Postfix SMTP Server Cyrus SASL supports Memory Corruption Vulnerability

Release date:
Updated on:

Affected Systems:
Wietse Venema Postfix 2.x
Ubuntu Linux 8.x
Ubuntu Linux 6.x
Ubuntu Linux 11.x
Ubuntu Linux 10.x
Unaffected system:
Wietse Venema Postfix 2.8.3
Wietse Venema Postfix 2.7.4
Wietse Venema Postfix 2.6.10
Wietse Venema Postfix 2.5.13
Description:
--------------------------------------------------------------------------------
Bugtraq id: 47778
Cve id: CVE-2011-1720

Postfix is the mail Transmission proxy used in Unix operating systems.

The Postfix SMTP Server has the Cyrus SASL support Memory Corruption Vulnerability. When Cyrus SASL support is enabled, the SMTP Server can be affected. Remote attackers can exploit this vulnerability to execute arbitrary code or cause DOS.

When SASL authentication is enabled, the Postfix SMTP Server creates a SASL handle for each SMTP session, which will be used until the SMTP connection is closed. According to the comments of the Cyrus SASL include source file, the server should not re-use the Cyrus SASL server after the client verification fails, but should create a new Cyrus SASL server handle containing the mechanism list. However, the Postfix SMTP Server does not create a new Cyrus SASL Server handle after the verification fails, resulting in DOS.

<* Source: Wietse Venema

Link: http://www.securityfocus.com/archive/1/517917
*>

Suggestion:
--------------------------------------------------------------------------------
Temporary solution:

If you cannot install or upgrade the patch immediately, NSFOCUS recommends that you take the following measures to reduce the threat:

* Disable the Cyrus SASL authentication mechanism for Postfix SMTP instead of PLAIN and LOGIN.

Vendor patch:

Wietse Venema
-------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://www.postfix.org/