Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2006.0414 -- [NetBSD] Sendmail malformed multipart MIME messages 15 June 2006 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Sendmail Publisher: NetBSD Operating System: NetBSD Impact: Denial of Service Access: Remote/Unauthenticated CVE Names: CVE-2006-1173 Ref: AL-2006.0048 Original Bulletin: ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-017.txt.asc - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2006-017 ================================= Topic: Sendmail malformed multipart MIME messages Version: NetBSD-current: source prior to May 30, 2006 NetBSD 3.0: affected NetBSD 2.1: affected NetBSD 2.0.*: affected NetBSD 2.0: affected pkgsrc: sendmail-8.13.6nb2 and earlier sendmail-8.12.11nb2 and earlier Severity: Denial of service Fixed: NetBSD-current: May 30, 2006 NetBSD-3-0 branch: June 14, 2006 (3.0.1 will include the fix) NetBSD-3 branch: June 14, 2006 NetBSD-2-1 branch: June 14, 2006 (2.1.1 will include the fix) NetBSD-2-0 branch: June 14, 2006 (2.0.4 will include the fix) NetBSD-2 branch: June 14, 2006 pkgsrc: sendmail-8.13.6nb3 corrects this issue sendmail-8.12.11nb3 corrects this issue Abstract ======== Sendmail is vulnerable to a denial of service condition in the handling of malformed multipart MIME messages. This may allow a remote attacker to launch a denial of service attack against the sendmail host. This vulnerability has been assigned CVE reference CVE-2006-1173. Technical Details ================= A denial of service condition is triggered when sendmail processes a malformed multipart MIME message. The message can cause the sendmail process to exhaust its available per-process stack space and abort. The sendmail server process is not impacted by the abnormal termination of the child process handling the malformed mail, and will continue to function. As such your MTA will continue processing mail. However, an attacker can still cause a number of issues by repeatedly triggering this vulnerability: - By sending multiple malformed MIME messages an attacker may be able to consume disk space with core dump files. - Any malformed MIME messages will remain in the sendmail queue and cause queue runs to abort. This may impact the delivery of other messages in the queue. Solutions and Workarounds ========================= On NetBSD 2.0 and later, sendmail by default is bound to localhost (127.0.0.0, ::1) only, and as such is not externally reachable. Only hosts on which sendmail has been configured for external mail reception are externally exploitable, although hosts running sendmail for local delivery can still be reached by local users. It is recommended that all users of affected versions update their sendmail to include the fix. The following instructions describe how to upgrade your sendmail binaries by updating your source tree and rebuilding and installing a new version of sendmail. * NetBSD-current: In response to this and previous issues, Sendmail was removed entirely from the NetBSD base system on 2006-05-30. The default MTA has been switched to Postfix. These changes will be included in NetBSD 4.0 and later releases, and will affect current users updating their systems and new snapshot installs built past this date. The decision to switch default MTA for 4.0 had already been taken after NetBSD-SA2006-010, however this most recent issue prompted the removal of sendmail prior to branching for the 4.0 release, in order to minimise the risk and maintenance burden for any future sendmail issues. Users of NetBSD-current will need to migrate their mail configurations, either to using postfix in the base system, or to a fixed sendmail (or one of several other MTAs) available via pkgsrc. The pkgsrc sendmail has more enabled and optional features than were or would ever be available in the base system sendmail, and it is likely that many sendmail sites were already using pkgsrc sendmail for this reason. As sendmail was removed from the base distribution before the fixes for this issue could be applied, it is recommended that users running NetBSD-current from before 2006-05-30 should perform a full release build and update their systems. These users should should ensure that the obsolete and vulnerable sendmail binaries are removed from their systems when updating, via the postinstall utility. For more information on how to do this, see: http://www.netbsd.org/Documentation/current/ * NetBSD 3.*: Systems running NetBSD 3.* sources dated from before 2006-06-14 should be upgraded from NetBSD 3.* sources dated 2006-06-15 or later. The following files need to be updated from the netbsd-3 or netbsd-3-0 CVS branch: gnu/dist/sendmail/sendmail/deliver.c gnu/dist/sendmail/sendmail/mime.c gnu/dist/sendmail/sendmail/sendmail.h gnu/dist/sendmail/sendmail/version.c To update from CVS, re-build, and re-install sendmail: # cd src # cvs update -d -P -r <branch_name> gnu/dist/sendmail # cd gnu/usr.sbin/sendmail # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 2.*: Systems running NetBSD 2.* sources dated from before 2006-06-14 should be upgraded from NetBSD 2.* sources dated 2006-06-15 or later. The following files need to be updated from the netbsd-2, netbsd-2-0 or netbsd-2-1 CVS branch: gnu/dist/sendmail/sendmail/deliver.c gnu/dist/sendmail/sendmail/mime.c gnu/dist/sendmail/sendmail/sendmail.h gnu/dist/sendmail/sendmail/version.c To update from CVS, re-build, and re-install sendmail: # cd src # cvs update -d -P -r <branch_name> gnu/dist/sendmail # cd gnu/usr.sbin/sendmail # make USETOOLS=no cleandir dependall # make USETOOLS=no install Thanks To ========= CERT for notification and co-ordination of the issue. Sendmail Consortium for supplying the patches to address the issue. Frank Sheiness for finding the problem. Revision History ================ 2006-06-14 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-017.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/. Copyright 2006, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2006-017.txt,v 1.6 2006/06/14 19:50:37 adrianp Exp $ - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (NetBSD) iQCVAwUBRJBpFD5Ru2/4N2IFAQIsNwP9EOHPpOXKmZ2B9XVRyD1cX2Qhls4M+BNN 4mgYMe8RGw0VkGGcR2J/mtxeHljIR5/Jkf5bTSVZ6pV+rsQolhGMFC0FZz/aUUjw /8iJF7dCkzcPkPl45AsDpkWRWzKpoOlkogILr2LDfQjSpzunhJ4oW7uweRxrUgiS Hp2/GOEUkh4= =dzQY - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBRJDC5yh9+71yA2DNAQKPZQP/ds5nRoE0ZhXdbPocOEBQ9/QVAgETnBii /ZVPZanYUBoR0EtlGkX4YBsnk17Vh6bsBBeSELO2HGwmD8m1wJcz0hQwkxwOY1eA XDkjPNRraeoancUUPdQCAafmqlTgr/E92J8lKtRBS7CgwaFc5/4KRAW+vhRH0BK3 4AuEoF5xD6I= =LE7s -----END PGP SIGNATURE-----