
CERT Coordination Center

Postfix SMTP server Cyrus SASL support contains a memory corruption vulnerability

Vulnerability Note VU#727230

Original Release Date: 2011-05-11 | Last Revised: 2011-05-17

Overview

The Postfix SMTP server contains a memory corruption vulnerability that is reachable when the Cyrus SASL library is used with authentication mechanisms other than PLAIN and LOGIN.

Description

The Postfix Advisory for CVE-2011-1720 states:

"The Postfix SMTP server fails to create a new Cyrus SASL server handle after authentication failure. This causes memory corruption when, for example, a client requests CRAM-MD5 authentication, fails to authenticate, and then invokes some other authentication mechanism except PLAIN (or ANONYMOUS if available). The likely outcome is that the Postfix SMTP server process crashes with a segmentation violation error (SIGSEGV, a.k.a. signal 11)."
...
"The memory corruption is known to result in a program crash (SIGSEGV). Remote code execution cannot be excluded. Such code would execute as the unprivileged "postfix" user. This user has no control over processes that run with non-postfix privileges including Postfix processes running as root; the impact may be reduced with configurations that enable the Postfix chroot feature or that use platform-dependent privilege-reducing features."

Impact

A remote attacker can cause a denial of service or possibly execute arbitrary code.

Solution

Apply an Update
This vulnerability has been fixed in Postfix stable versions 2.5.13, 2.6.10, 2.7.4, 2.8.3. Patches for Postfix version 1.1 and later can be obtained from the Postfix Download Site.

Workarounds


The following workaround is provided in the Postfix Advisory for CVE-2011-1720:

Disable Cyrus SASL authentication mechanisms for the Postfix SMTP server other than PLAIN and LOGIN. The mechanisms are specified in a Cyrus SASL smtpd.conf configuration file. This file may be found in /etc/postfix/sasl/, /var/lib/sasl2/, /etc/sasl2/, /usr/lib/sasl2/ or /usr/local/lib/sasl2/.

In this file, update the "mech_list:" entry and remove any methods other than PLAIN and LOGIN. For example, this configuration is not affected:

mech_list: PLAIN LOGIN

Execute the command "postfix reload" to make the change effective, then verify that the "port 25" and "port 587" services no longer announce other SASL mechanisms, as shown in the previous section of that advisory.
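The following script is an added example, not code from CERT or from the Postfix project. It automates the two checks the workaround calls for: it reads the "mech_list:" entry out of a Cyrus SASL smtpd.conf and flags anything other than PLAIN and LOGIN, and it parses the AUTH capability lines of an EHLO reply (both the "250-AUTH ..." form and the legacy "250-AUTH=..." form) so you can confirm that port 25 and port 587 no longer announce other mechanisms. The smtpd.conf text, the EHLO reply and the host name in live_auth_mechs() are constructed for the example; the live check uses the standard library's smtplib and is not exercised offline.

```python
"""Audit helpers for the CVE-2011-1720 workaround (constructed example).

Checks that a Cyrus SASL smtpd.conf limits mech_list to PLAIN and LOGIN and
that a Postfix SMTP server's EHLO reply advertises nothing else.
"""
import re
import smtplib
from typing import List

# The only mechanisms the workaround leaves enabled.
SAFE_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample of /etc/postfix/sasl/smtpd.conf that still exposes the bug.
SAMPLE_SMTPD_CONF_VULNERABLE = """\
# constructed sample of /etc/postfix/sasl/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
"""

# The same file with the advisory's workaround applied.
SAMPLE_SMTPD_CONF_FIXED = "mech_list: PLAIN LOGIN\n"

# Constructed EHLO reply from a server that has not applied the workaround.
# The 'AUTH=' line is the legacy form Postfix adds for broken SASL clients.
SAMPLE_EHLO_VULNERABLE = """\
250-mail.example.test
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-ENHANCEDSTATUSCODES
250 DSN
"""


def mech_list_from_smtpd_conf(text: str) -> List[str]:
    """Return the mechanisms on the last 'mech_list:' line of a Cyrus SASL config.

    An empty result means no mech_list line exists, in which case the installed
    Cyrus plugins, not this file, decide which mechanisms are offered.
    """
    mechs: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"mech_list\s*:\s*(.*)$", line, re.IGNORECASE)
        if m:
            mechs = [x.upper() for x in m.group(1).split()]
    return mechs


def auth_mechs_from_ehlo(response: str) -> List[str]:
    """Collect mechanisms from every 'AUTH' or 'AUTH=' capability line of an EHLO reply."""
    found = set()
    for raw in response.splitlines():
        m = re.match(r"250[ -]AUTH[ =](.*)$", raw.strip(), re.IGNORECASE)
        if m:
            found.update(x.upper() for x in m.group(1).split())
    return sorted(found)


def risky_mechs(mechs) -> List[str]:
    """Mechanisms outside PLAIN/LOGIN, i.e. those that can still trigger the bug."""
    return sorted(set(m.upper() for m in mechs) - SAFE_MECHS)


def workaround_in_place(mechs) -> bool:
    """True when nothing beyond PLAIN and LOGIN is configured or advertised."""
    return not risky_mechs(mechs)


def live_auth_mechs(host: str, port: int = 587, use_starttls: bool = True) -> List[str]:
    """Ask a real server (hypothetical host; not run offline) what it advertises.

    Postfix with smtpd_tls_auth_only = yes only announces AUTH after STARTTLS,
    so the session is upgraded first when the server offers it.
    """
    with smtplib.SMTP(host, port, timeout=10) as conn:
        conn.ehlo()
        if use_starttls and conn.has_extn("starttls"):
            conn.starttls()
            conn.ehlo()                # capabilities must be re-read after STARTTLS
        # smtplib folds both 'AUTH' and 'AUTH=' lines into esmtp_features['auth']
        return sorted(set(conn.esmtp_features.get("auth", "").upper().split()))


if __name__ == "__main__":
    for label, mechs in (
        ("smtpd.conf (before)", mech_list_from_smtpd_conf(SAMPLE_SMTPD_CONF_VULNERABLE)),
        ("smtpd.conf (after)", mech_list_from_smtpd_conf(SAMPLE_SMTPD_CONF_FIXED)),
        ("EHLO (before)", auth_mechs_from_ehlo(SAMPLE_EHLO_VULNERABLE)),
    ):
        print(f"{label}: {mechs} -> risky {risky_mechs(mechs)}; "
              f"workaround in place: {workaround_in_place(mechs)}")
```

Run the EHLO check against both port 25 and port 587 after "postfix reload"; the config check alone is not enough, because a smtpd.conf in a directory Cyrus does not search (or a chrooted smtpd reading a different copy) leaves the extra mechanisms advertised even though the file you edited looks correct.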

Vendor Information


Debian GNU/Linux

Notified:  April 20, 2011 Updated:  May 11, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Mandriva S. A.

Notified:  April 20, 2011 Updated:  May 17, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Red Hat, Inc.

Notified:  April 20, 2011 Updated:  May 11, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

SUSE Linux

Notified:  April 20, 2011 Updated:  May 11, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu

Notified:  April 20, 2011 Updated:  May 11, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Apple Inc.

Notified:  April 20, 2011 Updated:  April 20, 2011

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CentOS

Notified:  April 22, 2011 Updated:  April 22, 2011

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD Project

Notified:  April 20, 2011 Updated:  April 20, 2011

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux

Notified:  April 20, 2011 Updated:  April 20, 2011

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD

Notified:  April 20, 2011 Updated:  April 20, 2011

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD

Notified:  April 20, 2011 Updated:  April 20, 2011

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Oracle Corporation

Notified:  April 20, 2011 Updated:  April 20, 2011

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc.

Notified:  April 20, 2011 Updated:  April 20, 2011

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Symantec

Notified:  April 20, 2011 Updated:  April 20, 2011

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.



CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Acknowledgements

Thanks to Thomas Jarosch of Intra2net AG for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2011-1720
Severity Metric: 1.87
Date Public: 2011-05-09
Date First Published: 2011-05-11
Date Last Updated: 2011-05-17 11:52 UTC
Document Revision: 16

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.