6.8 - VU#727230

Executive Summary

Summary
Title	Postfix SMTP server Cyrus SASL support contains a memory corruption vulnerability

Informations
Name	VU#727230	First vendor Publication	2011-05-11
Vendor	VU-CERT	Last vendor Modification	2011-05-17
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score	6.8	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#727230

Postfix SMTP server Cyrus SASL support contains a memory corruption vulnerability

Overview

The Postfix SMTP server has a memory corruption error when the Cyrus SASL library is used with authentication mechanisms other than PLAIN and LOGIN.

I. Description

The Postfix Advisory for CVE-2011-1720 states:

"The Postfix SMTP server fails to create a new Cyrus SASL server handle after authentication failure. This causes memory corruption when, for example, a client requests CRAM-MD5 authentication, fails to authenticate, and then invokes some other authentication mechanism except PLAIN (or ANONYMOUS if available). The likely outcome is that the Postfix SMTP server process crashes with a segmentation violation error (SIGSEGV, a.k.a. signal 11)."
...
"The memory corruption is known to result in a program crash (SIGSEV). Remote code execution cannot be excluded. Such code would execute as the unprivileged "postfix" user. This user has no control over processes that run with non-postfix privileges including Postfix processes running as root; the impact may be reduced with configurations that enable the Postfix chroot feature or that use platform-dependent privilege-reducing features."

II. Impact

A remote attacker can cause a denial of service or possibly execute arbitrary code.

III. Solution

Apply an Update

This vulnerability has been fixed in Postfix stable versions 2.5.13, 2.6.10, 2.7.4, 2.8.3. Patches for Postfix version 1.1 and later can be obtained from the Postfix Download Site.

Workarounds

The following workaround is provided in the Postfix Advisory for CVE-2011-1720:

Disable Cyrus SASL authentication mechanisms for the Postfix SMTP server other than PLAIN and LOGIN. The mechanisms are specified in a Cyrus SASL smtpd.conf configuration file. This file may be found in /etc/postfix/sasl/, /var/lib/sasl2/, /etc/sasl2/, /usr/lib/sasl2/ or /usr/local/lib/sasl2/.

In this file, update the "mech_list:" entry and remove any methods other than PLAIN and LOGIN. For example, this configuration is not affected:

mech_list: PLAIN LOGIN

Execute the command "postfix reload" to make the change effective, then verify that the "port 25" and "port 587" services no longer announce other SASL mechanisms, as shown in the previous section.

Vendor Information

Vendor	Status	Date Notified	Date Updated
Apple Inc.	Unknown	2011-04-20	2011-04-20
CentOS	Unknown	2011-04-22	2011-04-22
Debian GNU/Linux	Affected	2011-04-20	2011-05-11
FreeBSD Project	Unknown	2011-04-20	2011-04-20
Gentoo Linux	Unknown	2011-04-20	2011-04-20
Mandriva S. A.	Affected	2011-04-20	2011-05-17
NetBSD	Unknown	2011-04-20	2011-04-20
OpenBSD	Unknown	2011-04-20	2011-04-20
Oracle Corporation	Unknown	2011-04-20	2011-04-20
Red Hat, Inc.	Affected	2011-04-20	2011-05-11
Slackware Linux Inc.	Unknown	2011-04-20	2011-04-20
SUSE Linux	Affected	2011-04-20	2011-05-11
Symantec	Unknown	2011-04-20	2011-04-20
Ubuntu	Affected	2011-04-20	2011-05-11

References

http://www.postfix.org/announcements/postfix-2.8.3.html
http://www.postfix.org/CVE-2011-1720.html
http://www.postfix.org/download.html

Credit

Thanks to Thomas Jarosch of Intra2net AG for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

Date Public:	2011-05-09
Date First Published:	2011-05-11
Date Last Updated:	2011-05-17
CERT Advisory:
CVE-ID(s):	CVE-2011-1720
NVD-ID(s):	CVE-2011-1720
US-CERT Technical Alerts:
Severity Metric:	1.87
Document Revision:	16

Original Source

Url : http://www.kb.cert.org/vuls/id/727230

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-119	Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:13019

Oval ID:	oval:org.mitre.oval:def:13019
Title:	DSA-2233-1 postfix -- several
Description:	Several vulnerabilities were discovered in Postfix, a mail transfer agent. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-2939 The postinst script grants the postfix user write access to /var/spool/postfix/pid, which might allow local users to conduct symlink attacks that overwrite arbitrary files. CVE-2011-0411 The STARTTLS implementation does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place. CVE-2011-1720 A heap-based read-only buffer overflow allows malicious clients to crash the smtpd server process using a crafted SASL authentication request.
Family:	unix	Class:	patch
Reference(s):	DSA-2233-1 CVE-2009-2939 CVE-2011-0411 CVE-2011-1720	Version:	5
Platform(s):	Debian GNU/Linux 5.0 Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0	Product(s):	postfix
Definition Synopsis:
Release section Debian GNU/Linux 5.0 is installed AND Installed architecture is all AND postfix DPKG is earlier than 2.5.5-1.1+lenny1 OR Release section Debian 6.0 is installed AND GNU/Linux or GNU/kFreeBSD kernel Debian GNU/Linux is installed AND Debian GNU/kFreeBSD is installed AND Installed architecture is all AND postfix DPKG is earlier than 2.7.1-1+squeeze1

Definition Id: oval:org.mitre.oval:def:13968

Oval ID:	oval:org.mitre.oval:def:13968
Title:	USN-1131-1 -- postfix vulnerability
Description:	postfix: High-performance mail transport agent An attacker could send crafted input to Postfix and cause it to crash or run programs.
Family:	unix	Class:	patch
Reference(s):	USN-1131-1 CVE-2011-1720	Version:	5
Platform(s):	Ubuntu 8.04 Ubuntu 10.10 Ubuntu 6.06 Ubuntu 10.04	Product(s):	postfix
Definition Synopsis:
Release section Ubuntu 8.04 is installed AND Installed architecture is all AND postfix DPKG is earlier than 2.5.1-2ubuntu1.4 OR Release section Ubuntu 10.10 is installed AND Installed architecture is all AND postfix DPKG is earlier than 2.7.1-1ubuntu0.2 OR Release section Ubuntu 6.06 is installed AND Installed architecture is all AND postfix DPKG is earlier than 2.2.10-1ubuntu0.4 OR Release section Ubuntu 10.04 is installed AND Installed architecture is all AND postfix DPKG is earlier than 2.7.0-1ubuntu0.2

Definition Id: oval:org.mitre.oval:def:21899

Oval ID:	oval:org.mitre.oval:def:21899
Title:	RHSA-2011:0843: postfix security update (Moderate)
Description:	The SMTP server in Postfix before 2.5.13, 2.6.x before 2.6.10, 2.7.x before 2.7.4, and 2.8.x before 2.8.3, when certain Cyrus SASL authentication methods are enabled, does not create a new server handle after client authentication fails, which allows remote attackers to cause a denial of service (heap memory corruption and daemon crash) or possibly execute arbitrary code via an invalid AUTH command with one method followed by an AUTH command with a different method.
Family:	unix	Class:	patch
Reference(s):	RHSA-2011:0843-01 CVE-2011-1720 CESA-2011:0843-CentOS 5	Version:	6
Platform(s):	Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 CentOS Linux 5	Product(s):	postfix
Definition Synopsis:
Red Hat Enterprise Linux 5 and CentOS Linux 5 release section Operation system section The operating system installed on the system is Red Hat Enterprise Linux 5 AND The operating system installed on the system is CentOS Linux 5.x Packages match section postfix is earlier than 2:2.3.3-2.3.el5_6 AND postfix-pflogsumm is earlier than 2:2.3.3-2.3.el5_6 AND Red Hat Enterprise Linux 6 release section The operating system installed on the system is Red Hat Enterprise Linux 6 Packages match section postfix is earlier than 2:2.6.6-2.2.el6_1 AND postfix-debuginfo is earlier than 2:2.6.6-2.2.el6_1 AND postfix-perl-scripts is earlier than 2:2.6.6-2.2.el6_1

Definition Id: oval:org.mitre.oval:def:23665

Oval ID:	oval:org.mitre.oval:def:23665
Title:	ELSA-2011:0843: postfix security update (Moderate)
Description:	The SMTP server in Postfix before 2.5.13, 2.6.x before 2.6.10, 2.7.x before 2.7.4, and 2.8.x before 2.8.3, when certain Cyrus SASL authentication methods are enabled, does not create a new server handle after client authentication fails, which allows remote attackers to cause a denial of service (heap memory corruption and daemon crash) or possibly execute arbitrary code via an invalid AUTH command with one method followed by an AUTH command with a different method.
Family:	unix	Class:	patch
Reference(s):	ELSA-2011:0843-01 CVE-2011-1720	Version:	6
Platform(s):	Oracle Linux 6	Product(s):	postfix
Definition Synopsis:
Oracle Linux 6.x rpm test postfix-perl-scripts is earlier than 2:2.6.6-2.2.el6_1 AND postfix is earlier than 2:2.6.6-2.2.el6_1

CPE : Common Platform Enumeration

Type	Description	Count
Application	Postfix cpe:2.3:a:postfix:postfix:2.8.2:::::::* cpe:2.3:a:postfix:postfix:2.8.1:::::::* cpe:2.3:a:postfix:postfix:2.8.0:::::::* cpe:2.3:a:postfix:postfix:2.7.3:::::::* cpe:2.3:a:postfix:postfix:2.7.2:::::::* cpe:2.3:a:postfix:postfix:2.7.1:::::::* cpe:2.3:a:postfix:postfix:2.7.0:::::::* cpe:2.3:a:postfix:postfix:2.6.9:::::::* cpe:2.3:a:postfix:postfix:2.6.8:::::::* cpe:2.3:a:postfix:postfix:2.6.7:::::::* cpe:2.3:a:postfix:postfix:2.6.6:::::::* cpe:2.3:a:postfix:postfix:2.6.5:::::::* cpe:2.3:a:postfix:postfix:2.6.4:::::::* cpe:2.3:a:postfix:postfix:2.6.3:::::::* cpe:2.3:a:postfix:postfix:2.6.2:::::::* cpe:2.3:a:postfix:postfix:2.6.1:::::::* cpe:2.3:a:postfix:postfix:2.6.0:::::::* cpe:2.3:a:postfix:postfix:2.6:::::::* cpe:2.3:a:postfix:postfix:2.5.9:::::::* cpe:2.3:a:postfix:postfix:2.5.8:::::::* cpe:2.3:a:postfix:postfix:2.5.7:::::::* cpe:2.3:a:postfix:postfix:2.5.6:::::::* cpe:2.3:a:postfix:postfix:2.5.5:::::::* cpe:2.3:a:postfix:postfix:2.5.4:::::::* cpe:2.3:a:postfix:postfix:2.5.3:::::::* cpe:2.3:a:postfix:postfix:2.5.2:::::::* cpe:2.3:a:postfix:postfix:2.5.12:::::::* cpe:2.3:a:postfix:postfix:2.5.11:::::::* cpe:2.3:a:postfix:postfix:2.5.10:::::::* cpe:2.3:a:postfix:postfix:2.5.1:::::::* cpe:2.3:a:postfix:postfix:2.5.0:::::::* cpe:2.3:a:postfix:postfix:2.4.9:::::::* cpe:2.3:a:postfix:postfix:2.4.8:::::::* cpe:2.3:a:postfix:postfix:2.4.7:::::::* cpe:2.3:a:postfix:postfix:2.4.6:::::::* cpe:2.3:a:postfix:postfix:2.4.5:::::::* cpe:2.3:a:postfix:postfix:2.4.4:::::::* cpe:2.3:a:postfix:postfix:2.4.3:::::::* cpe:2.3:a:postfix:postfix:2.4.2:::::::* cpe:2.3:a:postfix:postfix:2.4.15:::::::* cpe:2.3:a:postfix:postfix:2.4.14:::::::* cpe:2.3:a:postfix:postfix:2.4.13:::::::* cpe:2.3:a:postfix:postfix:2.4.12:::::::* cpe:2.3:a:postfix:postfix:2.4.11:::::::* cpe:2.3:a:postfix:postfix:2.4.10:::::::* cpe:2.3:a:postfix:postfix:2.4.1:::::::* cpe:2.3:a:postfix:postfix:2.4.0:::::::* cpe:2.3:a:postfix:postfix:2.4:::::::* cpe:2.3:a:postfix:postfix:2.3.9:::::::* cpe:2.3:a:postfix:postfix:2.3.8:::::::* cpe:2.3:a:postfix:postfix:2.3.7:::::::* cpe:2.3:a:postfix:postfix:2.3.6:::::::* cpe:2.3:a:postfix:postfix:2.3.5:::::::* cpe:2.3:a:postfix:postfix:2.3.4:::::::* cpe:2.3:a:postfix:postfix:2.3.3:::::::* cpe:2.3:a:postfix:postfix:2.3.2:::::::* cpe:2.3:a:postfix:postfix:2.3.19:::::::* cpe:2.3:a:postfix:postfix:2.3.18:::::::* cpe:2.3:a:postfix:postfix:2.3.17:::::::* cpe:2.3:a:postfix:postfix:2.3.16:::::::* cpe:2.3:a:postfix:postfix:2.3.15:::::::* cpe:2.3:a:postfix:postfix:2.3.14:::::::* cpe:2.3:a:postfix:postfix:2.3.13:::::::* cpe:2.3:a:postfix:postfix:2.3.12:::::::* cpe:2.3:a:postfix:postfix:2.3.11:::::::* cpe:2.3:a:postfix:postfix:2.3.10:::::::* cpe:2.3:a:postfix:postfix:2.3.1:::::::* cpe:2.3:a:postfix:postfix:2.3.0:::::::* cpe:2.3:a:postfix:postfix:2.3:::::::* cpe:2.3:a:postfix:postfix:2.2.9:::::::* cpe:2.3:a:postfix:postfix:2.2.8:::::::* cpe:2.3:a:postfix:postfix:2.2.7:::::::* cpe:2.3:a:postfix:postfix:2.2.6:::::::* cpe:2.3:a:postfix:postfix:2.2.5:::::::* cpe:2.3:a:postfix:postfix:2.2.4:::::::* cpe:2.3:a:postfix:postfix:2.2.3:::::::* cpe:2.3:a:postfix:postfix:2.2.2:::::::* cpe:2.3:a:postfix:postfix:2.2.12:::::::* cpe:2.3:a:postfix:postfix:2.2.11:::::::* cpe:2.3:a:postfix:postfix:2.2.10:::::::* cpe:2.3:a:postfix:postfix:2.2.1:::::::* cpe:2.3:a:postfix:postfix:2.2.0:::::::* cpe:2.3:a:postfix:postfix:2.1.6:::::::* cpe:2.3:a:postfix:postfix:2.1.5:::::::* cpe:2.3:a:postfix:postfix:2.1.4:::::::* cpe:2.3:a:postfix:postfix:2.1.3:::::::* cpe:2.3:a:postfix:postfix:2.1.2:::::::* cpe:2.3:a:postfix:postfix:2.1.1:::::::* cpe:2.3:a:postfix:postfix:2.1.0:::::::* cpe:2.3:a:postfix:postfix:2.0.9:::::::* cpe:2.3:a:postfix:postfix:2.0.8:::::::* cpe:2.3:a:postfix:postfix:2.0.7:::::::* cpe:2.3:a:postfix:postfix:2.0.6:::::::* cpe:2.3:a:postfix:postfix:2.0.5:::::::* cpe:2.3:a:postfix:postfix:2.0.4:::::::* cpe:2.3:a:postfix:postfix:2.0.3:::::::* cpe:2.3:a:postfix:postfix:2.0.2:::::::* cpe:2.3:a:postfix:postfix:2.0.19:::::::* cpe:2.3:a:postfix:postfix:2.0.18:::::::* cpe:2.3:a:postfix:postfix:2.0.17:::::::* cpe:2.3:a:postfix:postfix:2.0.16:::::::* cpe:2.3:a:postfix:postfix:2.0.15:::::::* cpe:2.3:a:postfix:postfix:2.0.14:::::::* cpe:2.3:a:postfix:postfix:2.0.13:::::::* cpe:2.3:a:postfix:postfix:2.0.12:::::::* cpe:2.3:a:postfix:postfix:2.0.11:::::::* cpe:2.3:a:postfix:postfix:2.0.10:::::::* cpe:2.3:a:postfix:postfix:2.0.1:::::::* cpe:2.3:a:postfix:postfix:2.0.0:::::::*	109

OpenVAS Exploits

Date	Description
2012-08-10	Name : Gentoo Security Advisory GLSA 201206-33 (Postfix) File : nvt/glsa_201206_33.nasl
2012-07-30	Name : CentOS Update for postfix CESA-2011:0843 centos4 x86_64 File : nvt/gb_CESA-2011_0843_postfix_centos4_x86_64.nasl
2012-07-30	Name : CentOS Update for postfix CESA-2011:0843 centos5 x86_64 File : nvt/gb_CESA-2011_0843_postfix_centos5_x86_64.nasl
2011-08-09	Name : CentOS Update for postfix CESA-2011:0843 centos5 i386 File : nvt/gb_CESA-2011_0843_postfix_centos5_i386.nasl
2011-08-03	Name : Debian Security Advisory DSA 2233-1 (postfix) File : nvt/deb_2233_1.nasl
2011-08-03	Name : FreeBSD Ports: postfix, postfix-base File : nvt/freebsd_postfix0.nasl
2011-06-06	Name : CentOS Update for postfix CESA-2011:0843 centos4 i386 File : nvt/gb_CESA-2011_0843_postfix_centos4_i386.nasl
2011-06-06	Name : RedHat Update for postfix RHSA-2011:0843-01 File : nvt/gb_RHSA-2011_0843-01_postfix.nasl
2011-05-26	Name : Postfix SMTP Server Cyrus SASL Support Memory Corruption Vulnerability File : nvt/secpod_postfix_cyrus_sasl_memory_corruption_vuln.nasl
2011-05-23	Name : Fedora Update for postfix FEDORA-2011-6771 File : nvt/gb_fedora_2011_6771_postfix_fc14.nasl
2011-05-23	Name : Fedora Update for postfix FEDORA-2011-6777 File : nvt/gb_fedora_2011_6777_postfix_fc13.nasl
2011-05-23	Name : Mandriva Update for postfix MDVSA-2011:090 (postfix) File : nvt/gb_mandriva_MDVSA_2011_090.nasl
2011-05-17	Name : Ubuntu Update for postfix USN-1131-1 File : nvt/gb_ubuntu_USN_1131_1.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
72259	Postfix SMTP Cyrus SASL Authentication Context Data Reuse Memory Corruption A memory corruption flaw exists in Postfix. The Cyrus SASL library fails to sanitize user-supplied input when authentication types other than PLAIN and LOGIN are used resulting in memory corruption. With a specially crafted request, a remote attacker can potentially execute arbitrary code.

Snort® IPS/IDS

Date	Description
2014-01-10	Postfix SMTP Server SASL AUTH Handle Reuse Memory Corruption RuleID : 19708 - Revision : 12 - Type : SERVER-MAIL

Nessus® Vulnerability Scanner

Date	Description
2014-06-13	Name : The remote openSUSE host is missing a security update. File : suse_11_4_postfix-110510.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : suse_11_3_postfix-110510.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-0843.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110531_postfix_on_SL4_x.nasl - Type : ACT_GATHER_INFO
2012-06-26	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201206-33.nasl - Type : ACT_GATHER_INFO
2011-12-13	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_postfix-7502.nasl - Type : ACT_GATHER_INFO
2011-06-13	Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1131-1.nasl - Type : ACT_GATHER_INFO
2011-06-02	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-0843.nasl - Type : ACT_GATHER_INFO
2011-06-01	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0843.nasl - Type : ACT_GATHER_INFO
2011-05-19	Name : The remote mail server is affected by a memory corruption vulnerability. File : postfix_memory_corruption_exploit.nasl - Type : ACT_ATTACK
2011-05-19	Name : The remote mail server is potentially affected by a memory corruption vulnera... File : postfix_memory_corruption.nasl - Type : ACT_GATHER_INFO
2011-05-19	Name : The remote Fedora host is missing a security update. File : fedora_2011-6784.nasl - Type : ACT_GATHER_INFO
2011-05-18	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2011-090.nasl - Type : ACT_GATHER_INFO
2011-05-18	Name : The remote Fedora host is missing a security update. File : fedora_2011-6777.nasl - Type : ACT_GATHER_INFO
2011-05-18	Name : The remote Fedora host is missing a security update. File : fedora_2011-6771.nasl - Type : ACT_GATHER_INFO
2011-05-12	Name : The remote openSUSE host is missing a security update. File : suse_11_2_postfix-110510.nasl - Type : ACT_GATHER_INFO
2011-05-11	Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12707.nasl - Type : ACT_GATHER_INFO
2011-05-11	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2233.nasl - Type : ACT_GATHER_INFO
2011-05-10	Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_3eb2c100738b11e089f4001e90d46635.nasl - Type : ACT_GATHER_INFO
2011-05-10	Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_postfix-110504.nasl - Type : ACT_GATHER_INFO
2011-05-10	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_postfix-7503.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 12:08:09	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	4
CPE ID(s)	109
osvdb(s)	1
Openvas Exploit(s)	13
Snort® Rule(s)	1
Nessus® Exploit(s)	21

	Related
6.8	CVE-2011-1720
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)