Executive Summary

Summary
Title Cyrus-SASL: Execution of arbitrary code
Informations
Name GLSA-200907-09 First vendor Publication 2009-07-12
Vendor Gentoo Last vendor Modification 2009-07-12
Severity (Vendor) High Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score 7.5 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

A buffer overflow in Cyrus-SASL might allow for the execution of arbitrary code in applications or daemons that authenticate using SASL.

Background

Cyrus-SASL is an implementation of the Simple Authentication and Security Layer.

Description

James Ralston reported that in certain situations, Cyrus-SASL does not properly terminate strings which can result in buffer overflows when performing Base64 encoding.

Impact

A remote unauthenticated user might send specially crafted packets to a daemon using Cyrus-SASL, possibly resulting in the execution of arbitrary code with the privileges of the user running the daemon or a Denial of Service.

Workaround

There is no known workaround at this time.

Resolution

All Cyrus-SASL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/cyrus-sasl-2.1.23"

References

[ 1 ] CVE-2009-0688 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0688

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200907-09.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-200907-09.xml

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10687
 
Oval ID: oval:org.mitre.oval:def:10687
Title: Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c.
Description: Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c.
Family: unix Class: vulnerability
Reference(s): CVE-2009-0688
 Version: 5
Platform(s): Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13676
 
Oval ID: oval:org.mitre.oval:def:13676
Title: DSA-1807-1 cyrus-sasl2, cyrus-sasl2-heimdal -- buffer overflow
Description: James Ralston discovered that the sasl_encode64 function of cyrus-sasl2, a free library implementing the Simple Authentication and Security Layer, suffers from a missing null termination in certain situations. This causes several buffer overflows in situations where cyrus-sasl2 itself requires the string to be null terminated which can lead to denial of service or arbitrary code execution. Important notice : While this patch will fix currently vulnerable code, it can cause non-vulnerable existing code to break. Here’s a function prototype from include/saslutil.h to clarify my explanation: /* base64 encode * in -- input data * inlen -- input data length * out -- output buffer * outmax -- max size of output buffer * result: * outlen -- gets actual length of output buffer * * Returns SASL_OK on success, SASL_BUFOVER if result won't fit */ LIBSASL_API int sasl_encode64; Assume a scenario where calling code has been written in such a way that it calculates the exact size required for base64 encoding in advance, then allocates a buffer of that exact size, passing a pointer to the buffer into sasl_encode64 as *out. As long as this code does not anticipate that the buffer is NUL-terminated the code will work and it will not be vulnerable. Once this patch is applied, that same code will break because sasl_encode64 will begin to return SASL_BUFOVER. For the oldstable distribution, this problem will be fixed soon. For the stable distribution, this problem has been fixed in version 2.1.22.dfsg1-23+lenny1 of cyrus-sasl2 and cyrus-sasl2-heimdal. For the testing distribution, this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 2.1.23.dfsg1-1 of cyrus-sasl2 and cyrus-sasl2-heimdal. We recommend that you upgrade your cyrus-sasl2/cyrus-sasl2-heimdal packages.
Family: unix Class: patch
Reference(s): DSA-1807-1
CVE-2009-0688
 Version: 5
Platform(s): Debian GNU/Linux 5.0
 Product(s): cyrus-sasl2
cyrus-sasl2-heimdal
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13846
 
Oval ID: oval:org.mitre.oval:def:13846
Title: USN-790-1 -- cyrus-sasl2 vulnerability
Description: James Ralston discovered that the Cyrus SASL base64 encoding function could be used unsafely. If a remote attacker sent a specially crafted request to a service that used SASL, it could lead to a loss of privacy, or crash the application, resulting in a denial of service.
Family: unix Class: patch
Reference(s): USN-790-1
CVE-2009-0688
 Version: 5
Platform(s): Ubuntu 8.04
Ubuntu 9.04
Ubuntu 6.06
Ubuntu 8.10
 Product(s): cyrus-sasl2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22796
 
Oval ID: oval:org.mitre.oval:def:22796
Title: ELSA-2009:1116: cyrus-imapd security update (Important)
Description: Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c.
Family: unix Class: patch
Reference(s): ELSA-2009:1116-01
CVE-2009-0688
 Version: 6
Platform(s): Oracle Linux 5
 Product(s): cyrus-imapd
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:29022
 
Oval ID: oval:org.mitre.oval:def:29022
Title: RHSA-2009:1116 -- cyrus-imapd security update (Important)
Description: Updated cyrus-imapd packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The cyrus-imapd packages contain a high-performance mail server with IMAP, POP3, NNTP, and SIEVE support.
Family: unix Class: patch
Reference(s): RHSA-2009:1116
CESA-2009:1116-CentOS 5
CVE-2009-0688
 Version: 3
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 4
CentOS Linux 5
 Product(s): cyrus-imapd
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6136
 
Oval ID: oval:org.mitre.oval:def:6136
Title: Security Vulnerability in the Simple Authentication and Security Layer (SASL) Library Bundled with the Java Enterprise System (JES) may Allow Unprivileged Users to Crash Applications Using the sasl_encode64 Function
Description: Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c.
Family: unix Class: vulnerability
Reference(s): CVE-2009-0688
 Version: 1
Platform(s): Sun Solaris 8
Sun Solaris 9
Sun Solaris 10
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:8333
 
Oval ID: oval:org.mitre.oval:def:8333
Title: DSA-1807 cyrus-sasl2, cyrus-sasl2-heimdal -- buffer overflow
Description: James Ralston discovered that the sasl_encode64() function of cyrus-sasl2, a free library implementing the Simple Authentication and Security Layer, suffers from a missing null termination in certain situations. This causes several buffer overflows in situations where cyrus-sasl2 itself requires the string to be null terminated which can lead to denial of service or arbitrary code execution. Important notice (Quoting from US-CERT): While this patch will fix currently vulnerable code, it can cause non-vulnerable existing code to break. Here's a function prototype from include/saslutil.h to clarify my explanation: Assume a scenario where calling code has been written in such a way that it calculates the exact size required for base64 encoding in advance, then allocates a buffer of that exact size, passing a pointer to the buffer into sasl_encode64() as *out. As long as this code does not anticipate that the buffer is NUL-terminated (does not call any string-handling functions like strlen(), for example) the code will work and it will not be vulnerable. Once this patch is applied, that same code will break because sasl_encode64() will begin to return SASL_BUFOVER.
Family: unix Class: patch
Reference(s): DSA-1807
CVE-2009-0688
 Version: 3
Platform(s): Debian GNU/Linux 5.0
 Product(s): cyrus-sasl2
cyrus-sasl2-heimdal
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 45

OpenVAS Exploits

Date Description
2011-08-09 Name : CentOS Update for cyrus-imapd CESA-2009:1116 centos5 i386
File : nvt/gb_CESA-2009_1116_cyrus-imapd_centos5_i386.nasl
2010-05-12 Name : Mac OS X 10.6.3 Update / Mac OS X Security Update 2010-002
File : nvt/macosx_upd_10_6_3_secupd_2010-002.nasl
2009-12-10 Name : Mandriva Security Advisory MDVSA-2009:113-1 (cyrus-sasl)
File : nvt/mdksa_2009_113_1.nasl
2009-10-13 Name : Solaris Update for libsasl.so.1 141930-01
File : nvt/gb_solaris_141930_01.nasl
2009-10-13 Name : Solaris Update for libsasl.so.1 141931-01
File : nvt/gb_solaris_141931_01.nasl
2009-10-13 Name : SLES10: Security update for cyrus-sasl
File : nvt/sles10_cyrus-sasl.nasl
2009-10-11 Name : SLES11: Security update for cyrus-sasl
File : nvt/sles11_cyrus-sasl.nasl
2009-10-10 Name : SLES9: Security update for cyrus-sasl
File : nvt/sles9p5050660.nasl
2009-07-29 Name : Gentoo Security Advisory GLSA 200907-09 (cyrus-sasl)
File : nvt/glsa_200907_09.nasl
2009-06-30 Name : Ubuntu USN-790-1 (cyrus-sasl2)
File : nvt/ubuntu_790_1.nasl
2009-06-30 Name : Ubuntu USN-789-1 (gst-plugins-good0.10)
File : nvt/ubuntu_789_1.nasl
2009-06-23 Name : CentOS Security Advisory CESA-2009:1116 (cyrus-imapd)
File : nvt/ovcesa2009_1116.nasl
2009-06-23 Name : RedHat Security Advisory RHSA-2009:1116
File : nvt/RHSA_2009_1116.nasl
2009-06-15 Name : SuSE Security Summary SUSE-SR:2009:011
File : nvt/suse_sr_2009_011.nasl
2009-06-05 Name : Mandrake Security Advisory MDVSA-2009:113 (cyrus-sasl)
File : nvt/mdksa_2009_113.nasl
2009-06-05 Name : Ubuntu USN-776-2 (kvm)
File : nvt/ubuntu_776_2.nasl
2009-06-05 Name : Debian Security Advisory DSA 1807-1 (cyrus-sasl2, cyrus-sasl2-heimdal)
File : nvt/deb_1807_1.nasl
2009-05-28 Name : Cyrus SASL Remote Buffer Overflow Vulnerability
File : nvt/secpod_cyrus_sasllib_mul_bof_vuln.nasl
2009-05-20 Name : FreeBSD Ports: cyrus-sasl
File : nvt/freebsd_cyrus-sasl2.nasl
0000-00-00 Name : Slackware Advisory SSA:2009-134-01 cyrus-sasl
File : nvt/esoft_slk_ssa_2009_134_01.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
54515 Solaris libsasl(3LIB) sasl_encode64() Function Overflow
54514 Cyrus SASL lib/saslutil.c sasl_encode64() Function Overflow

Nessus® Vulnerability Scanner

Date Description
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2009-1116.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20090618_cyrus_imapd_on_SL4_x.nasl - Type : ACT_GATHER_INFO
2010-03-29 Name : The remote host is missing a Mac OS X update that fixes various security issues.
File : macosx_SecUpd2010-002.nasl - Type : ACT_GATHER_INFO
2010-01-06 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2009-1116.nasl - Type : ACT_GATHER_INFO
2009-09-24 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_cyrus-sasl-6250.nasl - Type : ACT_GATHER_INFO
2009-09-24 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_cyrus-sasl-090514.nasl - Type : ACT_GATHER_INFO
2009-09-24 Name : The remote SuSE 9 host is missing a security-related patch.
File : suse9_12419.nasl - Type : ACT_GATHER_INFO
2009-07-21 Name : The remote openSUSE host is missing a security update.
File : suse_11_1_cyrus-sasl-090514.nasl - Type : ACT_GATHER_INFO
2009-07-21 Name : The remote openSUSE host is missing a security update.
File : suse_11_0_cyrus-sasl-090514.nasl - Type : ACT_GATHER_INFO
2009-07-13 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200907-09.nasl - Type : ACT_GATHER_INFO
2009-06-25 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-790-1.nasl - Type : ACT_GATHER_INFO
2009-06-19 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2009-1116.nasl - Type : ACT_GATHER_INFO
2009-06-02 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1807.nasl - Type : ACT_GATHER_INFO
2009-05-28 Name : The remote openSUSE host is missing a security update.
File : suse_cyrus-sasl-6249.nasl - Type : ACT_GATHER_INFO
2009-05-19 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2009-113.nasl - Type : ACT_GATHER_INFO
2009-05-15 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_14ab174c40ef11de9fd5001bd3385381.nasl - Type : ACT_GATHER_INFO
2009-05-15 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2009-134-01.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 11:36:36
  • Multiple Updates