10 - VU#183657

Executive Summary

Summary
Title	libspf2 DNS TXT record parsing buffer overflow

Informations
Name	VU#183657	First vendor Publication	2008-10-30
Vendor	VU-CERT	Last vendor Modification	2009-02-17
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score	10	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#183657

libspf2 DNS TXT record parsing buffer overflow

Overview

libspf2 contains a buffer overflow vulnerability in code that parses DNS TXT records.

I. Description

libspf2 is a widely-deployed implementation of the Sender Policy Framework. According to RFC 4408:

An SPF record is a DNS Resource Record (RR) that declares which hosts are, and are not, authorized to use a domain name for the "HELO" and "MAIL FROM" identities. Loosely, the record partitions all hosts into permitted and not-permitted sets (though some hosts might fall into neither category).

libspf2 contins a buffer overflow in DNS TXT record parsing. According to Doxpara Research:

DNS TXT records have long been a little tricky to parse, due to them containing two length fields. First, there is the length field of the record as a whole. Then, there is a sublength field, from 0 to 255, that describes the length of a particular character string inside the larger record. There is nothing that links the two values, and DNS servers to not themselves enforce sanity checks here. As such, there is always a risk that when receiving a DNS TXT record, the outer record length will be the amount allocated, but the inner length will be copied.

This issue is similar to VU#814627"Sendmail vulnerable to buffer overflow when DNS map is specified using TXT records."

II. Impact

This vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code on a system running libspf2.

III. Solution

Upgrade

Vendors and those who directly use libspf2 should upgrade to version 1.2.8.

Users that run a mail server or anti-spam products should consult their vendor for an appropriate patch.

Systems Affected

Vendor	Status	Date Notified	Date Updated
3com, Inc.	Unknown	2008-09-16	2008-09-16
ACCESS	Unknown	2008-09-16	2008-09-16
Alcatel-Lucent	Unknown	2008-09-16	2008-09-16
Apple Computer, Inc.	Unknown	2008-09-16	2008-09-16
AT&T	Unknown	2008-09-16	2008-09-16
Avaya, Inc.	Unknown	2008-09-16	2008-09-16
Barracuda Networks	Unknown	2008-09-16	2008-09-16
Belkin, Inc.	Unknown	2008-09-16	2008-09-16
Bizanga	Not Vulnerable	2008-09-17	2008-10-16
BlueCat Networks, Inc.	Vulnerable	2008-09-18	2008-10-30
Borderware Technologies	Unknown	2008-09-16	2008-09-16
Bro	Unknown	2008-09-16	2008-09-16
Charlotte's Web Networks	Unknown	2008-09-16	2008-09-16
Check Point Software Technologies	Unknown	2008-09-16	2008-09-16
CIAC	Unknown	2008-09-16	2008-09-16
Cisco Systems, Inc.	Not Vulnerable	2008-09-16	2008-11-07
Clavister	Unknown	2008-09-16	2008-09-16
Cloudmark	Unknown	2008-09-23	2008-09-23
Computer Associates	Unknown	2008-09-16	2008-09-16
Computer Associates eTrust Security Management	Unknown	2008-09-16	2008-09-16
Conectiva Inc.	Unknown	2008-09-16	2008-09-16
Cray Inc.	Unknown	2008-09-16	2008-09-16
D-Link Systems, Inc.	Unknown	2008-09-16	2008-09-16
Data Connection, Ltd.	Unknown	2008-09-16	2008-09-16
Debian GNU/Linux	Unknown	2008-09-16	2008-09-16
DragonFly BSD Project	Unknown	2008-09-16	2008-09-16
Eland Systems	Not Vulnerable	2008-09-17	2008-10-16
EMC Corporation	Unknown	2008-09-16	2008-09-16
Engarde Secure Linux	Unknown	2008-09-16	2008-09-16
Enterasys Networks	Unknown	2008-09-16	2008-09-16
Ericsson	Unknown	2008-09-16	2008-09-16
eSoft, Inc.	Unknown	2008-09-16	2008-09-16
Extreme Networks	Unknown	2008-09-16	2008-09-16
F5 Networks, Inc.	Unknown	2008-09-16	2008-09-16
Fedora Project	Unknown	2008-09-16	2008-09-16
Force10 Networks, Inc.	Unknown	2008-09-16	2008-09-16
Fortinet, Inc.	Unknown	2008-09-16	2008-09-16
Foundry Networks, Inc.	Unknown	2008-09-16	2008-09-16
FreeBSD, Inc.	Unknown	2008-09-16	2008-09-16
Fujitsu	Unknown	2008-09-16	2008-09-16
Gentoo Linux	Unknown	2008-09-16	2008-09-16
Global Technology Associates	Unknown	2008-09-16	2008-09-16
Hewlett-Packard Company	Unknown	2008-09-16	2008-09-16
Hitachi	Unknown	2008-09-16	2008-09-16
IBM Corporation	Unknown	2008-09-16	2008-09-16
IBM Corporation (zseries)	Unknown	2008-09-16	2008-09-16
IBM eServer	Unknown	2008-09-16	2008-09-16
Ingrian Networks, Inc.	Unknown	2008-09-16	2008-09-16
Intel Corporation	Unknown	2008-09-16	2008-09-16
Internet Security Systems, Inc.	Unknown	2008-09-16	2008-09-16
Intoto	Unknown	2008-09-16	2008-09-16
IP Filter	Unknown	2008-09-16	2008-09-16
IP Infusion, Inc.	Unknown	2008-09-16	2008-09-16
Juniper Networks, Inc.	Unknown	2008-09-16	2008-09-16
Luminous Networks	Unknown	2008-09-16	2008-09-16
m0n0wall	Unknown	2008-09-16	2008-09-16
MailFoundry	Not Vulnerable	2008-09-18	2008-10-23
Mandriva, Inc.	Unknown	2008-09-16	2008-09-16
McAfee	Vulnerable	2008-09-16	2008-10-16
Messaging Architects	Unknown	2008-09-18	2008-09-18
Microsoft Corporation	Unknown	2008-09-16	2008-09-16
Mirapoint, Inc.	Unknown	2008-09-18	2008-09-18
MontaVista Software, Inc.	Unknown	2008-09-16	2008-09-16
Multitech, Inc.	Unknown	2008-09-16	2008-09-16
NEC Corporation	Unknown	2008-09-16	2008-09-16
NetApp	Unknown	2008-09-16	2008-09-16
NetBSD	Unknown	2008-09-16	2008-09-16
netfilter	Unknown	2008-09-16	2008-09-16
Nokia	Unknown	2008-09-16	2008-09-16
Nortel Networks, Inc.	Unknown	2008-09-16	2008-09-16
Novell, Inc.	Unknown	2008-09-16	2008-09-16
OpenBSD	Unknown	2008-09-16	2008-09-16
Openwall GNU/*/Linux	Not Vulnerable	2008-09-16	2008-10-16
OpenWave	Unknown	2008-09-19	2008-09-19
PePLink	Unknown	2008-09-16	2008-09-16
Process Software	Vulnerable	2008-09-16	2008-10-16
Proofpoint	Not Vulnerable	2008-09-18	2008-10-16
Q1 Labs	Unknown	2008-09-16	2008-09-16
QNX, Software Systems, Inc.	Unknown	2008-09-16	2008-09-16
Quagga	Unknown	2008-09-16	2008-09-16
RadWare, Inc.	Unknown	2008-09-16	2008-09-16
Red Hat, Inc.	Unknown	2008-09-16	2008-09-16
Redback Networks, Inc.	Unknown	2008-09-16	2008-09-16
Roaring Penguin Software Inc.	Not Vulnerable	2008-09-17	2008-10-16
SecPoint	Vulnerable	2008-09-24	2008-10-16
Secure Computing Enterprise Security Division	Unknown	2008-09-18	2008-09-18
Secure Computing Network Security Division	Unknown	2008-09-16	2008-09-16
Securence	Not Vulnerable	2008-09-19	2008-10-16
Secureworx, Inc.	Unknown	2008-09-16	2008-09-16
Silicon Graphics, Inc.	Unknown	2008-09-16	2008-09-16
Slackware Linux Inc.	Unknown	2008-09-16	2008-09-16
SmoothWall	Unknown	2008-09-16	2008-09-16
Snort	Unknown	2008-09-16	2008-09-16
Soapstone Networks	Unknown	2008-09-16	2008-09-16
Sony Corporation	Unknown	2008-09-16	2008-09-16
Sourcefire	Unknown	2008-09-16	2008-09-16
Stonesoft	Unknown	2008-09-16	2008-09-16
Sun Microsystems, Inc.	Not Vulnerable	2008-09-16	2008-10-16
SUSE Linux	Not Vulnerable	2008-09-16	2008-10-16
Symantec, Inc.	Not Vulnerable	2008-09-16	2008-10-30
The SCO Group	Unknown	2008-09-16	2008-09-16
TippingPoint, Technologies, Inc.	Unknown	2008-09-16	2008-09-16
Turbolinux	Unknown	2008-09-16	2008-09-16
U4EA Technologies, Inc.	Unknown	2008-09-16	2008-09-16
Ubuntu	Unknown	2008-09-16	2008-09-16
Unisys	Unknown	2008-09-16	2008-09-16
Vyatta	Unknown	2008-09-16	2008-09-16
Watchguard Technologies, Inc.	Unknown	2008-09-16	2008-09-16
Wind River Systems, Inc.	Unknown	2008-09-16	2008-09-16
ZyXEL	Unknown	2008-09-16	2008-09-16

References

http://www.kb.cert.org/vuls/id/814627
http://www.ietf.org/rfc/rfc4408.txt
http://www.doxpara.com/?page_id=1256
http://www.libspf2.org/docs/html/

Credit

This issue was reported by Dan Kaminsky of Doxpara Research.

This document was written by Chris Taschner.

Other Information

Date Public:	2008-10-21
Date First Published:	2008-10-30
Date Last Updated:	2009-02-17
CERT Advisory:
CVE-ID(s):	CVE-2008-2469
NVD-ID(s):	CVE-2008-2469
US-CERT Technical Alerts:
Metric:	9.00
Document Revision:	22

Original Source

Url : http://www.kb.cert.org/vuls/id/183657

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-119	Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:20268

Oval ID:	oval:org.mitre.oval:def:20268
Title:	DSA-1659-1 libspf2 - potential remote code execution
Description:	Dan Kaminsky discovered that libspf2, an implementation of the Sender Policy Framework (SPF) used by mail servers for mail filtering, handles malformed TXT records incorrectly, leading to a buffer overflow condition (<a href="http://security-tracker.debian.org/tracker/CVE-2008-2469">CVE-2008-2469</a>).
Family:	unix	Class:	patch
Reference(s):	DSA-1659-1 CVE-2008-2469	Version:	5
Platform(s):	Debian GNU/Linux 4.0	Product(s):	libspf2
Definition Synopsis:
Debian GNU/Linux 4.0 is installed. AND libspf2 DPKG is earlier than 0:1.2.5-4+etch1

Definition Id: oval:org.mitre.oval:def:7802

Oval ID:	oval:org.mitre.oval:def:7802
Title:	DSA-1659 libspf2 -- buffer overflow
Description:	Dan Kaminsky discovered that libspf2, an implementation of the Sender Policy Framework (SPF) used by mail servers for mail filtering, handles malformed TXT records incorrectly, leading to a buffer overflow condition (CVE-2008-2469). Note that the SPF configuration template in Debian's Exim configuration recommends to use libmail-spf-query-perl, which does not suffer from this issue.
Family:	unix	Class:	patch
Reference(s):	DSA-1659 CVE-2008-2469	Version:	3
Platform(s):	Debian GNU/Linux 4.0	Product(s):	libspf2
Definition Synopsis:
Debian GNU/Linux 4.0 is installed. Supported architectures section Installed architecture is s390 AND Installed architecture is amd64 AND Installed architecture is sparc AND Installed architecture is arm AND Installed architecture is i386 AND Installed architecture is ia64 AND Installed architecture is alpha AND Installed architecture is powerpc AND Installed architecture is mipsel AND Installed architecture is hppa Packages section libspf2-2 is earlier than 1.2.5-4+etch1 AND libspf2-dev is earlier than 1.2.5-4+etch1 AND spfquery is earlier than 1.2.5-4+etch1

CPE : Common Platform Enumeration

Type	Description	Count
Application	Libspf libspf2 cpe:2.3:a:libspf:libspf2:1.2.6:::::::* cpe:2.3:a:libspf:libspf2:1.2.5:::::::* cpe:2.3:a:libspf:libspf2:1.2.4:::::::* cpe:2.3:a:libspf:libspf2:1.2.3:::::::* cpe:2.3:a:libspf:libspf2:1.2.1:::::::* cpe:2.3:a:libspf:libspf2:1.0.4:::::::* cpe:2.3:a:libspf:libspf2:1.0.3:::::::* cpe:2.3:a:libspf:libspf2:1.0.2:::::::*	8

OpenVAS Exploits

Date	Description
2008-11-01	Name : Debian Security Advisory DSA 1659-1 (libspf2) File : nvt/deb_1659_1.nasl
2008-11-01	Name : FreeBSD Ports: libspf2 File : nvt/freebsd_libspf2.nasl
2008-11-01	Name : Gentoo Security Advisory GLSA 200810-03 (libspf2) File : nvt/glsa_200810_03.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
49277	libspf2 Spf_dns_resolv.c SPF_dns_resolv_lookup Function DNS TXT Record Handli...

Snort® IPS/IDS

Date	Description
2014-01-10	libspf2 DNS TXT record parsing buffer overflow attempt RuleID : 15327 - Revision : 8 - Type : PROTOCOL-DNS

Nessus® Vulnerability Scanner

Date	Description
2008-10-31	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200810-03.nasl - Type : ACT_GATHER_INFO
2008-10-28	Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_2ddbfd29a45511dda55e00163e000016.nasl - Type : ACT_GATHER_INFO
2008-10-27	Name : The remote Debian host is missing a security-related update. File : debian_DSA-1659.nasl - Type : ACT_GATHER_INFO

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	2
CPE ID(s)	8
osvdb(s)	1
Openvas Exploit(s)	3
Snort® Rule(s)	1
Nessus® Exploit(s)	3

	Related
10	CVE-2008-2469
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)