Vulnerability Note VU#183657

libspf2 DNS TXT record parsing buffer overflow

Overview

libspf2 contains a buffer overflow vulnerability in code that parses DNS TXT records.

I. Description

libspf2 is a widely-deployed implementation of the Sender Policy Framework. According to RFC 4408:

    An SPF record is a DNS Resource Record (RR) that declares which hosts are, and are not, authorized to use a domain name for the "HELO" and "MAIL FROM" identities. Loosely, the record partitions all hosts into permitted and not-permitted sets (though some hosts might fall into neither category).

libspf2 contains a buffer overflow in DNS TXT record parsing. According to Doxpara Research:

    DNS TXT records have long been a little tricky to parse, due to them containing two length fields. First, there is the length field of the record as a whole. Then, there is a sublength field, from 0 to 255, that describes the length of a particular character string inside the larger record. There is nothing that links the two values, and DNS servers do not themselves enforce sanity checks here. As such, there is always a risk that when receiving a DNS TXT record, the outer record length will be the amount allocated, but the inner length will be copied.

This issue is similar to VU#814627 "Sendmail vulnerable to buffer overflow when DNS map is specified using TXT records."
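
The check that the two-length-field problem calls for, shown as an added example (it is not libspf2 code and not part of the original note): each inner string length is validated against both the remaining outer record length and the remaining destination space before any copy. The function name, buffer sizes and sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not libspf2 code: join the character-strings of one
 * TXT RDATA into dst as a NUL-terminated string. rdlen is the outer RDLENGTH
 * from the RR header. Returns bytes written (excluding the NUL), or -1 if
 * the record is malformed or does not fit in dst. */
long txt_rdata_to_string(const unsigned char *rdata, size_t rdlen,
                         char *dst, size_t dstcap)
{
    size_t in = 0, out = 0;

    if (rdata == NULL || dst == NULL || dstcap == 0)
        return -1;
    while (in < rdlen) {
        size_t slen = rdata[in++];      /* inner length field, 0..255 */

        /* The inner length must fit in what remains of the outer record
         * and in what remains of dst, keeping one byte for the NUL. */
        if (slen > rdlen - in || slen > dstcap - 1 - out) {
            dst[0] = '\0';              /* never hand back partial data */
            return -1;
        }
        memcpy(dst + out, rdata + in, slen);
        in += slen;
        out += slen;
    }
    dst[out] = '\0';
    return (long)out;
}

/* Constructed sample: two well-formed strings, "v=spf1 " and "-all". */
static const unsigned char TXT_OK[] = {
    7, 'v', '=', 's', 'p', 'f', '1', ' ', 4, '-', 'a', 'l', 'l'
};
/* Constructed sample: inner length claims 200 bytes, RDLENGTH is only 5. */
static const unsigned char TXT_BAD[] = { 200, 'A', 'A', 'A', 'A' };

int main(void)
{
    char buf[32];

    printf("ok:  %ld\n", txt_rdata_to_string(TXT_OK, sizeof TXT_OK, buf, sizeof buf));
    printf("bad: %ld\n", txt_rdata_to_string(TXT_BAD, sizeof TXT_BAD, buf, sizeof buf));
    return 0;
}
```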

II. Impact

This vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code on a system running libspf2.

III. Solution

Upgrade

Vendors and those who directly use libspf2 should upgrade to version 1.2.8.

Users that run a mail server or anti-spam products should consult their vendor for an appropriate patch.

Systems Affected

Vendor                                          Status          Date Notified  Date Updated
3com, Inc.                                      Unknown         2008-09-16     2008-09-16
ACCESS                                          Unknown         2008-09-16     2008-09-16
Alcatel-Lucent                                  Unknown         2008-09-16     2008-09-16
Apple Computer, Inc.                            Unknown         2008-09-16     2008-09-16
AT&T                                            Unknown         2008-09-16     2008-09-16
Avaya, Inc.                                     Unknown         2008-09-16     2008-09-16
Barracuda Networks                              Unknown         2008-09-16     2008-09-16
Belkin, Inc.                                    Unknown         2008-09-16     2008-09-16
Bizanga                                         Not Vulnerable  2008-09-17     2008-10-16
BlueCat Networks, Inc.                          Vulnerable      2008-09-18     2008-10-30
Borderware Technologies                         Unknown         2008-09-16     2008-09-16
Bro                                             Unknown         2008-09-16     2008-09-16
Charlotte's Web Networks                        Unknown         2008-09-16     2008-09-16
Check Point Software Technologies               Unknown         2008-09-16     2008-09-16
CIAC                                            Unknown         2008-09-16     2008-09-16
Cisco Systems, Inc.                             Not Vulnerable  2008-09-16     2008-11-07
Clavister                                       Unknown         2008-09-16     2008-09-16
Cloudmark                                       Unknown         2008-09-23     2008-09-23
Computer Associates                             Unknown         2008-09-16     2008-09-16
Computer Associates eTrust Security Management  Unknown         2008-09-16     2008-09-16
Conectiva Inc.                                  Unknown         2008-09-16     2008-09-16
Cray Inc.                                       Unknown         2008-09-16     2008-09-16
D-Link Systems, Inc.                            Unknown         2008-09-16     2008-09-16
Data Connection, Ltd.                           Unknown         2008-09-16     2008-09-16
Debian GNU/Linux                                Unknown         2008-09-16     2008-09-16
DragonFly BSD Project                           Unknown         2008-09-16     2008-09-16
Eland Systems                                   Not Vulnerable  2008-09-17     2008-10-16
EMC Corporation                                 Unknown         2008-09-16     2008-09-16
Engarde Secure Linux                            Unknown         2008-09-16     2008-09-16
Enterasys Networks                              Unknown         2008-09-16     2008-09-16
Ericsson                                        Unknown         2008-09-16     2008-09-16
eSoft, Inc.                                     Unknown         2008-09-16     2008-09-16
Extreme Networks                                Not Vulnerable  2008-09-16     2009-04-30
F5 Networks, Inc.                               Unknown         2008-09-16     2008-09-16
Fedora Project                                  Unknown         2008-09-16     2008-09-16
Force10 Networks, Inc.                          Unknown         2008-09-16     2008-09-16
Fortinet, Inc.                                  Unknown         2008-09-16     2008-09-16
Foundry Networks, Inc.                          Unknown         2008-09-16     2008-09-16
FreeBSD, Inc.                                   Unknown         2008-09-16     2008-09-16
Fujitsu                                         Unknown         2008-09-16     2008-09-16
Gentoo Linux                                    Unknown         2008-09-16     2008-09-16
Global Technology Associates                    Unknown         2008-09-16     2008-09-16
Hewlett-Packard Company                         Unknown         2008-09-16     2008-09-16
Hitachi                                         Unknown         2008-09-16     2008-09-16
IBM Corporation                                 Unknown         2008-09-16     2008-09-16
IBM Corporation (zseries)                       Unknown         2008-09-16     2008-09-16
IBM eServer                                     Unknown         2008-09-16     2008-09-16
Ingrian Networks, Inc.                          Unknown         2008-09-16     2008-09-16
Intel Corporation                               Unknown         2008-09-16     2008-09-16
Internet Security Systems, Inc.                 Unknown         2008-09-16     2008-09-16
Intoto                                          Unknown         2008-09-16     2008-09-16
IP Filter                                       Unknown         2008-09-16     2008-09-16
IP Infusion, Inc.                               Unknown         2008-09-16     2008-09-16
Juniper Networks, Inc.                          Unknown         2008-09-16     2008-09-16
Luminous Networks                               Unknown         2008-09-16     2008-09-16
m0n0wall                                        Unknown         2008-09-16     2008-09-16
MailFoundry                                     Not Vulnerable  2008-09-18     2008-10-23
Mandriva, Inc.                                  Unknown         2008-09-16     2008-09-16
McAfee                                          Vulnerable      2008-09-16     2008-10-16
Messaging Architects                            Unknown         2008-09-18     2008-09-18
Microsoft Corporation                           Unknown         2008-09-16     2008-09-16
Mirapoint, Inc.                                 Unknown         2008-09-18     2008-09-18
MontaVista Software, Inc.                       Unknown         2008-09-16     2008-09-16
Multitech, Inc.                                 Unknown         2008-09-16     2008-09-16
NEC Corporation                                 Unknown         2008-09-16     2008-09-16
NetApp                                          Unknown         2008-09-16     2008-09-16
NetBSD                                          Unknown         2008-09-16     2008-09-16
netfilter                                       Unknown         2008-09-16     2008-09-16
Nokia                                           Unknown         2008-09-16     2008-09-16
Nortel Networks, Inc.                           Unknown         2008-09-16     2008-09-16
Novell, Inc.                                    Unknown         2008-09-16     2008-09-16
OpenBSD                                         Unknown         2008-09-16     2008-09-16
Openwall GNU/*/Linux                            Not Vulnerable  2008-09-16     2008-10-16
OpenWave                                        Unknown         2008-09-19     2008-09-19
PePLink                                         Unknown         2008-09-16     2008-09-16
Process Software                                Vulnerable      2008-09-16     2008-10-16
Proofpoint                                      Not Vulnerable  2008-09-18     2008-10-16
Q1 Labs                                         Unknown         2008-09-16     2008-09-16
QNX, Software Systems, Inc.                     Unknown         2008-09-16     2008-09-16
Quagga                                          Unknown         2008-09-16     2008-09-16
RadWare, Inc.                                   Unknown         2008-09-16     2008-09-16
Red Hat, Inc.                                   Unknown         2008-09-16     2008-09-16
Redback Networks, Inc.                          Unknown         2008-09-16     2008-09-16
Roaring Penguin Software Inc.                   Not Vulnerable  2008-09-17     2008-10-16
SecPoint                                        Vulnerable      2008-09-24     2008-10-16
Secure Computing Enterprise Security Division   Unknown         2008-09-18     2008-09-18
Secure Computing Network Security Division      Unknown         2008-09-16     2008-09-16
Securence                                       Not Vulnerable  2008-09-19     2008-10-16
Secureworx, Inc.                                Unknown         2008-09-16     2008-09-16
Silicon Graphics, Inc.                          Unknown         2008-09-16     2008-09-16
Slackware Linux Inc.                            Unknown         2008-09-16     2008-09-16
SmoothWall                                      Unknown         2008-09-16     2008-09-16
Snort                                           Unknown         2008-09-16     2008-09-16
Soapstone Networks                              Unknown         2008-09-16     2008-09-16
Sony Corporation                                Unknown         2008-09-16     2008-09-16
Sourcefire                                      Unknown         2008-09-16     2008-09-16
Stonesoft                                       Unknown         2008-09-16     2008-09-16
Sun Microsystems, Inc.                          Not Vulnerable  2008-09-16     2008-10-16
SUSE Linux                                      Not Vulnerable  2008-09-16     2008-10-16
Symantec, Inc.                                  Not Vulnerable  2008-09-16     2008-10-30
The SCO Group                                   Unknown         2008-09-16     2008-09-16
TippingPoint, Technologies, Inc.                Unknown         2008-09-16     2008-09-16
Turbolinux                                      Unknown         2008-09-16     2008-09-16
U4EA Technologies, Inc.                         Unknown         2008-09-16     2008-09-16
Ubuntu                                          Unknown         2008-09-16     2008-09-16
Unisys                                          Unknown         2008-09-16     2008-09-16
Vyatta                                          Unknown         2008-09-16     2008-09-16
Watchguard Technologies, Inc.                   Unknown         2008-09-16     2008-09-16
Wind River Systems, Inc.                        Unknown         2008-09-16     2008-09-16
ZyXEL                                           Unknown         2008-09-16     2008-09-16

References

http://www.kb.cert.org/vuls/id/814627
http://www.ietf.org/rfc/rfc4408.txt
http://www.doxpara.com/?page_id=1256
http://www.libspf2.org/docs/html/

Credit

This issue was reported by Dan Kaminsky of Doxpara Research.

This document was written by Chris Taschner.

Other Information

Date Public: 10/21/2008
Date First Published: 10/30/2008 08:43:00 AM
Date Last Updated: 04/30/2009
CERT Advisory:
CVE Name: CVE-2008-2469
Metric: 9.00
Document Revision: 22

Copyright 2008 Carnegie Mellon University