CVSS2: 6.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
EPSS: 0.887 High
Percentile: 98.7%
The Postfix SMTP server has a memory corruption error when the Cyrus SASL library is used with authentication mechanisms other than PLAIN and LOGIN.
The Postfix Advisory for CVE-2011-1720 states:
“The Postfix SMTP server fails to create a new Cyrus SASL server handle after authentication failure. This causes memory corruption when, for example, a client requests CRAM-MD5 authentication, fails to authenticate, and then invokes some other authentication mechanism except PLAIN (or ANONYMOUS if available). The likely outcome is that the Postfix SMTP server process crashes with a segmentation violation error (SIGSEGV, a.k.a. signal 11).”
…
“The memory corruption is known to result in a program crash (SIGSEGV). Remote code execution cannot be excluded. Such code would execute as the unprivileged “postfix” user. This user has no control over processes that run with non-postfix privileges including Postfix processes running as root; the impact may be reduced with configurations that enable the Postfix chroot feature or that use platform-dependent privilege-reducing features.”
A remote attacker can cause a denial of service or possibly execute arbitrary code.
Apply an Update
This vulnerability has been fixed in Postfix stable versions 2.5.13, 2.6.10, 2.7.4, 2.8.3. Patches for Postfix version 1.1 and later can be obtained from the Postfix Download Site.
Workarounds
The following workaround is provided in the Postfix Advisory for CVE-2011-1720:
Disable Cyrus SASL authentication mechanisms for the Postfix SMTP server other than PLAIN and LOGIN. The mechanisms are specified in a Cyrus SASL smtpd.conf configuration file. This file may be found in /etc/postfix/sasl/, /var/lib/sasl2/, /etc/sasl2/, /usr/lib/sasl2/ or /usr/local/lib/sasl2/.
In this file, update the “mech_list:” entry and remove any methods other than PLAIN and LOGIN. For example, this configuration is not affected:
mech_list: PLAIN LOGIN
Execute the command “postfix reload” to make the change effective, then verify that the “port 25” and “port 587” services no longer announce other SASL mechanisms, as shown in the previous section.
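The two checks in this workaround (the mech_list entry and the mechanisms announced by the running service) can be run offline against saved text. The following is an added example, not part of the Postfix advisory or of this note; the function names, the sample smtpd.conf and the sample EHLO replies are constructed for illustration.

```python
import re

SAFE = {"PLAIN", "LOGIN"}  # mechanisms the advisory's workaround keeps

def conf_mechs(conf_text):
    """Mechanisms named by mech_list in smtpd.conf text; None if never set."""
    mechs = None
    for line in conf_text.splitlines():
        m = re.match(r"\s*mech_list\s*:(.*)$", line)  # '#' comment lines never match
        if m:  # union if the key repeats, so nothing is missed
            mechs = (mechs or set()) | {x.upper() for x in m.group(1).split()}
    return mechs

def ehlo_mechs(ehlo_text):
    """Mechanisms on the AUTH lines of an EHLO reply ('AUTH ' and 'AUTH=' forms)."""
    found = set()
    for line in ehlo_text.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)$", line.strip(), re.IGNORECASE)
        if m:
            found |= {x.upper() for x in m.group(1).split()}
    return found

def audit(conf_text, ehlo_text):
    """Return (source, detail) findings; an empty list means the workaround holds."""
    findings = []
    mechs = conf_mechs(conf_text)
    if mechs is None:
        # Assumption: with no mech_list, Cyrus SASL offers all installed mechanisms.
        findings.append(("smtpd.conf", "mech_list not set"))
    elif mechs - SAFE:
        findings.append(("smtpd.conf", " ".join(sorted(mechs - SAFE))))
    announced = ehlo_mechs(ehlo_text)
    if announced - SAFE:
        findings.append(("EHLO", " ".join(sorted(announced - SAFE))))
    return findings

# Constructed sample data, not taken from a real host.
CONF_BEFORE = "pwcheck_method: saslauthd\n# mech_list: PLAIN\nmech_list: plain login cram-md5 digest-md5\n"
CONF_AFTER = "pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n"
EHLO_BEFORE = ("250-mail.example.test\r\n250-STARTTLS\r\n"
               "250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5\r\n"
               "250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5\r\n250 8BITMIME\r\n")
EHLO_AFTER = "250-mail.example.test\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    for name, conf, ehlo in (("before", CONF_BEFORE, EHLO_BEFORE), ("after", CONF_AFTER, EHLO_AFTER)):
        print(name, audit(conf, ehlo) or "only PLAIN and LOGIN")
```

Feed it the EHLO reply saved from each of the port 25 and port 587 services after “postfix reload”; where a service only announces AUTH after STARTTLS, save the reply sent inside the TLS session.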
727230
For each entry below: We have not received a statement from the vendor. We are not aware of further vendor information regarding this vulnerability.

Status | Notified | Updated |
---|---|---|
Affected | April 20, 2011 | May 11, 2011 |
Affected | April 20, 2011 | May 17, 2011 |
Affected | April 20, 2011 | May 11, 2011 |
Affected | April 20, 2011 | May 11, 2011 |
Affected | April 20, 2011 | May 11, 2011 |
Unknown | April 20, 2011 | April 20, 2011 |
Unknown | April 22, 2011 | April 22, 2011 |
Unknown | April 20, 2011 | April 20, 2011 |
Unknown | April 20, 2011 | April 20, 2011 |
Unknown | April 20, 2011 | April 20, 2011 |
Unknown | April 20, 2011 | April 20, 2011 |
Unknown | April 20, 2011 | April 20, 2011 |
Unknown | April 20, 2011 | April 20, 2011 |
Unknown | April 20, 2011 | April 20, 2011 |
Thanks to Thomas Jarosch of Intra2net AG for reporting this vulnerability.
This document was written by Jared Allar.
CVE IDs: | CVE-2011-1720 |
---|---|
Severity Metric: | 1.87 |
Date Public: | |