Vulnerability Note VU#146718

Sendmail fails to handle malformed multipart MIME messages

Overview

Sendmail does not properly handle malformed multipart MIME messages. This vulnerability may allow a remote, unauthenticated attacker to cause a denial-of-service condition.

I. Description

Sendmail

Sendmail is a widely used mail transfer agent (MTA).

Mail Transfer Agents (MTA)

MTAs are responsible for sending an receiving email messages over the internet. They are also referred to as mail servers or SMTP servers.

The Problem

Sendmail fails to properly handle malformed mulitpart MIME messages. This vulnerability may be triggered by sending a specially crafted message to a vulnerable Sendmail MTA.

II. Impact

This vulnerability will not cause the Sendmail server process to terminate. However, it may cause the Sendmail to consume a large amount of system resources. Specifically, if a system writes uniquely named core dump files, this vulnerability may cause available disk space to be filled with core dumps leading to a disruption of system operation resulting in a denial-of-service condition.

Additionally, this vulnerability may cause queue runs to abort; if this situation were to occur, processing and delivery of queued messages would be prevented.

III. Solution

Upgrade Sendmail

This issue is corrected in Sendmail version 8.13.7.

The following workarounds were provided by Sendmail:

Limit message size

Limiting the maximum message size accepted by your server (via the sendmail MaxMessageSize option) will mitigate this vulnerability.

Remove stack size limit

If your operating system limits stack size, remove that limit. This will make the attack more difficult to accomplish, as it will require a very large message. Also, by limiting the maximum message size accepted by your server (via the sendmail MaxMessageSize option), you can eliminate the attack completely.

Configure your MTA to avoid the negative impacts listed above:

Disable core dumps.
Enable the ForkEachJob option at the cost of lower queue run performance and potentially a high number of processes.
Set QueueSortOrder to random, which will randomize the order jobs are processed. Note that with random queue sorting, the bad message will still be processed and the queue run aborted every time, but at a different, random spot.

Systems Affected

Vendor	Status	Date Notified
3com, Inc.	Unknown	10-May-2006
Alcatel	Unknown	10-May-2006
Apple Computer, Inc.	Unknown	10-May-2006
AT&T	Unknown	10-May-2006
Avaya, Inc.	Unknown	10-May-2006
Avici Systems, Inc.	Unknown	10-May-2006
Borderware Technologies	Not Vulnerable	26-May-2006
B.U.G., Inc	Not Vulnerable	14-Jun-2006
Century Systems Inc.	Not Vulnerable	14-Jun-2006
Charlotte's Web Networks	Unknown	10-May-2006
Check Point Software Technologies	Not Vulnerable	27-Jun-2006
Chiaro Networks, Inc.	Unknown	10-May-2006
Cisco Systems, Inc.	Unknown	10-May-2006
Computer Associates	Unknown	10-May-2006
Conectiva Inc.	Unknown	10-May-2006
Cray Inc.	Unknown	10-May-2006
D-Link Systems, Inc.	Unknown	10-May-2006
Data Connection, Ltd.	Unknown	10-May-2006
Debian GNU/Linux	Unknown	10-May-2006
DragonFly BSD Project	Unknown	10-May-2006
EMC, Inc. (formerly Data General Corporation)	Unknown	10-May-2006
Engarde Secure Linux	Unknown	10-May-2006
Ericsson	Unknown	10-May-2006
eSoft, Inc.	Unknown	10-May-2006
Extreme Networks	Unknown	10-May-2006
F5 Networks, Inc.	Not Vulnerable	16-May-2006
Fedora Project	Unknown	10-May-2006
Force10 Networks, Inc.	Unknown	10-May-2006
Fortinet, Inc.	Unknown	10-May-2006
Foundry Networks, Inc.	Not Vulnerable	15-Jun-2006
FreeBSD, Inc.	Vulnerable	15-Jun-2006
Fujitsu	Not Vulnerable	15-Jun-2006
Gentoo Linux	Vulnerable	16-Jun-2006
Global Technology Associates	Not Vulnerable	27-Jun-2006
GNU netfilter	Unknown	10-May-2006
Hewlett-Packard Company	Unknown	10-May-2006
Hitachi	Not Vulnerable	15-Jun-2006
Hyperchip	Unknown	10-May-2006
IBM Corporation	Vulnerable	15-Jun-2006
IBM Corporation (zseries)	Unknown	10-May-2006
IBM eServer	Unknown	10-May-2006
Immunix Communications, Inc.	Unknown	10-May-2006
Ingrian Networks, Inc.	Unknown	10-May-2006
Intel Corporation	Unknown	10-May-2006
Internet Initiative Japan	Not Vulnerable	14-Jun-2006
Internet Security Systems, Inc.	Unknown	10-May-2006
Intoto	Not Vulnerable	10-May-2006
IP Filter	Unknown	10-May-2006
Juniper Networks, Inc.	Unknown	10-May-2006
Justsystem Corporation	Not Vulnerable	14-Jun-2006
Linksys (A division of Cisco Systems)	Unknown	10-May-2006
Lotus Software	Not Vulnerable	11-May-2006
Lucent Technologies	Unknown	10-May-2006
Luminous Networks	Unknown	10-May-2006
Mandriva, Inc.	Unknown	10-May-2006
Microsoft Corporation	Unknown	10-May-2006
Mirapoint, Inc.	Not Vulnerable	15-Jul-2006
MontaVista Software, Inc.	Unknown	10-May-2006
Multinet (owned Process Software Corporation)	Unknown	10-May-2006
Multitech, Inc.	Unknown	10-May-2006
NEC Corporation	Not Vulnerable	15-Jun-2006
NetBSD	Vulnerable	15-Jun-2006
Network Appliance, Inc.	Not Vulnerable	13-May-2006
NextHop Technologies, Inc.	Unknown	10-May-2006
Nokia	Unknown	10-May-2006
Nortel Networks, Inc.	Not Vulnerable	17-Jun-2006
Novell, Inc.	Unknown	10-May-2006
OpenBSD	Unknown	8-Jun-2006
Openwall GNU/*/Linux	Not Vulnerable	10-May-2006
Oracle Corporation	Not Vulnerable	16-May-2006
QNX, Software Systems, Inc.	Unknown	10-May-2006
Red Hat, Inc.	Vulnerable	14-Jun-2006
Redback Networks, Inc.	Not Vulnerable	9-Jun-2006
Riverstone Networks, Inc.	Unknown	10-May-2006
Secure Computing Network Security Division	Not Vulnerable	22-Jun-2006
Secureworx, Inc.	Unknown	31-May-2006
Sendmail Consortium	Vulnerable	15-Jun-2006
Sendmail, Inc.	Vulnerable	15-Jun-2006
Silicon Graphics, Inc.	Unknown	10-May-2006
Slackware Linux Inc.	Unknown	10-May-2006
Sony Corporation	Unknown	10-May-2006
Stonesoft	Unknown	13-May-2006
Sun Microsystems, Inc.	Vulnerable	14-Jun-2006
SUSE Linux	Unknown	10-May-2006
Symantec, Inc.	Unknown	10-May-2006
Syntegra	Not Vulnerable	15-Jun-2006
The SCO Group	Unknown	15-Jun-2006
The SCO Group (SCO Unix)	Unknown	28-May-2006
Trustix Secure Linux	Unknown	10-May-2006
Turbolinux	Unknown	10-May-2006
Ubuntu	Unknown	10-May-2006
Unisys	Unknown	10-May-2006
Watchguard Technologies, Inc.	Unknown	10-May-2006
Wind River Systems, Inc.	Unknown	10-May-2006
Yamaha Corporation	Not Vulnerable	14-Jun-2006
Yokogawa Electric Corporation	Not Vulnerable	14-Jun-2006
ZyXEL	Unknown	10-May-2006

References

http://www.sendmail.com/security/advisories/SA-200605-01.txt.asc
http://www.sendmail.org/releases/8.13.7.html
http://www.sendmail.org/releases/8.13.7.html#RS
http://jvn.jp/cert/JVNVU%23146718/index.html
http://secunia.com/advisories/20473/
http://secunia.com/advisories/15779/
http://secunia.com/advisories/20641/
http://secunia.com/advisories/20673/
http://secunia.com/advisories/20650/
http://secunia.com/advisories/20654/
http://secunia.com/advisories/20651/
http://secunia.com/advisories/20683/

Credit

This vulnerability was reported by Sendmail.

This document was written by Jeff Gennari based on information from Sendmail.

Other Information

Date Public:	2006-06-14
Date First Published:	2006-06-15
Date Last Updated:	2006-10-03
CERT Advisory:
CVE-ID(s):	CVE-2006-1173
NVD-ID(s):	CVE-2006-1173
US-CERT Technical Alerts:
Metric:	13.51
Document Revision:	41

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2006 by US-CERT, a government organization
Disclaimers and copyright information

Get Adobe Reader