search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Cyrus SASL library buffer overflow vulnerability

Vulnerability Note VU#238019

Original Release Date: 2009-05-14 | Last Revised: 2009-08-26

Overview

The Cyrus SASL library contains a buffer overflow vulnerability that could allow an attacker to execute code or cause a vulnerable program to crash.

Description

SASL (Simple Authentication and Security Layer) is a method for adding authentication support to various protocols. SASL is commonly used by mail servers to request authentication from clients and by clients to authenticate to servers.

The sasl_encode64() function converts a string into base64. The Cyrus SASL library contains buffer overflows that occur because of unsafe use of the sasl_encode64() function.

Impact

A remote attacker might be able to execute code, or cause any programs relying on SASL to crash or be unavailable.

Solution

Upgrade
Cyrus SASL 2.1.23 has been released to address this issue. Before releasing fixed binaries, maintainers are encouraged to review the Cyrus vendor statement associated with this note.

Vendor Information

238019
 
Expand all

View all 25 vendors View less vendors


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to James Ralston for reporting this issue and providing technical information.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2009-0688
Severity Metric: 4.04
Date Public: 2009-04-08
Date First Published: 2009-05-14
Date Last Updated: 2009-08-26 13:19 UTC
Document Revision: 24

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis