Vulnerability Note VU#993452
Sendmail fails to appropriately initialize data structures for DNS maps
There is an uninitialized data structure in sendmail 8.12.(x < 9) servers configured to use DNS maps. An attacker able to send crafted DNS responses to affected sendmail servers may be able to crash the sendmail daemon, or potentially execute arbitrary code.
DNS maps are used in sendmail to provide a capability to dynamically look up information about a host before accepting mail from it. For example, a DNS request can be made to some site-specific authoritative source to determine whether the source of some message has previously been identified as a spam relay.
A failure to initialize RESOURCE_RECORD_T data structures in sendmail's implementation of DNS maps may lead to portions of memory in the sendmail process being freed in error. The error is in the dns_parse_reply() function in sm_resolve.c (patched):
A remote attacker may be able to cause sendmail to free() arbitrary chunks of memory. This could crash affected sendmail daemons, causing a denial of service. If an area of memory being freed is under the control of the intruder, remote execution of code with the privileges of the running daemon may be possible.
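The bug class described above, as an added illustration in C rather than sendmail's own code: the struct, the function names and the 0xA5 fill (a deterministic stand-in for stale heap contents) are all hypothetical. It counts the pointers an error-path cleanup would hand to free() after a failed parse, with and without zeroing the record first.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical record type; not sendmail's RESOURCE_RECORD_T definition. */
typedef struct rr {
    char *domain;       /* owned, released by cleanup */
    char *data;         /* owned, released by cleanup */
    struct rr *next;    /* followed by cleanup */
} rr_t;

/* Allocate a record. The 0xA5 fill models the stale bytes malloc() may
   return; real heap contents are unpredictable (assumption for the demo). */
static rr_t *rr_alloc(int initialize)
{
    rr_t *rr = malloc(sizeof(*rr));
    if (rr == NULL) return NULL;
    memset(rr, 0xA5, sizeof(*rr));
    if (initialize)
        memset(rr, 0, sizeof(*rr));   /* the fix: zero before any use */
    return rr;
}

/* Constructed parser: assigns domain, then returns early on a truncated
   reply, before data and next have been assigned. */
static int rr_parse(rr_t *rr, const char *name, int truncated)
{
    rr->domain = malloc(strlen(name) + 1);
    if (rr->domain == NULL) return -1;
    strcpy(rr->domain, name);
    if (truncated) return -1;
    rr->data = NULL;
    rr->next = NULL;
    return 0;
}

/* Number of pointers the error-path cleanup would pass to free() although
   the parser never assigned them. The strays are counted, never freed. */
int stray_frees_after_failed_parse(int initialize)
{
    rr_t *rr = rr_alloc(initialize);
    int stray = 0;
    if (rr == NULL) return -1;
    (void)rr_parse(rr, "host.example", 1);   /* constructed truncated reply */
    if (rr->data != NULL) stray++;   /* cleanup would free(rr->data) */
    if (rr->next != NULL) stray++;   /* cleanup would follow rr->next */
    free(rr->domain);
    free(rr);
    return stray;
}
```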
Apply patches as recommended by an appropriate vendor or upgrade to sendmail 8.12.9.
In addition, disabling features in sendmail that use DNS maps removes one precondition needed to exploit this vulnerability (e.g., disable FEATURE(`enhdnsbl'), "enhanced DNS-based blacklist lookups").
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
| FreeBSD | Affected | - | 26 Aug 2003 |
| MandrakeSoft | Affected | - | 26 Aug 2003 |
| OpenBSD | Affected | - | 28 Aug 2003 |
| OpenPKG | Affected | - | 28 Aug 2003 |
| Sendmail | Affected | - | 25 Aug 2003 |
| SGI | Affected | - | 25 Aug 2003 |
| SuSE Inc. | Affected | - | 26 Aug 2003 |
| Cray Inc. | Unknown | 26 Aug 2003 | 26 Aug 2003 |
| NetBSD | Unknown | - | 25 Aug 2003 |
- This issue is distinct from the one discussed in VU#814627.
Oleg Bulyzhin has been credited with reporting this vulnerability to FreeBSD. The issue was also reported to Sendmail by Maurice Makaay.
This document was written by Jeffrey S. Havrilla.
- CVE IDs: CAN-2003-0688
- Date Public: 11 Jul 2003
- Date First Published: 25 Aug 2003
- Date Last Updated: 30 Dec 2003
- Severity Metric: 15.75
- Document Revision: 20