=====================================================================
                                    CERT-Renater

                         Information Note No. 2006/VULN337
_____________________________________________________________________

DATE                      : 15/06/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Sendmail.

======================================================================

=============================================================================
Sendmail-SA-200605-01                                       Security Advisory
                                                                Sendmail, Inc.

Topic:          Deeply nested malformed MIME denial of service attack

Class:          Remote Denial of Service
Severity:       Low
Announced:      2006-06-14 09:00 PDT
Credits:        Frank Sheiness
Affects:        Sendmail Switch 3.2.0
                 Sendmail Switch for Windows 3.1.3 and earlier
                 Sendmail Switch 3.1.8 and earlier
                 Intelligent Quarantine 3.0 (includes Switch)
                 Sendmail Advanced Message Store (SAMS) (includes Switch)
                 Sendmail Sentrion 1.5.1 and earlier
                 Mailstream Gatekeeper (includes Sentrion OS)
                 Mailstream Governor (includes Sentrion OS)
                 Sendmail Pro all versions
Resolved:       Sendmail Switch 3.2.1
                 Sendmail Switch for Windows 3.1.4
                 Sendmail Switch 3.1.9
                 Sendmail Sentrion 1.5.2

For general information regarding Sendmail, Inc. Security Advisories,
including descriptions of the fields above, other security advisories,
and the following sections, please visit <http://www.sendmail.com/security/>.


I. Background

     Sendmail Switch and the Sendmail Sentrion appliances include the
     sendmail MTA which is used to route mail into and out of an
     organization using SMTP.  The MTA supports MIME 8-bit to 7-bit
     conversion when talking to remote MTAs which do not support 8-bit MIME.
     This conversion routine is also used to enforce the MaxMimeHeaderLength
     option which protects users from buffer overflows in older versions of
     mail user agents.

     Note that the open source and vendor versions of the sendmail MTA
     are also affected but this advisory only covers the commercial
     products.  For the open source version, please see the open source
     URL in the Reference section below.  For third party vendor
     versions, please contact your vendor.


II. Problem Description

     During message delivery, certain deeply nested malformed MIME messages
     can cause the MIME 8-bit to 7-bit conversion routine to exhaust the
     per-process stack space memory available and cause that process to
     abort.  Depending on system configuration, this may also cause a core
     dump for that process to be written to disk.

     To the best of our knowledge, this type of attack is not currently in
     use and the problem was found through a report of an isolated and
     unintentional incident.  That said, the information contained in this
     advisory is now generally known and there may be a higher likelihood of
     occurrence.  Therefore, Sendmail recommends that you take immediate
     action.


III. Impact

     The process which exits abnormally is not the server process and will
     not cause your system to stop accepting connections, but there are two
     problems which can occur due to this bug:

     1. If your system writes uniquely named core dump files per process,
        there is the potential for disk space to be filled with core dumps.

     2. A deeply nested malformed MIME message in the queue will cause queue
        runs to abort when trying to process the message.  This can prevent
        delivery attempts on other queued messages.


IV. Workaround

     If you are unable to immediately install the patch described in the
     Solution section below or there is not a patch available for your
     version, you can protect your system by using one of these workarounds:

     1. The Sendmail Consortium is releasing an open source mail filter
        for UNIX systems which blocks messages that may trigger this problem.

        For more information on this filter, please see the Sendmail
        Knowledge Base article referenced below.

     2. If your operating system limits stack size, remove that limit for
        sendmail's startup.  This will make the attack more difficult to
        accomplish, as it will require a very large message.  Also, by
        limiting the maximum message size accepted by your server (via the
        sendmail MaxMessageSize option), you can eliminate the attack
        completely.

        To remove the stack size limit, use one of the following commands in
        your sendmail startup script (by placing the command in the startup
        script, only sendmail should be affected):

           ulimit -s unlimited         (sh, bash, ksh)
           limit stacksize unlimited   (csh, tcsh, zsh)

        For more information on adjusting stack size limits, please see the
        Sendmail Knowledge Base article referenced below.

     3. Configure your MTA to avoid the negative impacts listed above:

        a. Turn off core dumps for sendmail using one of the following
           commands in your sendmail startup script (by placing the command
           in the startup script, only sendmail should be affected):

           ulimit -c 0                 (sh, bash, ksh)
           limit coredumpsize 0        (csh, tcsh, zsh)

           For more information on turning off core dumps, please see the
           Sendmail Knowledge Base article referenced below.

        b. To prevent queued jobs from being ignored, you can either:

           * Enable the ForkEachJob option at the cost of lower queue run
             performance and potentially a high number of processes (one per
             queued item), or

           * Set QueueSortOrder to random, which will randomize the order
             jobs are processed.  Note that with random queue sorting, the
             bad message will still be processed and the queue run aborted
             every time, but at a different, random spot.

           For more information on changing queue run behavior, please see
           the Sendmail Knowledge Base article referenced below.


V. Solution

     Sendmail, Inc. has released patches for Sendmail Switch versions 3.1
     and 3.2, Sendmail Switch for Windows 3.1, and for Sendmail Sentrion
     version 1.5.  Those patches are available to supported customers on
     their download site at:

       https://www.sendmail.com/customerlogin/

     If you are unable to use the download site or need the Switch 3.1.9
     patch, you can also download it from our ftp site at:

       ftp://ftp.sendmail.com/patch/

     Refer to the README included with each patch for installation
     instructions.  The available patches are:

     MD5 (smswitch-patch-3.1.9-Linux.tar.gz) = 7d266b9b43d17daa3be3dbe7166ff9f9
     MD5 (smswitch-patch-3.1.9-Solaris8.tar.Z) = a62a0aef50c561e45a5402a0acd3639a
     MD5 (smswitch-patch-3.2.1-Linux.tar.gz) = 30db674de1e29c3fe9f4e81ff8a260f8
     MD5 (smswitch-patch-3.2.1-Solaris8.tar.Z) = 8aa905dfe49d2d68d643695c44410d76
     MD5 (smswitch-patch-3.1.4-Windows.zip) = d863292580b89a704b0692a4d8a6e481
     MD5 (SentriOS-152-867.tar) = f1cf9c8406bce0a2fd0d491691a26366

     Unsupported customers or those running older product versions should
     employ one of the workarounds listed above.


VI. References

       Japanese Translation
       --------------------
       http://www.sendmail.com/jp/advisory/

       SA-200605-01 Frequently Asked Questions
       ---------------------------------------
       http://www.sendmail.com/security/advisories/SA-200605-01/faq.shtml

       Sendmail Knowledge Base Articles
       --------------------------------
       Using malformed MIME workaround filter on Switch or Sentrion
       https://www.sendmail.com/cfusion/CFIDE/kb_doc.cfm?kb_id=S10808

       Changing stack size and core dump options on Switch/Sentrion
       https://www.sendmail.com/cfusion/CFIDE/kb_doc.cfm?kb_id=S10805

       Limiting maximum message size on Switch or Sentrion
       https://www.sendmail.com/cfusion/CFIDE/kb_doc.cfm?kb_id=S10807

       Changing queue run behavior on Switch or Sentrion
       https://www.sendmail.com/cfusion/CFIDE/kb_doc.cfm?kb_id=S10806

       Sendmail Open Source Information
       --------------------------------
       http://www.sendmail.org/releases/8.13.7.html

       External Links
       --------------
       CERT: http://www.kb.cert.org/vuls/id/146718
       CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1173

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================