Vulnerability Note VU#727230

Postfix SMTP server Cyrus SASL support contains a memory corruption vulnerability

Original Release date: 11 May 2011 | Last revised: 17 May 2011

Overview

The Postfix SMTP server has a memory corruption error when the Cyrus SASL library is used with authentication mechanisms other than PLAIN and LOGIN.

Description

The Postfix Advisory for CVE-2011-1720 states:

"The Postfix SMTP server fails to create a new Cyrus SASL server handle after authentication failure. This causes memory corruption when, for example, a client requests CRAM-MD5 authentication, fails to authenticate, and then invokes some other authentication mechanism except PLAIN (or ANONYMOUS if available). The likely outcome is that the Postfix SMTP server process crashes with a segmentation violation error (SIGSEGV, a.k.a. signal 11)."
...
"The memory corruption is known to result in a program crash (SIGSEGV). Remote code execution cannot be excluded. Such code would execute as the unprivileged "postfix" user. This user has no control over processes that run with non-postfix privileges including Postfix processes running as root; the impact may be reduced with configurations that enable the Postfix chroot feature or that use platform-dependent privilege-reducing features."

Impact

A remote attacker can cause a denial of service or possibly execute arbitrary code.

Solution

Apply an Update
This vulnerability has been fixed in Postfix stable versions 2.5.13, 2.6.10, 2.7.4, 2.8.3. Patches for Postfix version 1.1 and later can be obtained from the Postfix Download Site.

Workarounds


The following workaround is provided in the Postfix Advisory for CVE-2011-1720:

Disable Cyrus SASL authentication mechanisms for the Postfix SMTP server other than PLAIN and LOGIN. The mechanisms are specified in a Cyrus SASL smtpd.conf configuration file. This file may be found in /etc/postfix/sasl/, /var/lib/sasl2/, /etc/sasl2/, /usr/lib/sasl2/ or /usr/local/lib/sasl2/.

In this file, update the "mech_list:" entry and remove any methods other than PLAIN and LOGIN. For example, this configuration is not affected:

mech_list: PLAIN LOGIN

Execute the command "postfix reload" to make the change effective, then verify that the "port 25" and "port 587" services no longer announce other SASL mechanisms, as shown in the previous section.
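Added example (not part of this note or of the Postfix advisory): a Python check for the verification step above. It parses an EHLO response and reports any announced SASL mechanism other than PLAIN and LOGIN; the sample responses, host names and the check_live_service helper are constructed for illustration.

```python
"""Check that a Postfix SMTP service announces only PLAIN and LOGIN
SASL mechanisms after the CVE-2011-1720 mech_list workaround."""
import smtplib

ALLOWED = {"PLAIN", "LOGIN"}


def parse_auth_mechanisms(ehlo_text):
    """Return the set of mechanism names from EHLO keyword lines.

    Accepts raw server lines ('250-AUTH PLAIN LOGIN') as well as the
    code-stripped text smtplib returns, and both the 'AUTH ...' and the
    legacy 'AUTH=...' announcement forms that Postfix emits."""
    mechs = set()
    for line in ehlo_text.splitlines():
        body = line[4:] if line.startswith("250") and len(line) > 4 else line
        body = body.strip()
        if body.upper().startswith("AUTH"):
            rest = body[4:].lstrip("= ")
            mechs.update(m.upper() for m in rest.split())
    return mechs


def unexpected_mechanisms(ehlo_text):
    """Mechanisms still announced that the workaround should have removed."""
    return parse_auth_mechanisms(ehlo_text) - ALLOWED


def check_live_service(host, port, helo_name="check.example"):
    """Connect to a real service (not used offline). Note that a server
    configured with smtpd_tls_auth_only may announce AUTH only after
    STARTTLS, in which case inspect the post-STARTTLS EHLO instead."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        _code, msg = smtp.ehlo(helo_name)
        return unexpected_mechanisms(msg.decode(errors="replace"))


# Constructed sample EHLO responses (before and after the workaround).
VULNERABLE_EHLO = """250-mail.example.test
250-PIPELINING
250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250 8BITMIME"""

HARDENED_EHLO = """250-mail.example.test
250-PIPELINING
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME"""

if __name__ == "__main__":
    for name, text in (("before", VULNERABLE_EHLO), ("after", HARDENED_EHLO)):
        print(name, sorted(unexpected_mechanisms(text)) or "OK")
```

Run check_live_service against both port 25 and port 587 after "postfix reload"; an empty result means no mechanism beyond PLAIN and LOGIN is announced.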

Vendor Information

Vendor                   Status     Date Notified   Date Updated
Debian GNU/Linux         Affected   20 Apr 2011     11 May 2011
Mandriva S. A.           Affected   20 Apr 2011     17 May 2011
Red Hat, Inc.            Affected   20 Apr 2011     11 May 2011
SUSE Linux               Affected   20 Apr 2011     11 May 2011
Ubuntu                   Affected   20 Apr 2011     11 May 2011
Apple Inc.               Unknown    20 Apr 2011     20 Apr 2011
CentOS                   Unknown    22 Apr 2011     22 Apr 2011
FreeBSD Project          Unknown    20 Apr 2011     20 Apr 2011
Gentoo Linux             Unknown    20 Apr 2011     20 Apr 2011
NetBSD                   Unknown    20 Apr 2011     20 Apr 2011
OpenBSD                  Unknown    20 Apr 2011     20 Apr 2011
Oracle Corporation       Unknown    20 Apr 2011     20 Apr 2011
Slackware Linux Inc.     Unknown    20 Apr 2011     20 Apr 2011
Symantec                 Unknown    20 Apr 2011     20 Apr 2011

CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A     N/A

References

Credit

Thanks to Thomas Jarosch of Intra2net AG for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2011-1720
  • Date Public: 09 May 2011
  • Date First Published: 11 May 2011
  • Date Last Updated: 17 May 2011
  • Severity Metric: 1.87
  • Document Revision: 16

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.