
AL-2006.0048 -- [UNIX/Linux][Win] -- Sendmail fails to handle malformed multipart MIME messages

Date: 15 June 2006
References: ESB-2006.0410  ESB-2006.0412  ESB-2006.0413  ESB-2006.0414  ESB-2006.0419  ESB-2006.0828  ESB-2006.0424  ESB-2006.0547  ESB-2006.0606  ESB-2006.0828  


A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2006.0048 -- AUSCERT ALERT
        Sendmail fails to handle malformed multipart MIME messages
                               15 June 2006


        AusCERT Alert Summary

Product:              Sendmail 8.13.6 and prior
Publisher:            US-CERT
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact:               Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2006-1173

Original Bulletin:

--------------------------BEGIN INCLUDED TEXT--------------------

US-CERT Vulnerability Note VU#146718
Sendmail fails to handle malformed multipart MIME messages


	Sendmail does not properly handle malformed multipart MIME messages.
	This vulnerability may allow a remote, unauthenticated attacker to
	cause a denial-of-service condition.

I. Description

	Sendmail is a widely used mail transfer agent (MTA).

	Mail Transfer Agents (MTA)

	MTAs are responsible for sending and receiving email messages over the
	internet. They are also referred to as mail servers or SMTP servers.

	The Problem

	Sendmail fails to properly handle malformed multipart MIME messages.
	This vulnerability may be triggered by sending a specially crafted
	message to a vulnerable Sendmail MTA.

II. Impact

	This vulnerability will not cause the Sendmail server process to
	terminate. However, it may cause Sendmail to consume a large
	amount of system resources. Specifically, if a system writes uniquely
	named core dump files, this vulnerability may cause available disk
	space to be filled with core dumps leading to a disruption of system
	operation resulting in a denial-of-service condition.

	Additionally, this vulnerability may cause queue runs to abort
	preventing the processing and delivery of queued messages.

III. Solution

	Upgrade Sendmail

	This issue is corrected in Sendmail version 8.13.7.

	The following workarounds were provided by Sendmail:

	Limit message size

	Limiting the maximum message size accepted by your server (via the
	sendmail MaxMessageSize option) will mitigate this vulnerability.

	Remove stack size limit

	If your operating system limits stack size, remove that limit. This
	will make the attack more difficult to accomplish, as it will require
	a very large message. Also, by limiting the maximum message size
	accepted by your server (via the sendmail MaxMessageSize option), you
	can eliminate the attack completely.

	Configure your MTA to avoid the negative impacts listed above:

		* Disable core dumps.
		* Enable the ForkEachJob option at the cost of lower queue
		  run performance and potentially a high number of processes.
		* Set QueueSortOrder to random, which will randomize the order
		  jobs are processed. Note that with random queue sorting, the
		  bad message will still be processed and the queue run aborted
		  every time, but at a different, random spot.
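
The workarounds above are all visible in sendmail.cf, apart from disabling core dumps, which is an OS-level setting. The following audit script is an added example for this alert, not code from US-CERT, AusCERT or the Sendmail project. It reads the standard sendmail.cf option syntax (`O Name=value`), compares the running version against the fixed release named above (8.13.7), and reports which of the listed workarounds are still missing. The sendmail.cf fragment and the version string it runs on are constructed for the demonstration, and the ceiling used to decide whether MaxMessageSize is a "meaningful" limit is a local policy assumption, not a value from the advisory.

```python
"""Audit a sendmail.cf for the CVE-2006-1173 workarounds listed in VU#146718.

Added example for this alert; not code from US-CERT, AusCERT or Sendmail.
Core-dump disabling happens at the OS level (for example 'ulimit -c 0' in the
MTA's start-up script), so it cannot be seen in the .cf and is reported as a
manual check.
"""
import re

FIXED_VERSION = (8, 13, 7)            # first release with the fix, per the advisory

# Largest MaxMessageSize we treat as a real limit. Local policy assumption,
# not a figure from the advisory. Sendmail's default of 0 means "unlimited".
REASONABLE_MAX_SIZE = 50 * 1024 * 1024

# sendmail.cf option lines look like: O MaxMessageSize=10000000
OPTION_RE = re.compile(r"^O\s+(\w+)\s*=\s*(.*?)\s*$")


def parse_options(cf_text):
    """Return {option_name: value} from 'O Name=value' lines. Comments and the
    other sendmail.cf sections (rulesets, mailers, classes) are ignored."""
    opts = {}
    for line in cf_text.splitlines():
        if line.startswith("#"):
            continue
        m = OPTION_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def parse_version(version_line):
    """Extract (major, minor, patch) from text such as 'Version 8.13.6'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_line)
    if not m:
        raise ValueError("no dotted version found in %r" % version_line)
    return tuple(int(x) for x in m.groups())


def version_is_fixed(version_line):
    """True when the running version is 8.13.7 or later."""
    return parse_version(version_line) >= FIXED_VERSION


def audit(cf_text, version_line):
    """Evaluate the advisory's workarounds against a .cf and a version string."""
    opts = parse_options(cf_text)
    findings = {"patched": version_is_fixed(version_line)}

    size = opts.get("MaxMessageSize")
    findings["max_message_size"] = int(size) if size and size.isdigit() else None
    findings["message_size_limited"] = (
        findings["max_message_size"] is not None
        and 0 < findings["max_message_size"] <= REASONABLE_MAX_SIZE
    )
    findings["fork_each_job"] = opts.get("ForkEachJob", "").lower() in ("true", "t", "yes")
    findings["queue_sort_random"] = opts.get("QueueSortOrder", "").lower() == "random"

    missing = []
    if not findings["patched"]:
        missing.append("upgrade to 8.13.7 or later")
        if not findings["message_size_limited"]:
            missing.append("set MaxMessageSize")
        if not findings["fork_each_job"]:
            missing.append("consider ForkEachJob=True")
        if not findings["queue_sort_random"]:
            missing.append("consider QueueSortOrder=random")
        missing.append("verify core dumps are disabled for sendmail (ulimit -c 0)")
    findings["missing"] = missing
    return findings


# Constructed sendmail.cf fragment for the demonstration.
SAMPLE_CF = """\
# constructed sendmail.cf fragment
O QueueDirectory=/var/spool/mqueue
O MaxMessageSize=10000000
O ForkEachJob=False
O QueueSortOrder=priority
"""
# Constructed version string; 8.13.6 is the last affected release.
SAMPLE_VERSION = "Version 8.13.6"

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CF, SAMPLE_VERSION).items():
        print("%-22s %s" % (key, value))
```

On a real host, feed `audit()` the contents of the live sendmail.cf and the version line printed by the installed binary; once the host runs 8.13.7 or later the `missing` list is empty, since the workarounds are only needed on unpatched versions.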

Systems Affected

	Vendor	Status	Date Updated
	3com, Inc.	Unknown	9-May-2006
	Alcatel	Unknown	9-May-2006
	Apple Computer, Inc.	Unknown	9-May-2006
	AT&T	Unknown	9-May-2006
	Avaya, Inc.	Unknown	9-May-2006
	Avici Systems, Inc.	Unknown	9-May-2006
	Borderware Technologies	Not Vulnerable	25-May-2006
	B.U.G., Inc	Not Vulnerable	13-Jun-2006
	Century Systems Inc.	Not Vulnerable	13-Jun-2006
	Charlotte's Web Networks	Unknown	9-May-2006
	Check Point Software Technologies	Unknown	9-May-2006
	Chiaro Networks, Inc.	Unknown	9-May-2006
	Cisco Systems, Inc.	Unknown	9-May-2006
	Computer Associates	Unknown	9-May-2006
	Conectiva Inc.	Unknown	9-May-2006
	Cray Inc.	Unknown	9-May-2006
	D-Link Systems, Inc.	Unknown	9-May-2006
	Data Connection, Ltd.	Unknown	9-May-2006
	Debian GNU/Linux	Unknown	9-May-2006
	DragonFly BSD Project	Unknown	9-May-2006
	EMC, Inc. (formerly Data General Corporation)	Unknown	9-May-2006
	Engarde Secure Linux	Unknown	9-May-2006
	Ericsson	Unknown	9-May-2006
	eSoft, Inc.	Unknown	9-May-2006
	Extreme Networks	Unknown	9-May-2006
	F5 Networks, Inc.	Not Vulnerable	15-May-2006
	Fedora Project	Unknown	9-May-2006
	Force10 Networks, Inc.	Unknown	9-May-2006
	Fortinet, Inc.	Unknown	9-May-2006
	Foundry Networks, Inc.	Not Vulnerable	14-Jun-2006
	FreeBSD, Inc.	Vulnerable	14-Jun-2006
	Fujitsu	Unknown	9-May-2006
	Fujitsu	Not Vulnerable	13-Jun-2006
	Gentoo Linux	Unknown	9-May-2006
	Global Technology Associates	Unknown	9-May-2006
	GNU netfilter	Unknown	9-May-2006
	Hewlett-Packard Company	Unknown	9-May-2006
	Hitachi	Not Vulnerable	14-Jun-2006
	Hyperchip	Unknown	9-May-2006
	IBM Corporation	Vulnerable	14-Jun-2006
	IBM Corporation (zseries)	Unknown	9-May-2006
	IBM eServer	Unknown	10-May-2006
	Immunix Communications, Inc.	Unknown	9-May-2006
	Ingrian Networks, Inc.	Unknown	9-May-2006
	Intel Corporation	Unknown	9-May-2006
	Internet Initiative Japan	Not Vulnerable	13-Jun-2006
	Internet Security Systems, Inc.	Unknown	9-May-2006
	Intoto	Not Vulnerable	10-May-2006
	IP Filter	Unknown	9-May-2006
	Juniper Networks, Inc.	Unknown	9-May-2006
	Justsystem Corporation	Not Vulnerable	13-Jun-2006
	Linksys (A division of Cisco Systems)	Unknown	9-May-2006
	Lotus Software	Not Vulnerable	10-May-2006
	Lucent Technologies	Unknown	9-May-2006
	Luminous Networks	Unknown	9-May-2006
	Mandriva, Inc.	Unknown	9-May-2006
	Microsoft Corporation	Unknown	9-May-2006
	Mirapoint, Inc.	Unknown	9-May-2006
	MontaVista Software, Inc.	Unknown	9-May-2006
	Multinet (owned Process Software Corporation)	Unknown	9-May-2006
	Multitech, Inc.	Unknown	9-May-2006
	NEC Corporation	Vulnerable	14-Jun-2006
	NetBSD	Unknown	9-May-2006
	Network Appliance, Inc.	Not Vulnerable	12-May-2006
	NextHop Technologies, Inc.	Unknown	9-May-2006
	Nokia	Unknown	9-May-2006
	Nortel Networks, Inc.	Unknown	9-May-2006
	Novell, Inc.	Unknown	9-May-2006
	OpenBSD	Unknown	7-Jun-2006
	Openwall GNU/*/Linux	Not Vulnerable	10-May-2006
	Oracle Corporation	Not Vulnerable	16-May-2006
	QNX, Software Systems, Inc.	Unknown	9-May-2006
	Red Hat, Inc.	Vulnerable	14-Jun-2006
	Redback Networks, Inc.	Not Vulnerable	9-Jun-2006
	Riverstone Networks, Inc.	Unknown	9-May-2006
	Secure Computing Network Security Division	Unknown	9-May-2006
	Secureworx, Inc.	Unknown	31-May-2006
	Sendmail Consortium	Vulnerable	14-Jun-2006
	Sendmail, Inc.	Vulnerable	14-Jun-2006
	Silicon Graphics, Inc.	Unknown	9-May-2006
	Slackware Linux Inc.	Unknown	9-May-2006
	Sony Corporation	Unknown	9-May-2006
	Stonesoft	Unknown	12-May-2006
	Sun Microsystems, Inc.	Vulnerable	14-Jun-2006
	SUSE Linux	Unknown	9-May-2006
	Symantec, Inc.	Unknown	9-May-2006
	Syntegra	Not Vulnerable	14-Jun-2006
	The SCO Group	Unknown	14-Jun-2006
	The SCO Group (SCO Unix)	Unknown	27-May-2006
	Trustix Secure Linux	Unknown	9-May-2006
	Turbolinux	Unknown	9-May-2006
	Ubuntu	Unknown	10-May-2006
	Unisys	Unknown	9-May-2006
	Watchguard Technologies, Inc.	Unknown	9-May-2006
	Wind River Systems, Inc.	Unknown	9-May-2006
	Yamaha Corporation	Not Vulnerable	13-Jun-2006
	Yokogawa Electric Corporation	Not Vulnerable	13-Jun-2006
	ZyXEL	Unknown	9-May-2006



	This vulnerability was reported by Sendmail.

	This document was written by Jeff Gennari based on information
	from Sendmail.

	Other Information

	Date Public             06/14/2006
	Date First Published    06/14/2006 12:04:19 PM
	Date Last Updated       06/14/2006
	CERT Advisory
	CVE Name                CVE-2006-1173
	Metric                  13.51
	Document Revision       28

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.