wait or force a quiescent state to reload data files may also be affected.
The vendor was notified on May 25, 2005.
Damian Menscher reported this vulnerability.
A remote user can prevent additional mail from being scanned by the milter.
A remote user may be able to prevent additional mail from being accepted by the target mail service.
A fix is included in ClamAV version 0.86, available at:
Vendor URL: clamav.net/
Configuration error, State error
Underlying OS: Linux (Any), UNIX (Any)
Source Message Contents
Subject: long sendmail timeouts let attacker prevent milter quiesce
An attacker that can predict when a milter will need to quiesce input
to allow for a reload may hold open an SMTP session for several hours.
This will lead to a DoS condition on the mailserver.
Sendmail is a popular Mail Transfer Agent (MTA), used in many large
sites that require advanced functionality. One feature is that it is
extensible through the use of the milter (Mail fILTER) interface. The
milter paradigm allows external programs to influence the SMTP session,
including rejecting messages based on content.
ClamAV is an open-source antivirus program. Unlike commercial solutions,
ClamAV takes advantage of community support to acquire virus samples,
and therefore can provide signatures for new threats very quickly. In
a typical installation, checks for database updates occur every 15
minutes, making uncaught viruses extremely rare. ClamAV comes with a
sendmail plugin, clamav-milter, that allows administrators to reject
viruses during the SMTP session.
Some milters require a periodic reload of application data. A simple
strategy is to quiesce input (by rejecting connections and waiting for
current connections to terminate). Once the connection count drops to
zero the reload can take place. Unfortunately, the long default
timeouts in sendmail allow a slow sender to keep an SMTP session open
for several hours. If the milter is rejecting new connections during
this time, the milter on the mailserver is effectively DoSed.
Furthermore, if sendmail is configured to require all messages to be
scanned by the milter, the DoS may extend to include all mail delivery.
As an example, clamav-milter versions 0.84 through 0.85d force the
number of child threads to 0 before reloading the antivirus database.
When a database update has been made available, an attacker can
initiate an SMTP session with a vulnerable server, and simply keep
the connection open as long as possible (several hours). The milter
will be unable to reload, and (depending on configuration) sendmail
may be unable to accept incoming messages. It is therefore possible
for an attacker to DoS a mailserver with a single persistent
connection. This issue was fixed in clamav-milter 0.85e, which scans
new connections with the new database, and keeps the old database
until it is finished scanning pre-existing connections.
All users of clamav-milter are encouraged to upgrade to clamav-0.86.
Those who cannot upgrade soon can mitigate the threat through one or
more of the following strategies:
- reduce the sendmail timeouts (reduces timespan of potential DoS)
- run clamav-milter in --external mode (eliminates possibility of DoS)
- run clmilter_watch after freshclam (recovers from an existing DoS)
This threat is not particular to clamav-milter. Any milter that needs
to wait for (or force) a quiescent state to reload data files is likely
to be vulnerable to a similar attack.
Sources of above-mentioned software:
- Sendmail MTA : http://www.sendmail.org/
- Clam AntiVirus: http://www.clamav.net/
- clmilter_watch: http://www.itg.uiuc.edu/itg_software/clmilter_watch/
May 25, 2005: clamav-milter author informed of the details of the attack
May 27, 2005: Vulnerability eliminated in CVS (clamav-milter 0.85e)
Jun 14, 2005: Release candidate of patched version (ClamAV 0.86rc1)
Jun 20, 2005: Official release of patched version (ClamAV 0.86)
Jun 23, 2005: Public disclosure
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <firstname.lastname@example.org> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
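The two reload strategies contrasted in the advisory above (quiesce-and-wait in clamav-milter 0.84 through 0.85d versus swap-and-keep-old-database in 0.85e), as an added toy model written here for illustration; it is not clamav-milter's code, and the class, method names and "db-1"/"db-2" version labels are constructed for the example.

```python
import time

class MilterModel:
    """Toy single-threaded model, constructed here (not clamav-milter's code),
    of a milter that must reload its signature database during SMTP traffic."""

    def __init__(self, db_version):
        self.db_version = db_version
        self.active = 0          # open SMTP sessions
        self.quiescing = False   # set while the old strategy waits

    def open_connection(self):
        """Database version a new session scans with, or None if refused."""
        if self.quiescing:
            return None
        self.active += 1
        return self.db_version

    def close_connection(self):
        self.active -= 1

    def reload_by_quiesce(self, new_version, max_wait):
        """0.84-0.85d style: refuse new sessions and wait for active == 0.
        Reports failure after max_wait seconds but stays stuck, as the real
        milter did for as long as sendmail kept the slow session alive."""
        self.quiescing = True
        deadline = time.monotonic() + max_wait
        while time.monotonic() < deadline:
            if self.active == 0:
                self.db_version, self.quiescing = new_version, False
                return True
            time.sleep(0.01)
        return False

    def reload_by_swap(self, new_version):
        """0.85e style: swap at once; open sessions keep their old version."""
        self.db_version = new_version
        return True

def demo():
    old = MilterModel("db-1")
    old.open_connection()                            # session held open
    stuck = not old.reload_by_quiesce("db-2", max_wait=0.05)
    refused = old.open_connection() is None          # new mail unscanned
    new = MilterModel("db-1")
    held = new.open_connection()
    new.reload_by_swap("db-2")
    return {"old_stuck": stuck, "old_refuses": refused,
            "held_keeps": held, "new_gets": new.open_connection()}
```

With the quiesce strategy a single idle session blocks the reload and every later session is refused; with the swap strategy the held session keeps "db-1" while new sessions get "db-2" and nothing is refused.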