Software Engineering Institute

The Postfix Advisory for CVE-2011-1720 states:

"The Postfix SMTP server fails to create a new Cyrus SASL server handle after authentication failure. This causes memory corruption when, for example, a client requests CRAM-MD5 authentication, fails to authenticate, and then invokes some other authentication mechanism except PLAIN (or ANONYMOUS if available). The likely outcome is that the Postfix SMTP server process crashes with a segmentation violation error (SIGSEGV, a.k.a. signal 11)."
...
"The memory corruption is known to result in a program crash (SIGSEV). Remote code execution cannot be excluded. Such code would execute as the unprivileged "postfix" user. This user has no control over processes that run with non-postfix privileges including Postfix processes running as root; the impact may be reduced with configurations that enable the Postfix chroot feature or that use platform-dependent privilege-reducing features."

A remote attacker can cause a denial of service or possibly execute arbitrary code.

Apply an Update
This vulnerability has been fixed in Postfix stable versions 2.5.13, 2.6.10, 2.7.4, 2.8.3. Patches for Postfix version 1.1 and later can be obtained from the Postfix Download Site.

Workarounds

The following workaround is provided in the Postfix Advisory for CVE-2011-1720:

Disable Cyrus SASL authentication mechanisms for the Postfix SMTP server other than PLAIN and LOGIN. The mechanisms are specified in a Cyrus SASL smtpd.conf configuration file. This file may be found in /etc/postfix/sasl/, /var/lib/sasl2/, /etc/sasl2/, /usr/lib/sasl2/ or /usr/local/lib/sasl2/.

In this file, update the "mech_list:" entry and remove any methods other than PLAIN and LOGIN. For example, this configuration is not affected:

mech_list: PLAIN LOGIN

Execute the command "postfix reload" to make the change effective, then verify that the "port 25" and "port 587" services no longer announce other SASL mechanisms, as shown in the previous section.