North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Kaminsky redux - libspf2 dns parsing bug
For the "mailops is not operational" folks.. it involves parsing dns txt records, so .. well, please grit your teeth and read on, this gets interesting Well, we discarded spf back in 2005 so we arent in any particular danger, but for those few of y'all still deploying and checking spf .. please upgrade asap. srs http://www.doxpara.com/?p=1263 I really need to learn to leave DNS alone :) DNS TXT Record Parsing Bug in LibSPF2 A relatively common bug parsing TXT records delivered over DNS, dating at least back to 2002 in Sendmail 8.2.0 and almost certainly much earlier, has been found in LibSPF2, a library frequently used to retrieve SPF (Sender Policy Framework) records and apply policy according to those records. This implementation flaw allows for relatively flexible memory corruption, and should thus be treated as a path to anonymous remote code execution. Of particular note is that the remote code execution would occur on servers specifically designed to receive E-Mail from the Internet, and that these systems may in fact be high volume mail exchangers. This creates privacy implications. It is also the case that a corrupted email server is a useful "jumping off" point for attackers to corrupt desktop machines, since attachments can be corrupted with malware while the containing message stays intact. So there are internal security implications as well, above and beyond corruption of the mail server on the DMZ. Apparently LibSPF2 is actually used to secure quite a bit of mail traffic – there's a lot of SPAM out there. Fix is out, see http://www.libspf2.org/index.html or your friendly neighborhood distro. Thanks to Shevek, CERT (VU#183657), Ken Simpson of MailChannels, Andre Engel, Scott Kitterman, and Hannah Schroeter for their help with this.