Sourced from AusCERT.

andrew

---------- Forwarded message ----------
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Wed, 14 Jun 2006 23:49:01 UT
Subject: [NATIONAL-ALERTS] (AUSCERT AL-2006.0048) [UNIX/Linux][Win] - Sendmail fails to handle malformed multipart MIME messages
To: [EMAIL PROTECTED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                  A U S C E R T   A L E R T

                     AL-2006.0048 -- AUSCERT ALERT
                            [UNIX/Linux][Win]
        Sendmail fails to handle malformed multipart MIME messages
                              15 June 2006
===========================================================================

AusCERT Alert Summary
---------------------

Product:            Sendmail 8.13.6 and prior
Publisher:          US-CERT
Operating System:   UNIX variants (UNIX, Linux, OSX)
                    Windows
Impact:             Denial of Service
Access:             Remote/Unauthenticated
CVE Names:          CVE-2006-1173

Original Bulletin:
  http://www.kb.cert.org/vuls/id/146718
  http://www.sendmail.org/releases/8.13.7.html

- --------------------------BEGIN INCLUDED TEXT--------------------

US-CERT Vulnerability Note VU#146718

Sendmail fails to handle malformed multipart MIME messages

Overview

   Sendmail does not properly handle malformed multipart MIME messages.
   This vulnerability may allow a remote, unauthenticated attacker to
   cause a denial-of-service condition.

I. Description

   Sendmail

   Sendmail is a widely used mail transfer agent (MTA).

   Mail Transfer Agents (MTA)

   MTAs are responsible for sending and receiving email messages over the
   internet. They are also referred to as mail servers or SMTP servers.

   The Problem

   Sendmail fails to properly handle malformed multipart MIME messages.
   This vulnerability may be triggered by sending a specially crafted
   message to a vulnerable Sendmail MTA.

II. Impact

   This vulnerability will not cause the Sendmail server process to
   terminate. However, it may cause Sendmail to consume a large amount of
   system resources. Specifically, if a system writes uniquely named core
   dump files, this vulnerability may cause available disk space to be
   filled with core dumps, leading to a disruption of system operation
   resulting in a denial-of-service condition. Additionally, this
   vulnerability may cause queue runs to abort, preventing the processing
   and delivery of queued messages.

III. Solution

   Upgrade Sendmail

   This issue is corrected in Sendmail version 8.13.7.

   The following workarounds were provided by Sendmail:

   Limit message size

   Limiting the maximum message size accepted by your server (via the
   sendmail MaxMessageSize option) will mitigate this vulnerability.

   Remove stack size limit

   If your operating system limits stack size, remove that limit. This
   will make the attack more difficult to accomplish, as it will require
   a very large message. Also, by limiting the maximum message size
   accepted by your server (via the sendmail MaxMessageSize option), you
   can eliminate the attack completely.

   Configure your MTA to avoid the negative impacts listed above:

     * Disable core dumps.
     * Enable the ForkEachJob option, at the cost of lower queue run
       performance and potentially a high number of processes.
     * Set QueueSortOrder to random, which will randomize the order in
       which jobs are processed. Note that with random queue sorting, the
       bad message will still be processed and the queue run aborted
       every time, but at a different, random spot.

Systems Affected

   Vendor                                          Status           Date Updated
   ----------------------------------------------  ---------------  ------------
   3com, Inc.                                      Unknown          9-May-2006
   Alcatel                                         Unknown          9-May-2006
   Apple Computer, Inc.                            Unknown          9-May-2006
   AT&T                                            Unknown          9-May-2006
   Avaya, Inc.                                     Unknown          9-May-2006
   Avici Systems, Inc.                             Unknown          9-May-2006
   Borderware Technologies                         Not Vulnerable   25-May-2006
   B.U.G., Inc                                     Not Vulnerable   13-Jun-2006
   Century Systems Inc.                            Not Vulnerable   13-Jun-2006
   Charlotte's Web Networks                        Unknown          9-May-2006
   Check Point Software Technologies               Unknown          9-May-2006
   Chiaro Networks, Inc.                           Unknown          9-May-2006
   Cisco Systems, Inc.                             Unknown          9-May-2006
   Computer Associates                             Unknown          9-May-2006
   Conectiva Inc.                                  Unknown          9-May-2006
   Cray Inc.                                       Unknown          9-May-2006
   D-Link Systems, Inc.                            Unknown          9-May-2006
   Data Connection, Ltd.                           Unknown          9-May-2006
   Debian GNU/Linux                                Unknown          9-May-2006
   DragonFly BSD Project                           Unknown          9-May-2006
   EMC, Inc. (formerly Data General Corporation)   Unknown          9-May-2006
   Engarde Secure Linux                            Unknown          9-May-2006
   Ericsson                                        Unknown          9-May-2006
   eSoft, Inc.                                     Unknown          9-May-2006
   Extreme Networks                                Unknown          9-May-2006
   F5 Networks, Inc.                               Not Vulnerable   15-May-2006
   Fedora Project                                  Unknown          9-May-2006
   Force10 Networks, Inc.                          Unknown          9-May-2006
   Fortinet, Inc.                                  Unknown          9-May-2006
   Foundry Networks, Inc.                          Not Vulnerable   14-Jun-2006
   FreeBSD, Inc.                                   Vulnerable       14-Jun-2006
   Fujitsu                                         Unknown          9-May-2006
   Fujitsu                                         Not Vulnerable   13-Jun-2006
   Gentoo Linux                                    Unknown          9-May-2006
   Global Technology Associates                    Unknown          9-May-2006
   GNU netfilter                                   Unknown          9-May-2006
   Hewlett-Packard Company                         Unknown          9-May-2006
   Hitachi                                         Not Vulnerable   14-Jun-2006
   Hyperchip                                       Unknown          9-May-2006
   IBM Corporation                                 Vulnerable       14-Jun-2006
   IBM Corporation (zseries)                       Unknown          9-May-2006
   IBM eServer                                     Unknown          10-May-2006
   Immunix Communications, Inc.                    Unknown          9-May-2006
   Ingrian Networks, Inc.                          Unknown          9-May-2006
   Intel Corporation                               Unknown          9-May-2006
   Internet Initiative Japan                       Not Vulnerable   13-Jun-2006
   Internet Security Systems, Inc.                 Unknown          9-May-2006
   Intoto                                          Not Vulnerable   10-May-2006
   IP Filter                                       Unknown          9-May-2006
   Juniper Networks, Inc.                          Unknown          9-May-2006
   Justsystem Corporation                          Not Vulnerable   13-Jun-2006
   Linksys (A division of Cisco Systems)           Unknown          9-May-2006
   Lotus Software                                  Not Vulnerable   10-May-2006
   Lucent Technologies                             Unknown          9-May-2006
   Luminous Networks                               Unknown          9-May-2006
   Mandriva, Inc.                                  Unknown          9-May-2006
   Microsoft Corporation                           Unknown          9-May-2006
   Mirapoint, Inc.                                 Unknown          9-May-2006
   MontaVista Software, Inc.                       Unknown          9-May-2006
   Multinet (owned Process Software Corporation)   Unknown          9-May-2006
   Multitech, Inc.                                 Unknown          9-May-2006
   NEC Corporation                                 Vulnerable       14-Jun-2006
   NetBSD                                          Unknown          9-May-2006
   Network Appliance, Inc.                         Not Vulnerable   12-May-2006
   NextHop Technologies, Inc.                      Unknown          9-May-2006
   Nokia                                           Unknown          9-May-2006
   Nortel Networks, Inc.                           Unknown          9-May-2006
   Novell, Inc.                                    Unknown          9-May-2006
   OpenBSD                                         Unknown          7-Jun-2006
   Openwall GNU/*/Linux                            Not Vulnerable   10-May-2006
   Oracle Corporation                              Not Vulnerable   16-May-2006
   QNX, Software Systems, Inc.                     Unknown          9-May-2006
   Red Hat, Inc.                                   Vulnerable       14-Jun-2006
   Redback Networks, Inc.                          Not Vulnerable   9-Jun-2006
   Riverstone Networks, Inc.                       Unknown          9-May-2006
   Secure Computing Network Security Division      Unknown          9-May-2006
   Secureworx, Inc.                                Unknown          31-May-2006
   Sendmail Consortium                             Vulnerable       14-Jun-2006
   Sendmail, Inc.                                  Vulnerable       14-Jun-2006
   Silicon Graphics, Inc.                          Unknown          9-May-2006
   Slackware Linux Inc.                            Unknown          9-May-2006
   Sony Corporation                                Unknown          9-May-2006
   Stonesoft                                       Unknown          12-May-2006
   Sun Microsystems, Inc.                          Vulnerable       14-Jun-2006
   SUSE Linux                                      Unknown          9-May-2006
   Symantec, Inc.                                  Unknown          9-May-2006
   Syntegra                                        Not Vulnerable   14-Jun-2006
   The SCO Group                                   Unknown          14-Jun-2006
   The SCO Group (SCO Unix)                        Unknown          27-May-2006
   Trustix Secure Linux                            Unknown          9-May-2006
   Turbolinux                                      Unknown          9-May-2006
   Ubuntu                                          Unknown          10-May-2006
   Unisys                                          Unknown          9-May-2006
   Watchguard Technologies, Inc.                   Unknown          9-May-2006
   Wind River Systems, Inc.                        Unknown          9-May-2006
   Yamaha Corporation                              Not Vulnerable   13-Jun-2006
   Yokogawa Electric Corporation                   Not Vulnerable   13-Jun-2006
   ZyXEL                                           Unknown          9-May-2006

References

   http://www.sendmail.com/security/advisories/SA-200605-01.txt.asc
   http://www.sendmail.org/releases/8.13.7.html
   http://www.sendmail.org/releases/8.13.7.html#RS
   http://secunia.com/advisories/20473/

Credit

   This vulnerability was reported by Sendmail.

   This document was written by Jeff Gennari based on information from
   Sendmail.
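The workarounds in section III are all plain sendmail.cf options, so an administrator who cannot upgrade to 8.13.7 immediately can at least verify that the mitigations are actually in the generated configuration. The following POSIX shell audit is an added example, not part of the US-CERT note and not a Sendmail tool: it reads a sendmail.cf and reports whether MaxMessageSize is capped, ForkEachJob is on and QueueSortOrder is random. The option names are the real sendmail.cf option names and the confMAX_MESSAGE_SIZE / confFORK_EACH_JOB / confQUEUE_SORT_ORDER macros are the real sendmail.mc equivalents; the sample values, the default path and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or from Sendmail): audit a sendmail.cf
# for the VU#146718 workarounds. Option names are real sendmail.cf options;
# the values, paths and function names are constructed for illustration.
#
# The same settings in sendmail.mc (regenerate with: m4 sendmail.mc > sendmail.cf):
#   define(`confMAX_MESSAGE_SIZE', `10485760')   dnl -> O MaxMessageSize=10485760
#   define(`confFORK_EACH_JOB',    `True')       dnl -> O ForkEachJob=True
#   define(`confQUEUE_SORT_ORDER', `random')     dnl -> O QueueSortOrder=random
# Core dumps and the stack limit are not cf options; set them in the shell
# that starts the daemon, e.g. "ulimit -c 0" and "ulimit -s unlimited".

# cf_option FILE NAME
# Prints the value of the last "O NAME=value" line in FILE (empty if unset).
cf_option() {
    sed -n "s/^O $2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# audit_sendmail_cf FILE
# Prints one status line per mitigation; returns 0 only when all three are in
# place, 1 otherwise, so it can gate a deployment or config-management run.
audit_sendmail_cf() {
    cf="$1"
    missing=0

    # 1. MaxMessageSize: unset or 0 means uncapped, which the attack relies on.
    size=$(cf_option "$cf" MaxMessageSize)
    case "$size" in
        ''|*[!0-9]*|0)
            echo "MISSING  MaxMessageSize (unset or 0: message size is uncapped)"
            missing=1 ;;
        *)
            echo "ok       MaxMessageSize=$size" ;;
    esac

    # 2. ForkEachJob=True stops one bad message from aborting the whole queue
    #    run. Only the explicit "=True" form is recognised here.
    fork=$(cf_option "$cf" ForkEachJob)
    case "$fork" in
        [Tt]rue) echo "ok       ForkEachJob=$fork" ;;
        *)       echo "MISSING  ForkEachJob (set to True)"; missing=1 ;;
    esac

    # 3. QueueSortOrder=random: the bad message still aborts the run, but at a
    #    different point each time, so the rest of the queue drains over runs.
    order=$(cf_option "$cf" QueueSortOrder)
    case "$order" in
        [Rr]andom) echo "ok       QueueSortOrder=$order" ;;
        *)         echo "MISSING  QueueSortOrder (set to random)"; missing=1 ;;
    esac

    return $missing
}

# Usage: sh audit_sendmail_cf.sh /etc/mail/sendmail.cf  (path is an assumption)
if [ $# -gt 0 ]; then
    audit_sendmail_cf "$1"
fi
```

The audit only covers the cf-level workarounds; it cannot tell whether the daemon was started with core dumps disabled or the stack limit removed, so check `ulimit -c` and `ulimit -s` in the daemon's start-up environment separately, and treat the upgrade to 8.13.7 as the actual fix.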
Other Information

   Date Public            06/14/2006
   Date First Published   06/14/2006 12:04:19 PM
   Date Last Updated      06/14/2006
   CERT Advisory
   CVE Name               CVE-2006-1173
   Metric                 13.51
   Document Revision      28

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to [EMAIL PROTECTED]
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: [EMAIL PROTECTED]
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRJCgOyh9+71yA2DNAQLDvgQAmAxq5426RM/7xMgzYW0CxWhycyeIUqBy
nvhfB/y2EZ4amwuiuxrkkptD8IdKntEku3VvKB8aEJNkk0KtTZ+BaU7w02CQPlO6
P4Plf6ImP11cbV5stRAtl5F9uDEtrQ4Sq4o1i32g+fFWBcE2TrgIOgRhPq7E6m13
Fw9z2NJiL8E=
=yvGF
-----END PGP SIGNATURE-----

AusCERT is the national computer emergency response team for Australia.
We monitor various sources around the globe and provide reliable and
independent information about serious computer network threats and
vulnerabilities.

AusCERT, which is a not-for-profit organisation, operates a cost-recovery
service for its members and a smaller free security bulletin service to
subscribers of the National Alerts Service.

In the interests of protecting your information systems and keeping up to
date with relevant information to protect your information systems, you
should be aware that not all security bulletins published or distributed
by AusCERT are included in the National Alert Service. AusCERT may
publish and distribute bulletins to its members which contain information
about serious computer network threats and vulnerabilities that could
affect your information systems. Many of these security bulletins are
publicly accessible from our web site.

AusCERT maintains the mailing list for access to National Alerts Service
security bulletins. If you are subscribed to the National Alerts Service
and wish to cancel your subscription to this service, please follow the
instructions at:

        http://www.auscert.org.au/msubmit.html?it=3058

Previous security bulletins published or distributed as part of the
National Alerts Service can be retrieved from:

        http://national.auscert.org.au/render.html?cid=2998

Previous security bulletins published or distributed by AusCERT can be
retrieved from:

        http://www.auscert.org.au/render.html?cid=1

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://national.auscert.org.au/render.html?it=3192

-- 
Andrew Donnellan
http://andrewdonnellan.com
http://ajdlinux.blogspot.com
Jabber - [EMAIL PROTECTED]
GPG - hkp://subkeys.pgp.net 0x5D4C0C58
-------------------------------
Member of Linux Australia - http://linux.org.au
Debian user - http://debian.org
Get free rewards - http://ezyrewards.com/?id=23484
OpenNIC user - http://www.opennic.unrated.net

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]