__________________________________________________________

          The U.S. Department of Energy
       Cyber Incident Response Capability
__________________________________________________________

                        INFORMATION BULLETIN

                    libspf2 DNS TXT Vulnerability
               [US-CERT Vulnerability Note VU#183657]

November 6, 2008 14:00 GMT                                       Number T-021
______________________________________________________________________________

PROBLEM:       libspf2 contains a buffer overflow vulnerability in code
               that parses DNS TXT records. An SPF record is a DNS
               Resource Record (RR) that declares which hosts are, and
               are not, authorized to use a domain name for the "HELO"
               and "MAIL FROM" identities.

PLATFORM:      libspf2

DAMAGE:        Execute arbitrary code.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. This vulnerability could allow an
ASSESSMENT:    unauthenticated, remote attacker to execute arbitrary code
               on a system running libspf2.
______________________________________________________________________________

CVSS 2         BASE SCORE:     2.6
               TEMPORAL SCORE: 2.0
               VECTOR:         (AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C)
______________________________________________________________________________

LINKS:
 DOE-CIRC BULLETIN:  http://doecirc.energy.gov/ciac/bulletins/t-021.shtml
 ORIGINAL BULLETIN:  http://www.kb.cert.org/vuls/id/183657
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2469
______________________________________________________________________________

[***** Start US-CERT Vulnerability Note VU#183657 *****]

Vulnerability Note VU#183657

libspf2 DNS TXT record parsing buffer overflow

Overview

libspf2 contains a buffer overflow vulnerability in code that parses DNS
TXT records.

I. Description

libspf2 is a widely-deployed implementation of the Sender Policy
Framework.
According to RFC 4408:

   An SPF record is a DNS Resource Record (RR) that declares which hosts
   are, and are not, authorized to use a domain name for the "HELO" and
   "MAIL FROM" identities. Loosely, the record partitions all hosts into
   permitted and not-permitted sets (though some hosts might fall into
   neither category).

libspf2 contains a buffer overflow in DNS TXT record parsing. According to
Doxpara Research:

   DNS TXT records have long been a little tricky to parse, due to them
   containing two length fields. First, there is the length field of the
   record as a whole. Then, there is a sublength field, from 0 to 255,
   that describes the length of a particular character string inside the
   larger record. There is nothing that links the two values, and DNS
   servers do not themselves enforce sanity checks here. As such, there
   is always a risk that when receiving a DNS TXT record, the outer
   record length will be the amount allocated, but the inner length will
   be copied.

This issue is similar to VU#814627, Sendmail vulnerable to buffer overflow
when DNS map is specified using TXT records.

II. Impact

This vulnerability could allow an unauthenticated, remote attacker to
execute arbitrary code on a system running libspf2.

III. Solution

Upgrade

Vendors and those who directly use libspf2 should upgrade to version
1.2.8. Users that run a mail server or anti-spam products should consult
their vendor for an appropriate patch.

Systems Affected

Vendor                                          Status          Date Notified  Date Updated
3com, Inc.                                      Unknown         2008-09-16     2008-09-16
ACCESS                                          Unknown         2008-09-16     2008-09-16
Alcatel-Lucent                                  Unknown         2008-09-16     2008-09-16
Apple Computer, Inc.                            Unknown         2008-09-16     2008-09-16
AT&T                                            Unknown         2008-09-16     2008-09-16
Avaya, Inc.                                     Unknown         2008-09-16     2008-09-16
Barracuda Networks                              Unknown         2008-09-16     2008-09-16
Belkin, Inc.                                    Unknown         2008-09-16     2008-09-16
Bizanga                                         Not Vulnerable  2008-09-17     2008-10-16
BlueCat Networks, Inc.                          Vulnerable      2008-09-18     2008-10-30
Borderware Technologies                         Unknown         2008-09-16     2008-09-16
Bro                                             Unknown         2008-09-16     2008-09-16
Charlotte's Web Networks                        Unknown         2008-09-16     2008-09-16
Check Point Software Technologies               Unknown         2008-09-16     2008-09-16
CIAC                                            Unknown         2008-09-16     2008-09-16
Cisco Systems, Inc.                             Unknown         2008-09-16     2008-09-16
Clavister                                       Unknown         2008-09-16     2008-09-16
Cloudmark                                       Unknown         2008-09-23     2008-09-23
Computer Associates                             Unknown         2008-09-16     2008-09-16
Computer Associates eTrust Security Management  Unknown         2008-09-16     2008-09-16
Conectiva Inc.                                  Unknown         2008-09-16     2008-09-16
Cray Inc.                                       Unknown         2008-09-16     2008-09-16
D-Link Systems, Inc.                            Unknown         2008-09-16     2008-09-16
Data Connection, Ltd.                           Unknown         2008-09-16     2008-09-16
Debian GNU/Linux                                Unknown         2008-09-16     2008-09-16
DragonFly BSD Project                           Unknown         2008-09-16     2008-09-16
Eland Systems                                   Not Vulnerable  2008-09-17     2008-10-16
EMC Corporation                                 Unknown         2008-09-16     2008-09-16
Engarde Secure Linux                            Unknown         2008-09-16     2008-09-16
Enterasys Networks                              Unknown         2008-09-16     2008-09-16
Ericsson                                        Unknown         2008-09-16     2008-09-16
eSoft, Inc.                                     Unknown         2008-09-16     2008-09-16
Extreme Networks                                Unknown         2008-09-16     2008-09-16
F5 Networks, Inc.                               Unknown         2008-09-16     2008-09-16
Fedora Project                                  Unknown         2008-09-16     2008-09-16
Force10 Networks, Inc.                          Unknown         2008-09-16     2008-09-16
Fortinet, Inc.                                  Unknown         2008-09-16     2008-09-16
Foundry Networks, Inc.                          Unknown         2008-09-16     2008-09-16
FreeBSD, Inc.                                   Unknown         2008-09-16     2008-09-16
Fujitsu                                         Unknown         2008-09-16     2008-09-16
Gentoo Linux                                    Unknown         2008-09-16     2008-09-16
Global Technology Associates                    Unknown         2008-09-16     2008-09-16
Hewlett-Packard Company                         Unknown         2008-09-16     2008-09-16
Hitachi                                         Unknown         2008-09-16     2008-09-16
IBM Corporation                                 Unknown         2008-09-16     2008-09-16
IBM Corporation (zseries)                       Unknown         2008-09-16     2008-09-16
IBM eServer                                     Unknown         2008-09-16     2008-09-16
Ingrian Networks, Inc.                          Unknown         2008-09-16     2008-09-16
Intel Corporation                               Unknown         2008-09-16     2008-09-16
Internet Security Systems, Inc.                 Unknown         2008-09-16     2008-09-16
Intoto                                          Unknown         2008-09-16     2008-09-16
IP Filter                                       Unknown         2008-09-16     2008-09-16
IP Infusion, Inc.                               Unknown         2008-09-16     2008-09-16
Juniper Networks, Inc.                          Unknown         2008-09-16     2008-09-16
Luminous Networks                               Unknown         2008-09-16     2008-09-16
m0n0wall                                        Unknown         2008-09-16     2008-09-16
MailFoundry                                     Not Vulnerable  2008-09-18     2008-10-23
Mandriva, Inc.                                  Unknown         2008-09-16     2008-09-16
McAfee                                          Vulnerable      2008-09-16     2008-10-16
Messaging Architects                            Unknown         2008-09-18     2008-09-18
Microsoft Corporation                           Unknown         2008-09-16     2008-09-16
Mirapoint, Inc.                                 Unknown         2008-09-18     2008-09-18
MontaVista Software, Inc.                       Unknown         2008-09-16     2008-09-16
Multitech, Inc.                                 Unknown         2008-09-16     2008-09-16
NEC Corporation                                 Unknown         2008-09-16     2008-09-16
NetApp                                          Unknown         2008-09-16     2008-09-16
NetBSD                                          Unknown         2008-09-16     2008-09-16
netfilter                                       Unknown         2008-09-16     2008-09-16
Nokia                                           Unknown         2008-09-16     2008-09-16
Nortel Networks, Inc.                           Unknown         2008-09-16     2008-09-16
Novell, Inc.                                    Unknown         2008-09-16     2008-09-16
OpenBSD                                         Unknown         2008-09-16     2008-09-16
Openwall GNU/*/Linux                            Not Vulnerable  2008-09-16     2008-10-16
OpenWave                                        Unknown         2008-09-19     2008-09-19
PePLink                                         Unknown         2008-09-16     2008-09-16
Process Software                                Vulnerable      2008-09-16     2008-10-16
Proofpoint                                      Not Vulnerable  2008-09-18     2008-10-16
Q1 Labs                                         Unknown         2008-09-16     2008-09-16
QNX, Software Systems, Inc.                     Unknown         2008-09-16     2008-09-16
Quagga                                          Unknown         2008-09-16     2008-09-16
RadWare, Inc.                                   Unknown         2008-09-16     2008-09-16
Red Hat, Inc.                                   Unknown         2008-09-16     2008-09-16
Redback Networks, Inc.                          Unknown         2008-09-16     2008-09-16
Roaring Penguin Software Inc.                   Not Vulnerable  2008-09-17     2008-10-16
SecPoint                                        Vulnerable      2008-09-24     2008-10-16
Secure Computing Enterprise Security Division   Unknown         2008-09-18     2008-09-18
Secure Computing Network Security Division      Unknown         2008-09-16     2008-09-16
Securence                                       Not Vulnerable  2008-09-19     2008-10-16
Secureworx, Inc.                                Unknown         2008-09-16     2008-09-16
Silicon Graphics, Inc.                          Unknown         2008-09-16     2008-09-16
Slackware Linux Inc.                            Unknown         2008-09-16     2008-09-16
SmoothWall                                      Unknown         2008-09-16     2008-09-16
Snort                                           Unknown         2008-09-16     2008-09-16
Soapstone Networks                              Unknown         2008-09-16     2008-09-16
Sony Corporation                                Unknown         2008-09-16     2008-09-16
Sourcefire                                      Unknown         2008-09-16     2008-09-16
Stonesoft                                       Unknown         2008-09-16     2008-09-16
Sun Microsystems, Inc.                          Not Vulnerable  2008-09-16     2008-10-16
SUSE Linux                                      Not Vulnerable  2008-09-16     2008-10-16
Symantec, Inc.                                  Not Vulnerable  2008-09-16     2008-10-30
The SCO Group                                   Unknown         2008-09-16     2008-09-16
TippingPoint, Technologies, Inc.                Unknown         2008-09-16     2008-09-16
Turbolinux                                      Unknown         2008-09-16     2008-09-16
U4EA Technologies, Inc.                         Unknown         2008-09-16     2008-09-16
Ubuntu                                          Unknown         2008-09-16     2008-09-16
Unisys                                          Unknown         2008-09-16     2008-09-16
Vyatta                                          Unknown         2008-09-16     2008-09-16
Watchguard Technologies, Inc.                   Unknown         2008-09-16     2008-09-16
Wind River Systems, Inc.                        Unknown         2008-09-16     2008-09-16
ZyXEL                                           Unknown         2008-09-16     2008-09-16

References

http://www.kb.cert.org/vuls/id/814627
http://www.ietf.org/rfc/rfc4408.txt
http://www.doxpara.com/?page_id=1256
http://www.libspf2.org/docs/html/

Credit

This issue was reported by Dan Kaminsky of Doxpara Research.

This document was written by Chris Taschner.

Other Information

Date Public:               2008-10-21
Date First Published:      2008-10-30
Date Last Updated:         2008-10-30
CERT Advisory:
CVE-ID(s):                 CVE-2008-2469
NVD-ID(s):                 CVE-2008-2469
US-CERT Technical Alerts:
Metric:                    9.00
Document Revision:         18

[***** End US-CERT Vulnerability Note VU#183657 *****]
_______________________________________________________________________________

DOE-CIRC wishes to acknowledge the contributions of US-CERT for the
information contained in this bulletin.
_______________________________________________________________________________

DOE-CIRC provides the U.S. Department of Energy with incident response,
reporting, and tracking, along with other computer security support.
DOE-CIRC is a member of GFIRST, the Government Forum of Incident
Responders and Security Teams, and FIRST, an international incident
response and security organization.

DOE-CIRC services are available to DOE and DOE contractors.

DOE-CIRC can be contacted at:
    Voice:    +1 866-941-2472 (7x24)
    FAX:      +1 702-932-0189
    STU-III:  Call the voice number.
    E-mail:   doecirc@doecirc.energy.gov

Previous DOE-CIRC notices, anti-virus software, and other information are
available from the DOE-CIRC Computer Security Archive.

    World Wide Web:  http://www.doecirc.energy.gov/

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive DOE-CIRC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your
agency's team will coordinate with DOE-CIRC. The Forum of Incident
Response and Security Teams (FIRST) is a world-wide organization. A list
of FIRST member organizations and their constituencies can be obtained via
WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor any
agency thereof, nor any of their employees, makes any warranty, express or
implied, or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, apparatus, product or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial product, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or any agency thereof. The views
and opinions of originators expressed herein do not necessarily state or
reflect those of the United States Government or any agency thereof.

LAST 10 DOE-CIRC Bulletins

S-213: Nukedit 'email' Parameter Vulnerability
S-214: SurgeMail and WebMail 'Page' Command Vulnerability
S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities
S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability
S-217: Drupal Multiple HTML Vulnerabilities
S-218: gd Security Update
S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability
S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability
S-221: Learn2 STRunner ActiveX Control Vulnerabilities
S-222: Evolution Security Update
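The two-length-field problem described in section I of the Vulnerability Note above, as an added example (not libspf2 code): a TXT RDATA parser that checks every inner character-string length against the bytes actually remaining inside the outer RDLENGTH before copying, and therefore rejects a constructed record whose inner length exceeds the outer one. The record bytes and the function name are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libspf2 code: defensive parsing of DNS TXT RDATA.
 * TXT RDATA is a sequence of <character-string>s, each a one-byte length
 * followed by that many bytes. The outer RDLENGTH and the inner length
 * bytes are independent, so every inner length must be checked against
 * the bytes that actually remain inside RDLENGTH before anything is copied. */

/* Concatenate the character-strings of one TXT record into out (NUL-terminated).
 * Returns the number of bytes written, or -1 if an inner length runs past the
 * end of the record or the output buffer cannot hold the result. */
static int txt_rdata_concat(const uint8_t *rdata, size_t rdlength,
                            char *out, size_t outcap)
{
    size_t pos = 0, written = 0;

    if (outcap == 0)
        return -1;                        /* no room even for the NUL */
    while (pos < rdlength) {
        size_t len = rdata[pos++];        /* inner length field, 0..255 */
        if (len > rdlength - pos)         /* claims more than remains in RDLENGTH */
            return -1;
        if (written + len + 1 > outcap)   /* leave room for the terminating NUL */
            return -1;
        memcpy(out + written, rdata + pos, len);
        written += len;
        pos += len;
    }
    out[written] = '\0';
    return (int)written;
}

/* Constructed sample records (hypothetical bytes, not captured traffic). */
/* Well-formed: two character-strings, "v=spf1 " (7 bytes) and "-all" (4 bytes). */
static const uint8_t GOOD_RDATA[] = { 7,'v','=','s','p','f','1',' ', 4,'-','a','l','l' };
/* Malformed: RDLENGTH covers only 5 bytes, but the inner length claims 32. */
static const uint8_t BAD_RDATA[] = { 32,'v','=','s','p' };

int main(void)
{
    char buf[64];
    int n = txt_rdata_concat(GOOD_RDATA, sizeof GOOD_RDATA, buf, sizeof buf);
    printf("well-formed: %d bytes -> \"%s\"\n", n, buf);
    n = txt_rdata_concat(BAD_RDATA, sizeof BAD_RDATA, buf, sizeof buf);
    printf("malformed:   %d (rejected, inner length exceeds RDLENGTH)\n", n);
    return 0;
}
```

A parser that sized its buffer from RDLENGTH but copied the inner length without the `len > rdlength - pos` check would read and copy past the record on the malformed input; the check is the difference between a rejected record and an overflow.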