Vulnerability Note VU#183657

libspf2 DNS TXT record parsing buffer overflow

Overview

libspf2 contains a buffer overflow vulnerability in code that parses DNS TXT records.

I. Description

libspf2 is a widely-deployed implementation of the Sender Policy Framework. According to RFC 4408:

    An SPF record is a DNS Resource Record (RR) that declares which hosts are, and are not, authorized to use a domain name for the "HELO" and "MAIL FROM" identities. Loosely, the record partitions all hosts into permitted and not-permitted sets (though some hosts might fall into neither category).

libspf2 contains a buffer overflow in DNS TXT record parsing. According to Doxpara Research:

    DNS TXT records have long been a little tricky to parse, due to them containing two length fields. First, there is the length field of the record as a whole. Then, there is a sublength field, from 0 to 255, that describes the length of a particular character string inside the larger record. There is nothing that links the two values, and DNS servers do not themselves enforce sanity checks here. As such, there is always a risk that when receiving a DNS TXT record, the outer record length will be the amount allocated, but the inner length will be copied.

This issue is similar to VU#814627 "Sendmail vulnerable to buffer overflow when DNS map is specified using TXT records."
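
The check that links the two length fields can be written as follows. This is an added example, not libspf2 code and not part of the original note; the function name txt_rdata_to_string and the sample records are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not libspf2's API): concatenate the character-strings
 * of one TXT RDATA into out, NUL-terminated.
 * rdata/rdlen: RDATA bytes and the outer RDLENGTH from the RR header.
 * Returns bytes written (excluding the NUL), or -1 if the record is
 * malformed or does not fit in out. */
long txt_rdata_to_string(const uint8_t *rdata, size_t rdlen,
                         char *out, size_t outcap)
{
    size_t in = 0, written = 0;

    if (rdata == NULL || out == NULL || outcap == 0)
        return -1;

    while (in < rdlen) {
        size_t slen = rdata[in++];      /* inner length field, 0..255 */

        /* The inner length must fit in what is left of the outer record. */
        if (slen > rdlen - in)
            return -1;
        /* It must also fit in the destination, leaving room for the NUL. */
        if (slen > outcap - 1 - written)
            return -1;

        memcpy(out + written, rdata + in, slen);
        written += slen;
        in += slen;
    }
    out[written] = '\0';
    return (long)written;
}

int main(void)
{
    /* Constructed samples: a well-formed record, and one whose inner
     * length (200) exceeds the 4-byte outer record. */
    const uint8_t good[] = { 6, 'v', '=', 's', 'p', 'f', '1' };
    const uint8_t bad[]  = { 200, 'v', '=', 's' };
    char buf[64];

    printf("good: %ld\n", txt_rdata_to_string(good, sizeof good, buf, sizeof buf));
    printf("bad:  %ld\n", txt_rdata_to_string(bad, sizeof bad, buf, sizeof buf));
    return 0;
}
```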

II. Impact

This vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code on a system running libspf2.

III. Solution

Upgrade

Vendors and those who directly use libspf2 should upgrade to version 1.2.8.

Users that run a mail server or anti-spam products should consult their vendor for an appropriate patch.

Systems Affected

Vendor | Status | Date Notified | Date Updated
3com, Inc. | Unknown | 2008-09-16 | 2008-09-16
ACCESS | Unknown | 2008-09-16 | 2008-09-16
Alcatel-Lucent | Unknown | 2008-09-16 | 2008-09-16
Apple Computer, Inc. | Unknown | 2008-09-16 | 2008-09-16
AT&T | Unknown | 2008-09-16 | 2008-09-16
Avaya, Inc. | Unknown | 2008-09-16 | 2008-09-16
Barracuda Networks | Unknown | 2008-09-16 | 2008-09-16
Belkin, Inc. | Unknown | 2008-09-16 | 2008-09-16
Bizanga | Not Vulnerable | 2008-09-17 | 2008-10-16
BlueCat Networks, Inc. | Vulnerable | 2008-09-18 | 2008-10-30
Borderware Technologies | Unknown | 2008-09-16 | 2008-09-16
Bro | Unknown | 2008-09-16 | 2008-09-16
Charlotte's Web Networks | Unknown | 2008-09-16 | 2008-09-16
Check Point Software Technologies | Unknown | 2008-09-16 | 2008-09-16
CIAC | Unknown | 2008-09-16 | 2008-09-16
Cisco Systems, Inc. | Not Vulnerable | 2008-09-16 | 2008-11-07
Clavister | Unknown | 2008-09-16 | 2008-09-16
Cloudmark | Unknown | 2008-09-23 | 2008-09-23
Computer Associates | Unknown | 2008-09-16 | 2008-09-16
Computer Associates eTrust Security Management | Unknown | 2008-09-16 | 2008-09-16
Conectiva Inc. | Unknown | 2008-09-16 | 2008-09-16
Cray Inc. | Unknown | 2008-09-16 | 2008-09-16
D-Link Systems, Inc. | Unknown | 2008-09-16 | 2008-09-16
Data Connection, Ltd. | Unknown | 2008-09-16 | 2008-09-16
Debian GNU/Linux | Unknown | 2008-09-16 | 2008-09-16
DragonFly BSD Project | Unknown | 2008-09-16 | 2008-09-16
Eland Systems | Not Vulnerable | 2008-09-17 | 2008-10-16
EMC Corporation | Unknown | 2008-09-16 | 2008-09-16
Engarde Secure Linux | Unknown | 2008-09-16 | 2008-09-16
Enterasys Networks | Unknown | 2008-09-16 | 2008-09-16
Ericsson | Unknown | 2008-09-16 | 2008-09-16
eSoft, Inc. | Unknown | 2008-09-16 | 2008-09-16
Extreme Networks | Not Vulnerable | 2008-09-16 | 2009-04-30
F5 Networks, Inc. | Unknown | 2008-09-16 | 2008-09-16
Fedora Project | Unknown | 2008-09-16 | 2008-09-16
Force10 Networks, Inc. | Unknown | 2008-09-16 | 2008-09-16
Fortinet, Inc. | Unknown | 2008-09-16 | 2008-09-16
Foundry Networks, Inc. | Unknown | 2008-09-16 | 2008-09-16
FreeBSD, Inc. | Unknown | 2008-09-16 | 2008-09-16
Fujitsu | Unknown | 2008-09-16 | 2008-09-16
Gentoo Linux | Unknown | 2008-09-16 | 2008-09-16
Global Technology Associates | Unknown | 2008-09-16 | 2008-09-16
Hewlett-Packard Company | Unknown | 2008-09-16 | 2008-09-16
Hitachi | Unknown | 2008-09-16 | 2008-09-16
IBM Corporation | Unknown | 2008-09-16 | 2008-09-16
IBM Corporation (zseries) | Unknown | 2008-09-16 | 2008-09-16
IBM eServer | Unknown | 2008-09-16 | 2008-09-16
Ingrian Networks, Inc. | Unknown | 2008-09-16 | 2008-09-16
Intel Corporation | Unknown | 2008-09-16 | 2008-09-16
Internet Security Systems, Inc. | Unknown | 2008-09-16 | 2008-09-16
Intoto | Unknown | 2008-09-16 | 2008-09-16
IP Filter | Unknown | 2008-09-16 | 2008-09-16
IP Infusion, Inc. | Unknown | 2008-09-16 | 2008-09-16
Juniper Networks, Inc. | Unknown | 2008-09-16 | 2008-09-16
Luminous Networks | Unknown | 2008-09-16 | 2008-09-16
m0n0wall | Unknown | 2008-09-16 | 2008-09-16
MailFoundry | Not Vulnerable | 2008-09-18 | 2008-10-23
Mandriva, Inc. | Unknown | 2008-09-16 | 2008-09-16
McAfee | Vulnerable | 2008-09-16 | 2008-10-16
Messaging Architects | Unknown | 2008-09-18 | 2008-09-18
Microsoft Corporation | Unknown | 2008-09-16 | 2008-09-16
Mirapoint, Inc. | Unknown | 2008-09-18 | 2008-09-18
MontaVista Software, Inc. | Unknown | 2008-09-16 | 2008-09-16
Multitech, Inc. | Unknown | 2008-09-16 | 2008-09-16
NEC Corporation | Unknown | 2008-09-16 | 2008-09-16
NetApp | Unknown | 2008-09-16 | 2008-09-16
NetBSD | Unknown | 2008-09-16 | 2008-09-16
netfilter | Unknown | 2008-09-16 | 2008-09-16
Nokia | Unknown | 2008-09-16 | 2008-09-16
Nortel Networks, Inc. | Unknown | 2008-09-16 | 2008-09-16
Novell, Inc. | Unknown | 2008-09-16 | 2008-09-16
OpenBSD | Unknown | 2008-09-16 | 2008-09-16
Openwall GNU/*/Linux | Not Vulnerable | 2008-09-16 | 2008-10-16
OpenWave | Unknown | 2008-09-19 | 2008-09-19
PePLink | Unknown | 2008-09-16 | 2008-09-16
Process Software | Vulnerable | 2008-09-16 | 2008-10-16
Proofpoint | Not Vulnerable | 2008-09-18 | 2008-10-16
Q1 Labs | Unknown | 2008-09-16 | 2008-09-16
QNX, Software Systems, Inc. | Unknown | 2008-09-16 | 2008-09-16
Quagga | Unknown | 2008-09-16 | 2008-09-16
RadWare, Inc. | Unknown | 2008-09-16 | 2008-09-16
Red Hat, Inc. | Unknown | 2008-09-16 | 2008-09-16
Redback Networks, Inc. | Unknown | 2008-09-16 | 2008-09-16
Roaring Penguin Software Inc. | Not Vulnerable | 2008-09-17 | 2008-10-16
SecPoint | Vulnerable | 2008-09-24 | 2008-10-16
Secure Computing Enterprise Security Division | Unknown | 2008-09-18 | 2008-09-18
Secure Computing Network Security Division | Unknown | 2008-09-16 | 2008-09-16
Securence | Not Vulnerable | 2008-09-19 | 2008-10-16
Secureworx, Inc. | Unknown | 2008-09-16 | 2008-09-16
Silicon Graphics, Inc. | Unknown | 2008-09-16 | 2008-09-16
Slackware Linux Inc. | Unknown | 2008-09-16 | 2008-09-16
SmoothWall | Unknown | 2008-09-16 | 2008-09-16
Snort | Unknown | 2008-09-16 | 2008-09-16
Soapstone Networks | Unknown | 2008-09-16 | 2008-09-16
Sony Corporation | Unknown | 2008-09-16 | 2008-09-16
Sourcefire | Unknown | 2008-09-16 | 2008-09-16
Stonesoft | Unknown | 2008-09-16 | 2008-09-16
Sun Microsystems, Inc. | Not Vulnerable | 2008-09-16 | 2008-10-16
SUSE Linux | Not Vulnerable | 2008-09-16 | 2008-10-16
Symantec, Inc. | Not Vulnerable | 2008-09-16 | 2008-10-30
The SCO Group | Unknown | 2008-09-16 | 2008-09-16
TippingPoint, Technologies, Inc. | Unknown | 2008-09-16 | 2008-09-16
Turbolinux | Unknown | 2008-09-16 | 2008-09-16
U4EA Technologies, Inc. | Unknown | 2008-09-16 | 2008-09-16
Ubuntu | Unknown | 2008-09-16 | 2008-09-16
Unisys | Unknown | 2008-09-16 | 2008-09-16
Vyatta | Unknown | 2008-09-16 | 2008-09-16
Watchguard Technologies, Inc. | Unknown | 2008-09-16 | 2008-09-16
Wind River Systems, Inc. | Unknown | 2008-09-16 | 2008-09-16
ZyXEL | Unknown | 2008-09-16 | 2008-09-16

References

http://www.kb.cert.org/vuls/id/814627
http://www.ietf.org/rfc/rfc4408.txt
http://www.doxpara.com/?page_id=1256
http://www.libspf2.org/docs/html/

Credit

This issue was reported by Dan Kaminsky of Doxpara Research.

This document was written by Chris Taschner.

Other Information

Date Public: 2008-10-21
Date First Published: 2008-10-30
Date Last Updated: 2009-04-30
CERT Advisory:
CVE-ID(s): CVE-2008-2469
NVD-ID(s): CVE-2008-2469
US-CERT Technical Alerts:
Metric: 9.00
Document Revision: 22

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Produced 2008 by US-CERT, a government organization