DOE-CIRC INFORMATION BULLETIN

T-021: libspf2 DNS TXT Vulnerability

[US-CERT Vulnerability Note VU#183657]

November 6, 2008 14:00 GMT

PROBLEM: libspf2 contains a buffer overflow vulnerability in code that parses DNS TXT records. An SPF record is a DNS Resource Record (RR) that declares which hosts are, and are not, authorized to use a domain name for the "HELO" and "MAIL FROM" identities.
PLATFORM: libspf2
DAMAGE: Execute arbitrary code.
SOLUTION: Upgrade to the appropriate version.

VULNERABILITY ASSESSMENT: The risk is MEDIUM. This vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code on a system running libspf2.

CVSS 2 BASE SCORE: 2.6
TEMPORAL SCORE: 2.0
VECTOR: (AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C)

LINKS:  
  DOE-CIRC BULLETIN: http://doecirc.energy.gov/ciac/bulletins/t-021.shtml
  ORIGINAL BULLETIN: http://www.kb.cert.org/vuls/id/183657
  CVE: CVE-2008-2469

[***** Start US-CERT Vulnerability Note VU#183657 *****]

Vulnerability Note VU#183657

libspf2 DNS TXT record parsing buffer overflow

Overview

libspf2 contains a buffer overflow vulnerability in code that parses DNS TXT records.

I. Description

libspf2 is a widely-deployed implementation of the Sender Policy Framework. According to RFC 4408:
libspf2 contains a buffer overflow in DNS TXT record parsing. According to Doxpara Research:
This issue is similar to VU#814627 Sendmail vulnerable to buffer overflow when DNS map is specified using TXT records.
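
For reference, the bounds checks that any DNS TXT RDATA parser needs, shown as an added example: this is not libspf2's code and does not reproduce the specific defect, which this note does not detail. The function name, return codes and sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical return codes for this added example. */
enum { TXT_OK = 0, TXT_TRUNCATED = -1, TXT_TOO_LONG = -2, TXT_BAD_ARG = -3 };

/* Constructed sample RDATA: "v=spf1 " and "-all" as two character-strings. */
static const uint8_t SAMPLE_OK[] = {7,'v','=','s','p','f','1',' ',4,'-','a','l','l'};
/* Constructed malformed RDATA: length octet claims 200, only 4 octets follow. */
static const uint8_t SAMPLE_BAD[] = {200,'a','b','c','d'};

/* Join the <character-string>s of a TXT RDATA field (RFC 1035: one length
 * octet, then that many octets) into a NUL-terminated buffer. rdlen is the
 * RR's RDLENGTH; both it and every length octet are untrusted input. */
int txt_rdata_join(const uint8_t *rdata, size_t rdlen,
                   char *out, size_t out_cap, size_t *out_len)
{
    size_t pos = 0, used = 0;

    if (rdata == NULL || out == NULL || out_cap == 0)
        return TXT_BAD_ARG;
    out[0] = '\0';
    while (pos < rdlen) {
        size_t seg = rdata[pos++];            /* length octet, 0..255 */
        /* The segment must fit in the rest of the record and in the rest
         * of out[], with one byte kept back for the terminating NUL. */
        if (seg > rdlen - pos || seg > out_cap - 1 - used) {
            out[0] = '\0';                    /* never return a partial policy */
            return seg > rdlen - pos ? TXT_TRUNCATED : TXT_TOO_LONG;
        }
        memcpy(out + used, rdata + pos, seg);
        used += seg;
        pos += seg;
        out[used] = '\0';
    }
    if (out_len != NULL)
        *out_len = used;
    return TXT_OK;
}

int main(void)
{
    char buf[64];
    printf("%d\n", txt_rdata_join(SAMPLE_OK, sizeof SAMPLE_OK, buf, sizeof buf, NULL));
    printf("%d\n", txt_rdata_join(SAMPLE_BAD, sizeof SAMPLE_BAD, buf, sizeof buf, NULL));
    return 0;
}
```

Both comparisons are written as subtractions on the trusted side (`rdlen - pos`, `out_cap - 1 - used`) so that an attacker-supplied length can never cause the check itself to wrap.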

II. Impact

This vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code on a system running libspf2.

III. Solution

Upgrade

Vendors and those who directly use libspf2 should upgrade to version 1.2.8.

Users that run a mail server or anti-spam products should consult their vendor for an appropriate patch.

Systems Affected

Vendor | Status | Date Notified | Date Updated
3com, Inc. | Unknown | 2008-09-16 | 2008-09-16
ACCESS | Unknown | 2008-09-16 | 2008-09-16
Alcatel-Lucent | Unknown | 2008-09-16 | 2008-09-16
Apple Computer, Inc. | Unknown | 2008-09-16 | 2008-09-16
AT&T | Unknown | 2008-09-16 | 2008-09-16
Avaya, Inc. | Unknown | 2008-09-16 | 2008-09-16
Barracuda Networks | Unknown | 2008-09-16 | 2008-09-16
Belkin, Inc. | Unknown | 2008-09-16 | 2008-09-16
Bizanga | Not Vulnerable | 2008-09-17 | 2008-10-16
BlueCat Networks, Inc. | Vulnerable | 2008-09-18 | 2008-10-30
Borderware Technologies | Unknown | 2008-09-16 | 2008-09-16
Bro | Unknown | 2008-09-16 | 2008-09-16
Charlotte's Web Networks | Unknown | 2008-09-16 | 2008-09-16
Check Point Software Technologies | Unknown | 2008-09-16 | 2008-09-16
CIAC | Unknown | 2008-09-16 | 2008-09-16
Cisco Systems, Inc. | Unknown | 2008-09-16 | 2008-09-16
Clavister | Unknown | 2008-09-16 | 2008-09-16
Cloudmark | Unknown | 2008-09-23 | 2008-09-23
Computer Associates | Unknown | 2008-09-16 | 2008-09-16
Computer Associates eTrust Security Management | Unknown | 2008-09-16 | 2008-09-16
Conectiva Inc. | Unknown | 2008-09-16 | 2008-09-16
Cray Inc. | Unknown | 2008-09-16 | 2008-09-16
D-Link Systems, Inc. | Unknown | 2008-09-16 | 2008-09-16
Data Connection, Ltd. | Unknown | 2008-09-16 | 2008-09-16
Debian GNU/Linux | Unknown | 2008-09-16 | 2008-09-16
DragonFly BSD Project | Unknown | 2008-09-16 | 2008-09-16
Eland Systems | Not Vulnerable | 2008-09-17 | 2008-10-16
EMC Corporation | Unknown | 2008-09-16 | 2008-09-16
Engarde Secure Linux | Unknown | 2008-09-16 | 2008-09-16
Enterasys Networks | Unknown | 2008-09-16 | 2008-09-16
Ericsson | Unknown | 2008-09-16 | 2008-09-16
eSoft, Inc. | Unknown | 2008-09-16 | 2008-09-16
Extreme Networks | Unknown | 2008-09-16 | 2008-09-16
F5 Networks, Inc. | Unknown | 2008-09-16 | 2008-09-16
Fedora Project | Unknown | 2008-09-16 | 2008-09-16
Force10 Networks, Inc. | Unknown | 2008-09-16 | 2008-09-16
Fortinet, Inc. | Unknown | 2008-09-16 | 2008-09-16
Foundry Networks, Inc. | Unknown | 2008-09-16 | 2008-09-16
FreeBSD, Inc. | Unknown | 2008-09-16 | 2008-09-16
Fujitsu | Unknown | 2008-09-16 | 2008-09-16
Gentoo Linux | Unknown | 2008-09-16 | 2008-09-16
Global Technology Associates | Unknown | 2008-09-16 | 2008-09-16
Hewlett-Packard Company | Unknown | 2008-09-16 | 2008-09-16
Hitachi | Unknown | 2008-09-16 | 2008-09-16
IBM Corporation | Unknown | 2008-09-16 | 2008-09-16
IBM Corporation (zseries) | Unknown | 2008-09-16 | 2008-09-16
IBM eServer | Unknown | 2008-09-16 | 2008-09-16
Ingrian Networks, Inc. | Unknown | 2008-09-16 | 2008-09-16
Intel Corporation | Unknown | 2008-09-16 | 2008-09-16
Internet Security Systems, Inc. | Unknown | 2008-09-16 | 2008-09-16
Intoto | Unknown | 2008-09-16 | 2008-09-16
IP Filter | Unknown | 2008-09-16 | 2008-09-16
IP Infusion, Inc. | Unknown | 2008-09-16 | 2008-09-16
Juniper Networks, Inc. | Unknown | 2008-09-16 | 2008-09-16
Luminous Networks | Unknown | 2008-09-16 | 2008-09-16
m0n0wall | Unknown | 2008-09-16 | 2008-09-16
MailFoundry | Not Vulnerable | 2008-09-18 | 2008-10-23
Mandriva, Inc. | Unknown | 2008-09-16 | 2008-09-16
McAfee | Vulnerable | 2008-09-16 | 2008-10-16
Messaging Architects | Unknown | 2008-09-18 | 2008-09-18
Microsoft Corporation | Unknown | 2008-09-16 | 2008-09-16
Mirapoint, Inc. | Unknown | 2008-09-18 | 2008-09-18
MontaVista Software, Inc. | Unknown | 2008-09-16 | 2008-09-16
Multitech, Inc. | Unknown | 2008-09-16 | 2008-09-16
NEC Corporation | Unknown | 2008-09-16 | 2008-09-16
NetApp | Unknown | 2008-09-16 | 2008-09-16
NetBSD | Unknown | 2008-09-16 | 2008-09-16
netfilter | Unknown | 2008-09-16 | 2008-09-16
Nokia | Unknown | 2008-09-16 | 2008-09-16
Nortel Networks, Inc. | Unknown | 2008-09-16 | 2008-09-16
Novell, Inc. | Unknown | 2008-09-16 | 2008-09-16
OpenBSD | Unknown | 2008-09-16 | 2008-09-16
Openwall GNU/*/Linux | Not Vulnerable | 2008-09-16 | 2008-10-16
OpenWave | Unknown | 2008-09-19 | 2008-09-19
PePLink | Unknown | 2008-09-16 | 2008-09-16
Process Software | Vulnerable | 2008-09-16 | 2008-10-16
Proofpoint | Not Vulnerable | 2008-09-18 | 2008-10-16
Q1 Labs | Unknown | 2008-09-16 | 2008-09-16
QNX, Software Systems, Inc. | Unknown | 2008-09-16 | 2008-09-16
Quagga | Unknown | 2008-09-16 | 2008-09-16
RadWare, Inc. | Unknown | 2008-09-16 | 2008-09-16
Red Hat, Inc. | Unknown | 2008-09-16 | 2008-09-16
Redback Networks, Inc. | Unknown | 2008-09-16 | 2008-09-16
Roaring Penguin Software Inc. | Not Vulnerable | 2008-09-17 | 2008-10-16
SecPoint | Vulnerable | 2008-09-24 | 2008-10-16
Secure Computing Enterprise Security Division | Unknown | 2008-09-18 | 2008-09-18
Secure Computing Network Security Division | Unknown | 2008-09-16 | 2008-09-16
Securence | Not Vulnerable | 2008-09-19 | 2008-10-16
Secureworx, Inc. | Unknown | 2008-09-16 | 2008-09-16
Silicon Graphics, Inc. | Unknown | 2008-09-16 | 2008-09-16
Slackware Linux Inc. | Unknown | 2008-09-16 | 2008-09-16
SmoothWall | Unknown | 2008-09-16 | 2008-09-16
Snort | Unknown | 2008-09-16 | 2008-09-16
Soapstone Networks | Unknown | 2008-09-16 | 2008-09-16
Sony Corporation | Unknown | 2008-09-16 | 2008-09-16
Sourcefire | Unknown | 2008-09-16 | 2008-09-16
Stonesoft | Unknown | 2008-09-16 | 2008-09-16
Sun Microsystems, Inc. | Not Vulnerable | 2008-09-16 | 2008-10-16
SUSE Linux | Not Vulnerable | 2008-09-16 | 2008-10-16
Symantec, Inc. | Not Vulnerable | 2008-09-16 | 2008-10-30
The SCO Group | Unknown | 2008-09-16 | 2008-09-16
TippingPoint, Technologies, Inc. | Unknown | 2008-09-16 | 2008-09-16
Turbolinux | Unknown | 2008-09-16 | 2008-09-16
U4EA Technologies, Inc. | Unknown | 2008-09-16 | 2008-09-16
Ubuntu | Unknown | 2008-09-16 | 2008-09-16
Unisys | Unknown | 2008-09-16 | 2008-09-16
Vyatta | Unknown | 2008-09-16 | 2008-09-16
Watchguard Technologies, Inc. | Unknown | 2008-09-16 | 2008-09-16
Wind River Systems, Inc. | Unknown | 2008-09-16 | 2008-09-16
ZyXEL | Unknown | 2008-09-16 | 2008-09-16

References

http://www.kb.cert.org/vuls/id/814627
http://www.ietf.org/rfc/rfc4408.txt
http://www.doxpara.com/?page_id=1256
http://www.libspf2.org/docs/html/

Credit

This issue was reported by Dan Kaminsky of Doxpara Research.

This document was written by Chris Taschner.

Other Information

Date Public: 2008-10-21
Date First Published: 2008-10-30
Date Last Updated: 2008-10-30
CERT Advisory:  
CVE-ID(s): CVE-2008-2469
NVD-ID(s): CVE-2008-2469
US-CERT Technical Alerts:  
Metric: 9.00
Document Revision: 18

[***** End US-CERT Vulnerability Note VU#183657 *****]


DOE-CIRC wishes to acknowledge the contributions of US-CERT for the information contained in this bulletin.
DOE-CIRC can be contacted at:
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/