CERT/CC Vulnerability Note VU#183657

Overview

libspf2 contains a buffer overflow vulnerability in code that parses DNS TXT records.

Description

libspf2 is a widely-deployed implementation of the Sender Policy Framework. According to RFC 4408:

An SPF record is a DNS Resource Record (RR) that declares which hosts are, and are not, authorized to use a domain name for the "HELO" and "MAIL FROM" identities. Loosely, the record partitions all hosts into permitted and not-permitted sets (though some hosts might fall into neither category).

libspf2 contins a buffer overflow in DNS TXT record parsing. According to Doxpara Research:

DNS TXT records have long been a little tricky to parse, due to them containing two length fields. First, there is the length field of the record as a whole. Then, there is a sublength field, from 0 to 255, that describes the length of a particular character string inside the larger record. There is nothing that links the two values, and DNS servers to not themselves enforce sanity checks here. As such, there is always a risk that when receiving a DNS TXT record, the outer record length will be the amount allocated, but the inner length will be copied.

This issue is similar to VU#814627 "Sendmail vulnerable to buffer overflow when DNS map is specified using TXT records."

Impact

This vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code on a system running libspf2.

Solution

Upgrade
Vendors and those who directly use libspf2 should upgrade to version 1.2.8.

Users that run a mail server or anti-spam products should consult their vendor for an appropriate patch.

Vendor Information

183657

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

BlueCat Networks, Inc. Affected

McAfee Affected

Process Software Affected

SecPoint Affected

Bizanga Not Affected

Cisco Systems, Inc. Not Affected

Eland Systems Not Affected

Extreme Networks Not Affected

Force10 Networks, Inc. Not Affected

MailFoundry Not Affected

Openwall GNU/*/Linux Not Affected

Proofpoint Not Affected

Roaring Penguin Software Inc. Not Affected

SUSE Linux Not Affected

Securence Not Affected

Sun Microsystems, Inc. Not Affected

Symantec, Inc. Not Affected

3com, Inc. Unknown

ACCESS Unknown

AT&T Unknown

Alcatel-Lucent Unknown

Apple Computer, Inc. Unknown

Avaya, Inc. Unknown

Barracuda Networks Unknown

Belkin, Inc. Unknown

Borderware Technologies Unknown

Bro Unknown

CIAC Unknown

Charlotte's Web Networks Unknown

Check Point Software Technologies Unknown

Clavister Unknown

Cloudmark Unknown

Computer Associates Unknown

Computer Associates eTrust Security Management Unknown

Conectiva Inc. Unknown

Cray Inc. Unknown

D-Link Systems, Inc. Unknown

Data Connection, Ltd. Unknown

Debian GNU/Linux Unknown

DragonFly BSD Project Unknown

EMC Corporation Unknown

Engarde Secure Linux Unknown

Enterasys Networks Unknown

Ericsson Unknown

F5 Networks, Inc. Unknown

Fedora Project Unknown

Fortinet, Inc. Unknown

Foundry Networks, Inc. Unknown

FreeBSD, Inc. Unknown

Fujitsu Unknown

Gentoo Linux Unknown

Global Technology Associates Unknown

Hewlett-Packard Company Unknown

Hitachi Unknown

IBM Corporation Unknown

IBM Corporation (zseries) Unknown

IBM eServer Unknown

IP Filter Unknown

IP Infusion, Inc. Unknown

Ingrian Networks, Inc. Unknown

Intel Corporation Unknown

Internet Security Systems, Inc. Unknown

Intoto Unknown

Juniper Networks, Inc. Unknown

Luminous Networks Unknown

Mandriva, Inc. Unknown

Messaging Architects Unknown

Microsoft Corporation Unknown

Mirapoint, Inc. Unknown

MontaVista Software, Inc. Unknown

Multitech, Inc. Unknown

NEC Corporation Unknown

NetApp Unknown

NetBSD Unknown

Nokia Unknown

Nortel Networks, Inc. Unknown

Novell, Inc. Unknown

OpenBSD Unknown

OpenWave Unknown

PePLink Unknown

Q1 Labs Unknown

QNX, Software Systems, Inc. Unknown

Quagga Unknown

RadWare, Inc. Unknown

Red Hat, Inc. Unknown

Redback Networks, Inc. Unknown

Secure Computing Enterprise Security Division Unknown

Secure Computing Network Security Division Unknown

Secureworx, Inc. Unknown

Silicon Graphics, Inc. Unknown

Slackware Linux Inc. Unknown

SmoothWall Unknown

Snort Unknown

Soapstone Networks Unknown

Sony Corporation Unknown

Sourcefire Unknown

Stonesoft Unknown

The SCO Group Unknown

TippingPoint, Technologies, Inc. Unknown

Turbolinux Unknown

U4EA Technologies, Inc. Unknown

Ubuntu Unknown

Unisys Unknown

Vyatta Unknown

Watchguard Technologies, Inc. Unknown

Wind River Systems, Inc. Unknown

ZyXEL Unknown

eSoft, Inc. Unknown

m0n0wall Unknown

netfilter Unknown

View all 110 vendors View less vendors

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

Acknowledgements

This issue was reported by Dan Kaminsky of Doxpara Research.

This document was written by Chris Taschner.

Other Information

CVE IDs:	CVE-2008-2469
Severity Metric:	9.00
Date Public:	2008-10-21
Date First Published:	2008-10-30
Date Last Updated:	2011-07-22 12:49 UTC
Document Revision:	24

Software Engineering Institute

CERT Coordination Center

libspf2 DNS TXT record parsing buffer overflow

Vulnerability Note VU#183657