Fwd: [NATIONAL-ALERTS] (AUSCERT AL-2006.0048) [UNIX/Linux][Win] - Sendmail fails to handle malformed multipart MIME messages
Sourced from AusCERT.
andrew
---------- Forwarded message ----------
From: auscert@auscert.org.au <auscert@auscert.org.au>
Date: Wed, 14 Jun 2006 23:49:01 UT
Subject: [NATIONAL-ALERTS] (AUSCERT AL-2006.0048) [UNIX/Linux][Win] - Sendmail fails to handle malformed multipart MIME messages
To: national-alerts@auscert.org.au
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2006.0048 -- AUSCERT ALERT
[UNIX/Linux][Win]
Sendmail fails to handle malformed multipart MIME messages
15 June 2006
===========================================================================
AusCERT Alert Summary
---------------------
Product: Sendmail 8.13.6 and prior
Publisher: US-CERT
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact: Denial of Service
Access: Remote/Unauthenticated
CVE Names: CVE-2006-1173
Original Bulletin: http://www.kb.cert.org/vuls/id/146718
http://www.sendmail.org/releases/8.13.7.html
- --------------------------BEGIN INCLUDED TEXT--------------------
US-CERT Vulnerability Note VU#146718
Sendmail fails to handle malformed multipart MIME messages
Overview
Sendmail does not properly handle malformed multipart MIME messages.
This vulnerability may allow a remote, unauthenticated attacker to
cause a denial-of-service condition.
I. Description
Sendmail
Sendmail is a widely used mail transfer agent (MTA).
Mail Transfer Agents (MTA)
MTAs are responsible for sending and receiving email messages over the
internet. They are also referred to as mail servers or SMTP servers.
The Problem
Sendmail fails to properly handle malformed multipart MIME messages.
This vulnerability may be triggered by sending a specially crafted
message to a vulnerable Sendmail MTA.
II. Impact
This vulnerability will not cause the Sendmail server process to
terminate. However, it may cause Sendmail to consume a large
amount of system resources. Specifically, if a system writes uniquely
named core dump files, this vulnerability may cause available disk
space to be filled with core dumps leading to a disruption of system
operation resulting in a denial-of-service condition.
Additionally, this vulnerability may cause queue runs to abort
preventing the processing and delivery of queued messages.
III. Solution
Upgrade Sendmail
This issue is corrected in Sendmail version 8.13.7.
The following workarounds were provided by Sendmail:
Limit message size
Limiting the maximum message size accepted by your server (via the
sendmail MaxMessageSize option) will mitigate this vulnerability.
Remove stack size limit
If your operating system limits stack size, remove that limit. This
will make the attack more difficult to accomplish, as it will require
a very large message. Also, by limiting the maximum message size
accepted by your server (via the sendmail MaxMessageSize option), you
can eliminate the attack completely.
Configure your MTA to avoid the negative impacts listed above:
* Disable core dumps.
* Enable the ForkEachJob option at the cost of lower queue
run performance and potentially a high number of processes.
* Set QueueSortOrder to random, which will randomize the order
jobs are processed. Note that with random queue sorting, the
bad message will still be processed and the queue run aborted
every time, but at a different, random spot.
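The three workarounds above are sendmail.cf options; the following audit script is an added example (not part of the advisory and not Sendmail's own tooling) that checks a sendmail.cf for each of them and reports which are missing. The option names (MaxMessageSize, ForkEachJob, QueueSortOrder) are the real sendmail.cf "O" options; the two sample configuration fragments are constructed for the demonstration and are not complete configurations.

```shell
#!/bin/sh
# Added example: audit a sendmail.cf for the configuration workarounds listed
# in VU#146718. Option names are real sendmail.cf "O" options; the sample
# fragments below are constructed and not complete configurations.

# Constructed sample: settings as a default install might leave them
# (MaxMessageSize=0 means no limit; one queue-runner process handles every
# job, in priority order).
weak_cf() {
    cat <<'EOF'
O QueueDirectory=/var/spool/mqueue
O MaxMessageSize=0
O ForkEachJob=False
O QueueSortOrder=priority
EOF
}

# Constructed sample: the same fragment with the advisory's workarounds applied.
hardened_cf() {
    cat <<'EOF'
O QueueDirectory=/var/spool/mqueue
O MaxMessageSize=10485760
O ForkEachJob=True
O QueueSortOrder=random
EOF
}

# audit_sendmail_cf FILE
# Prints one line per missing workaround; returns 0 only when all three are set.
audit_sendmail_cf() {
    cf="$1"
    missing=0

    # A finite MaxMessageSize is the workaround the advisory says removes the
    # attack entirely; 0 or an absent option means "no limit".
    size=$(sed -n 's/^O MaxMessageSize=\([0-9][0-9]*\).*/\1/p' "$cf" | tail -n 1)
    if [ -z "$size" ] || [ "$size" -eq 0 ]; then
        echo "MaxMessageSize: unset or 0 (unlimited); set a finite limit in bytes"
        missing=$((missing + 1))
    fi

    # ForkEachJob=True confines an abort to the job that triggered it, so the
    # rest of the queue run survives. Accept "True" or the abbreviation "T".
    if ! grep -qi '^O ForkEachJob=T' "$cf"; then
        echo "ForkEachJob: not True; one bad message aborts the whole queue run"
        missing=$((missing + 1))
    fi

    # QueueSortOrder=random moves the abort to a different point each run, so
    # other queued jobs still get their turn. Accept "random" or "r".
    if ! grep -qi '^O QueueSortOrder=r' "$cf"; then
        echo "QueueSortOrder: not random; the same jobs are skipped every run"
        missing=$((missing + 1))
    fi

    [ "$missing" -eq 0 ]
}

# Stand-alone run: write both samples to temporary files and audit each.
w=$(mktemp) && h=$(mktemp)
weak_cf > "$w"
hardened_cf > "$h"
echo "== weak sample =="
audit_sendmail_cf "$w" || true
echo "== hardened sample =="
audit_sendmail_cf "$h" && echo "all three workarounds present"
rm -f "$w" "$h"
```

The remaining two items in the advisory, disabling core dumps and removing the stack size limit, are process resource limits rather than sendmail.cf options: they belong in the environment that starts the daemon (`ulimit -c 0` and `ulimit -s unlimited` in a POSIX shell), so the script above does not check them.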
Systems Affected
Vendor | Status | Date Updated
3com, Inc. | Unknown | 9-May-2006
Alcatel | Unknown | 9-May-2006
Apple Computer, Inc. | Unknown | 9-May-2006
AT&T | Unknown | 9-May-2006
Avaya, Inc. | Unknown | 9-May-2006
Avici Systems, Inc. | Unknown | 9-May-2006
Borderware Technologies | Not Vulnerable | 25-May-2006
B.U.G., Inc | Not Vulnerable | 13-Jun-2006
Century Systems Inc. | Not Vulnerable | 13-Jun-2006
Charlotte's Web Networks | Unknown | 9-May-2006
Check Point Software Technologies | Unknown | 9-May-2006
Chiaro Networks, Inc. | Unknown | 9-May-2006
Cisco Systems, Inc. | Unknown | 9-May-2006
Computer Associates | Unknown | 9-May-2006
Conectiva Inc. | Unknown | 9-May-2006
Cray Inc. | Unknown | 9-May-2006
D-Link Systems, Inc. | Unknown | 9-May-2006
Data Connection, Ltd. | Unknown | 9-May-2006
Debian GNU/Linux | Unknown | 9-May-2006
DragonFly BSD Project | Unknown | 9-May-2006
EMC, Inc. (formerly Data General Corporation) | Unknown | 9-May-2006
Engarde Secure Linux | Unknown | 9-May-2006
Ericsson | Unknown | 9-May-2006
eSoft, Inc. | Unknown | 9-May-2006
Extreme Networks | Unknown | 9-May-2006
F5 Networks, Inc. | Not Vulnerable | 15-May-2006
Fedora Project | Unknown | 9-May-2006
Force10 Networks, Inc. | Unknown | 9-May-2006
Fortinet, Inc. | Unknown | 9-May-2006
Foundry Networks, Inc. | Not Vulnerable | 14-Jun-2006
FreeBSD, Inc. | Vulnerable | 14-Jun-2006
Fujitsu | Unknown | 9-May-2006
Fujitsu | Not Vulnerable | 13-Jun-2006
Gentoo Linux | Unknown | 9-May-2006
Global Technology Associates | Unknown | 9-May-2006
GNU netfilter | Unknown | 9-May-2006
Hewlett-Packard Company | Unknown | 9-May-2006
Hitachi | Not Vulnerable | 14-Jun-2006
Hyperchip | Unknown | 9-May-2006
IBM Corporation | Vulnerable | 14-Jun-2006
IBM Corporation (zseries) | Unknown | 9-May-2006
IBM eServer | Unknown | 10-May-2006
Immunix Communications, Inc. | Unknown | 9-May-2006
Ingrian Networks, Inc. | Unknown | 9-May-2006
Intel Corporation | Unknown | 9-May-2006
Internet Initiative Japan | Not Vulnerable | 13-Jun-2006
Internet Security Systems, Inc. | Unknown | 9-May-2006
Intoto | Not Vulnerable | 10-May-2006
IP Filter | Unknown | 9-May-2006
Juniper Networks, Inc. | Unknown | 9-May-2006
Justsystem Corporation | Not Vulnerable | 13-Jun-2006
Linksys (A division of Cisco Systems) | Unknown | 9-May-2006
Lotus Software | Not Vulnerable | 10-May-2006
Lucent Technologies | Unknown | 9-May-2006
Luminous Networks | Unknown | 9-May-2006
Mandriva, Inc. | Unknown | 9-May-2006
Microsoft Corporation | Unknown | 9-May-2006
Mirapoint, Inc. | Unknown | 9-May-2006
MontaVista Software, Inc. | Unknown | 9-May-2006
Multinet (owned Process Software Corporation) | Unknown | 9-May-2006
Multitech, Inc. | Unknown | 9-May-2006
NEC Corporation | Vulnerable | 14-Jun-2006
NetBSD | Unknown | 9-May-2006
Network Appliance, Inc. | Not Vulnerable | 12-May-2006
NextHop Technologies, Inc. | Unknown | 9-May-2006
Nokia | Unknown | 9-May-2006
Nortel Networks, Inc. | Unknown | 9-May-2006
Novell, Inc. | Unknown | 9-May-2006
OpenBSD | Unknown | 7-Jun-2006
Openwall GNU/*/Linux | Not Vulnerable | 10-May-2006
Oracle Corporation | Not Vulnerable | 16-May-2006
QNX, Software Systems, Inc. | Unknown | 9-May-2006
Red Hat, Inc. | Vulnerable | 14-Jun-2006
Redback Networks, Inc. | Not Vulnerable | 9-Jun-2006
Riverstone Networks, Inc. | Unknown | 9-May-2006
Secure Computing Network Security Division | Unknown | 9-May-2006
Secureworx, Inc. | Unknown | 31-May-2006
Sendmail Consortium | Vulnerable | 14-Jun-2006
Sendmail, Inc. | Vulnerable | 14-Jun-2006
Silicon Graphics, Inc. | Unknown | 9-May-2006
Slackware Linux Inc. | Unknown | 9-May-2006
Sony Corporation | Unknown | 9-May-2006
Stonesoft | Unknown | 12-May-2006
Sun Microsystems, Inc. | Vulnerable | 14-Jun-2006
SUSE Linux | Unknown | 9-May-2006
Symantec, Inc. | Unknown | 9-May-2006
Syntegra | Not Vulnerable | 14-Jun-2006
The SCO Group | Unknown | 14-Jun-2006
The SCO Group (SCO Unix) | Unknown | 27-May-2006
Trustix Secure Linux | Unknown | 9-May-2006
Turbolinux | Unknown | 9-May-2006
Ubuntu | Unknown | 10-May-2006
Unisys | Unknown | 9-May-2006
Watchguard Technologies, Inc. | Unknown | 9-May-2006
Wind River Systems, Inc. | Unknown | 9-May-2006
Yamaha Corporation | Not Vulnerable | 13-Jun-2006
Yokogawa Electric Corporation | Not Vulnerable | 13-Jun-2006
ZyXEL | Unknown | 9-May-2006
References
http://www.sendmail.com/security/advisories/SA-200605-01.txt.asc
http://www.sendmail.org/releases/8.13.7.html
http://www.sendmail.org/releases/8.13.7.html#RS
http://secunia.com/advisories/20473/
Credit
This vulnerability was reported by Sendmail.
This document was written by Jeff Gennari based on information
from Sendmail.
Other Information
Date Public: 06/14/2006
Date First Published: 06/14/2006 12:04:19 PM
Date Last Updated: 06/14/2006
CERT Advisory:
CVE Name: CVE-2006-1173
Metric: 13.51
Document Revision: 28
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRJCgOyh9+71yA2DNAQLDvgQAmAxq5426RM/7xMgzYW0CxWhycyeIUqBy
nvhfB/y2EZ4amwuiuxrkkptD8IdKntEku3VvKB8aEJNkk0KtTZ+BaU7w02CQPlO6
P4Plf6ImP11cbV5stRAtl5F9uDEtrQ4Sq4o1i32g+fFWBcE2TrgIOgRhPq7E6m13
Fw9z2NJiL8E=
=yvGF
-----END PGP SIGNATURE-----
AusCERT is the national computer emergency response team for Australia. We
monitor various sources around the globe and provide reliable and independent
information about serious computer network threats and vulnerabilities.
AusCERT, which is a not-for-profit organisation, operates a cost-recovery
service for its members and a smaller free security bulletin service to
subscribers of the National Alerts Service.
In the interests of protecting your information systems and keeping up to date
with relevant information to protect your information systems, you should be
aware that not all security bulletins published or distributed by AusCERT are
included in the National Alert Service. AusCERT may publish and distribute
bulletins to its members which contain information about serious computer
network threats and vulnerabilities that could affect your information
systems. Many of these security bulletins are publicly accessible from our web
site.
AusCERT maintains the mailing list for access to National Alerts Service
security bulletins. If you are subscribed to the National Alerts Service and
wish to cancel your subscription to this service, please follow the
instructions at:
http://www.auscert.org.au/msubmit.html?it=3058
Previous security bulletins published or distributed as part of the National
Alerts Service can be retrieved from:
http://national.auscert.org.au/render.html?cid=2998
Previous security bulletins published or distributed by AusCERT can be
retrieved from:
http://www.auscert.org.au/render.html?cid=1
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://national.auscert.org.au/render.html?it=3192
--
Andrew Donnellan
http://andrewdonnellan.com
http://ajdlinux.blogspot.com
Jabber - ajdlinux@jabber.org.au
GPG - hkp://subkeys.pgp.net 0x5D4C0C58
-------------------------------
Member of Linux Australia - http://linux.org.au
Debian user - http://debian.org
Get free rewards - http://ezyrewards.com/?id=23484
OpenNIC user - http://www.opennic.unrated.net