Re: qmail vulnerability

Wed, 28 Feb 2001 22:29:26 -0800 

Thus said "D. J. Bernstein" on 01 Mar 2001 02:27:37 GMT:

>    http://www.securityfocus.com/bid/2237

  ``Currently the SecurityFocus staff are not aware of any vendor
    supplied patches for this issue.''

Why haven't they updated this?  On a properly configured qmail system 
this is a non-issue.  Why is that not the *fix* that they seek?

>    http://www.securityfocus.com/archive/1/6969

Isn't this a repeat of the first?  The *exploit* code even looks 
similar (if not the same).

>    http://www.securityfocus.com/archive/1/6970

Again the same issue which is easily solved by configuring qmail 
properly.

>    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0144

More of the same.  Maybe they should define what they consider the 
OS...  Out of curiosity, is this why softlimit was added to the 
daemontools package?

>    http://www.insecure.org/sploits/qmail.DOS.rcpt.html

Again the same problem...

>    http://xforce.iss.net/static/208.php

At least they got the version right here, but still the same problem 
which is easily taken care of with proper configuration.

>    http://archives.neohapsis.com/archives/postfix/2000-01/1170.html

At least this one is not as dull as the rest. :-)

> If you have seen any of these web pages, or any similar web pages at
> other locations, please send me email with the following information:

I haven't seen any additional pages, but the first three listed I had 
seen before.  When I first saw the reports I decided to test my current 
systems against what was proposed.  Each test failed to reproduce the 
attack described.  I was actually surprised because I wasn't certain 
how the systems had been setup (I didn't do the initial configuration 
of the systems).  Of course it didn't have any effect (other than 
closing the connection with a temporary error) on the system.  I 
suppose an attacker could attempt to exhaust the memory by taking up 
all the connections available, however, even this is avoidable by doing 
the math.  

For example, tcpserver by default will only accept 40 connections.  
If each qmail-smtpd is started with softlimit -m 2000000 that comes out 
to 80M of RAM that will ever be allocated.  On a server with 128M this 
won't even touch swap (unless there are other services running on the 
server in which case the admin *will* have figured that into the total).

Andy
-- 
[-----------[system uptime]--------------------------------------------]
 11:43pm  up 14 days, 23:45,  7 users,  load average: 1.22, 1.16, 1.17

Reply via email to