
CERT Coordination Center

Fail2ban postfix and cyrus-imap filters contain denial-of-service vulnerabilities

Vulnerability Note VU#686662

Original Release Date: 2014-01-28 | Last Revised: 2014-01-28

Overview

Fail2ban versions prior to 0.8.11 are susceptible to a denial-of-service attack when a maliciously crafted email address is parsed by the postfix or cyrus-imap filters. Deployments that have not enabled either of these filters are not affected.

Description

Fail2ban versions prior to 0.8.11 are susceptible to a denial-of-service attack when a maliciously crafted email address is parsed by the postfix or cyrus-imap filters. Both filters extract the address to ban from the log line with a regular expression whose <HOST> placeholder could match an IP address embedded in attacker-supplied text (the email address that the mail server echoes into its log) rather than the address of the connecting client. An attacker can therefore cause arbitrary IP addresses of their choosing to be blocked by fail2ban, without ever connecting from those addresses.

CVE-2013-7177: cyrus-imap
https://github.com/fail2ban/fail2ban/commit/bd175f026737d66e7110868fb50b3760ff75e087

CVE-2013-7176: postfix
https://github.com/fail2ban/fail2ban/commit/eb2f0c927257120dfc32d2450fd63f1962f38821
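The following is an added illustration of the bug class, not code from the CERT note or from the fail2ban project: a deliberately loose failregex (hypothetical, not fail2ban's actual postfix filter) whose greedy `.*` in front of the bracketed `<HOST>` token lets the regex engine bind the host to the last bracketed IP on the line, which the attacker controls through the envelope sender, next to a strict form that pins the host token to the client field postfix logs immediately after `RCPT from`. The log lines and the IPv4-only stand-in for fail2ban's `<HOST>` expansion are constructed for the example.

```python
import re

# Constructed sample log lines (not captured from a real system).
# In the first line the client that actually connected is 203.0.113.5; the
# attacker supplied the envelope sender attacker@[198.51.100.7], a valid
# RFC 5321 address literal, and postfix echoes it back into the log.
SPOOFED_LINE = (
    "Dec 20 10:15:32 mail postfix/smtpd[4242]: NOQUEUE: reject: RCPT from "
    "unknown[203.0.113.5]: 554 5.7.1 <attacker@[198.51.100.7]>: Sender address "
    "rejected: Access denied; from=<attacker@[198.51.100.7]> "
    "to=<bob@example.org> proto=ESMTP helo=<evil.example>"
)
# An ordinary reject with nothing attacker-controlled that looks like a host.
PLAIN_LINE = (
    "Dec 20 10:16:01 mail postfix/smtpd[4242]: NOQUEUE: reject: RCPT from "
    "badhost.example[192.0.2.9]: 554 5.7.1 <joe@example.com>: Recipient "
    "address rejected: Access denied; from=<joe@example.com> "
    "to=<nobody@example.org> proto=ESMTP helo=<badhost.example>"
)

# Simplified stand-in for fail2ban's <HOST> expansion (assumption for this
# example): IPv4 only, no hostnames or IPv6.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical loose failregex of the vulnerable kind. The greedy '.*' before
# '\[<HOST>\]' consumes the whole line and backtracks from the right, so the
# first bracketed IPv4 it finds is the LAST one on the line: the attacker's.
LOOSE_FAILREGEX = r"NOQUEUE: reject: RCPT from .*\[<HOST>\]"

# Hardened form: the host token must be the first run of non-space characters
# after "from " and must be followed by "]: 554 5.7.1 ", i.e. exactly the
# client field postfix writes, so later attacker-controlled fields are never
# eligible. Same shape as the fix described on this page; not the upstream regex.
STRICT_FAILREGEX = r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 "


def compile_failregex(failregex):
    """Expand the <HOST> placeholder and compile, as a filter engine would."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def extract_host(failregex, line):
    """Return the address the filter would hand to the ban action, or None."""
    m = compile_failregex(failregex).search(line)
    return m.group("host") if m else None


def ban_decision(failregex, line, real_client):
    """Describe whether a ban triggered by `line` hits the real client."""
    host = extract_host(failregex, line)
    if host is None:
        return "no match"
    if host == real_client:
        return "bans real client"
    return "bans spoofed host " + host


def has_greedy_wildcard_before_host(failregex):
    """Cheap lint: an unanchored '.*' or '.+' ahead of <HOST> is the warning sign."""
    before_host = failregex.split("<HOST>", 1)[0]
    return bool(re.search(r"\.[*+]", before_host))


if __name__ == "__main__":
    for name, rx in (("loose", LOOSE_FAILREGEX), ("strict", STRICT_FAILREGEX)):
        print(name, "spoofed line ->", ban_decision(rx, SPOOFED_LINE, "203.0.113.5"))
        print(name, "plain line   ->", ban_decision(rx, PLAIN_LINE, "192.0.2.9"))
        print(name, "greedy wildcard before <HOST>:", has_greedy_wildcard_before_host(rx))
```

Both regexes agree on the plain line; only the spoofed line separates them, which is why a filter should be exercised with hostile input rather than only with the log samples it was written against. For a real filter file the same check is done with fail2ban's own `fail2ban-regex` tool, feeding it a log line in which every attacker-controlled field carries a bracketed IP.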

Impact

A remote, unauthenticated attacker may cause an arbitrary IP address of the attacker's choosing to be blocked by Fail2ban, denying legitimate users at that address access to the services protected by the affected jail.

Solution

Apply an Update

Fail2ban 0.8.11 addresses these vulnerabilities. Users are advised to upgrade to Fail2ban 0.8.11 or later. Only deployments that enable the postfix or cyrus-imap filters are exposed; until the update is applied, the jails that use those two filters can be disabled as an interim measure.

Vendor Information


Fail2ban

Updated:  January 23, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics (CVSS v2)

Group Score Vector
Base 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C
Temporal 6.4 E:F/RL:OF/RC:C
Environmental 4.8 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Steven Hiscocks for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2013-7176, CVE-2013-7177
Date Public: 2014-01-20
Date First Published: 2014-01-28
Date Last Updated: 2014-01-28 15:09 UTC
Document Revision: 13

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.