search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Cyrus SASL library buffer overflow vulnerability

Vulnerability Note VU#238019

Original Release Date: 2009-05-14 | Last Revised: 2009-08-26

Overview

The Cyrus SASL library contains a buffer overflow vulnerability that could allow an attacker to execute code or cause a vulnerable program to crash.

Description

SASL (Simple Authentication and Security Layer) is a method for adding authentication support to various protocols. SASL is commonly used by mail servers to request authentication from clients and by clients to authenticate to servers.

The sasl_encode64() function converts a string into base64. The Cyrus SASL library contains buffer overflows that occur because of unsafe use of the sasl_encode64() function.

Impact

A remote attacker might be able to execute code, or cause any programs relying on SASL to crash or be unavailable.

Solution

Upgrade
Cyrus SASL 2.1.23 has been released to address this issue. Before releasing fixed binaries, maintainers are encouraged to review the Cyrus vendor statement associated with this note.

Vendor Information

238019
 
Affected   Unknown   Unaffected

Apple Inc.

Updated:  August 26, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cyrus-IMAP

Updated:  May 13, 2009

Statement Date:   May 12, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

While this patch will fix currently vulnerable code, it can cause non-vulnerable existing code to break. Here's a function prototype from include/saslutil.h to clarify my explanation:

/* base64 encode
* in -- input data
* inlen -- input data length
* out -- output buffer (will be NUL terminated)
* outmax -- max size of output buffer
* result:
* outlen -- gets actual length of output buffer (optional)
*
* Returns SASL_OK on success, SASL_BUFOVER if result won't fit
*/
LIBSASL_API int sasl_encode64(const char *in, unsigned inlen,
char *out, unsigned outmax,
unsigned *outlen);

Assume a scenario where calling code has been written in such a way that it calculates the exact size required for base64 encoding in advance, then allocates a buffer of that exact size, passing a pointer to the
buffer into sasl_encode64() as *out. As long as this code does not anticipate that the buffer is NUL-terminated (does not call any string-handling functions like strlen(), for example) the code will work and it will not be vulnerable.

Once this patch is applied, that same code will break because sasl_encode64() will begin to return SASL_BUFOVER.

Gentoo Linux

Notified:  April 28, 2009 Updated:  May 20, 2009

Statement Date:   May 20, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

Red Hat, Inc.

Notified:  April 28, 2009 Updated:  May 14, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc.

Notified:  April 28, 2009 Updated:  May 14, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group

Notified:  April 28, 2009 Updated:  May 15, 2009

Statement Date:   May 15, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SafeNet

Notified:  May 13, 2009 Updated:  June 15, 2009

Statement Date:   June 09, 2009

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva Inc.

Notified:  April 28, 2009 Updated:  April 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cray Inc.

Notified:  April 28, 2009 Updated:  April 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux

Notified:  April 28, 2009 Updated:  April 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux

Notified:  April 28, 2009 Updated:  April 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project

Notified:  April 28, 2009 Updated:  April 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company

Notified:  April 28, 2009 Updated:  April 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation (zseries)

Notified:  April 28, 2009 Updated:  April 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer

Notified:  April 28, 2009 Updated:  April 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ingrian Networks, Inc.

Notified:  April 28, 2009 Updated:  April 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc.

Notified:  May 18, 2009 Updated:  May 18, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva S. A.

Notified:  April 28, 2009 Updated:  April 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MontaVista Software, Inc.

Notified:  April 28, 2009 Updated:  April 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc.

Notified:  April 28, 2009 Updated:  April 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  April 28, 2009 Updated:  April 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux

Notified:  April 28, 2009 Updated:  April 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc.

Notified:  April 28, 2009 Updated:  April 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux

Notified:  April 28, 2009 Updated:  April 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu

Notified:  April 28, 2009 Updated:  April 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 25 vendors View less vendors


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to James Ralston for reporting this issue and providing technical information.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2009-0688
Severity Metric: 4.04
Date Public: 2009-04-08
Date First Published: 2009-05-14
Date Last Updated: 2009-08-26 13:19 UTC
Document Revision: 24

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.