The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Postfix

vulnerability announcement CVE-2017-10140

Berkeley DB: privilege escalation via a DB_CONFIG file

Synthesis of the vulnerability

An attacker can bypass restrictions via DB_CONFIG of Berkeley DB, in order to escalate his privileges.
Impacted products: Debian, Exim, Fedora, Berkeley DB, Postfix, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: document.
Creation date: 14/06/2017.
Identifiers: CVE-2017-10140, DLA-1135-1, DLA-1136-1, DLA-1137-1, FEDORA-2017-014d67fa9d, FEDORA-2017-372bb1edb3, USN-3489-1, USN-3489-2, VIGILANCE-VUL-22972.

Description of the vulnerability

An attacker can create a DB_CONFIG file for Berkeley DB in the start folder of a privileged process, in order to tamper with the database parameters.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2015-4000

TLS: weakening Diffie-Hellman via Logjam

Synthesis of the vulnerability

An attacker, located as a Man-in-the-Middle, can force the TLS client/server to accept a weak export algorithm, in order to more easily capture or alter exchanged data.
Impacted products: Apache httpd, Blue Coat CAS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, DCFM Enterprise, Brocade Network Advisor, Brocade vTM, Clearswift Email Gateway, Debian, Summit, Fedora, FileZilla Server, FreeBSD, HPE BSM, HPE NNMi, HP Operations, HP-UX, AIX, DB2 UDB, IRAD, Security Directory Server, SPSS Modeler, Tivoli Storage Manager, Tivoli System Automation, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper SBR, lighttpd, ePO, Firefox, NSS, MySQL Community, MySQL Enterprise, Data ONTAP 7-Mode, Snap Creator Framework, SnapManager, NetBSD, nginx, Nodejs Core, OpenSSL, openSUSE, openSUSE Leap, Solaris, Palo Alto Firewall PA***, PAN-OS, Percona Server, RealPresence Collaboration Server, RealPresence Distributed Media Application, RealPresence Resource Manager, Polycom VBP, Postfix, SSL protocol, Pulse Connect Secure, Puppet, RHEL, JBoss EAP by Red Hat, Sendmail, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu, WinSCP.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet server.
Creation date: 20/05/2015.
Revision date: 20/05/2015.
Identifiers: 1610582, 1647054, 1957980, 1958984, 1959033, 1959539, 1959745, 1960194, 1960418, 1960862, 1962398, 1962694, 1963151, 9010038, 9010039, 9010041, 9010044, BSA-2015-005, bulletinjan2016, bulletinjul2015, c04725401, c04760669, c04767175, c04770140, c04773119, c04773241, c04774058, c04778650, c04832246, c04918839, c04926789, CERTFR-2016-AVI-303, CTX216642, CVE-2015-4000, DLA-507-1, DSA-3287-1, DSA-3300-1, DSA-3688-1, FEDORA-2015-10047, FEDORA-2015-10108, FEDORA-2015-9048, FEDORA-2015-9130, FEDORA-2015-9161, FreeBSD-EN-15:08.sendmail, FreeBSD-SA-15:10.openssl, HPSBGN03399, HPSBGN03407, HPSBGN03411, HPSBGN03417, HPSBHF03433, HPSBMU03345, HPSBMU03401, HPSBUX03363, HPSBUX03388, HPSBUX03435, HPSBUX03512, JSA10681, Logjam, NetBSD-SA2015-008, NTAP-20150616-0001, NTAP-20150715-0001, NTAP-20151028-0001, openSUSE-SU-2015:1139-1, openSUSE-SU-2015:1209-1, openSUSE-SU-2015:1216-1, openSUSE-SU-2015:1277-1, openSUSE-SU-2016:0226-1, openSUSE-SU-2016:0255-1, openSUSE-SU-2016:0261-1, openSUSE-SU-2016:2267-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2015:1072-01, RHSA-2015:1185-01, RHSA-2015:1197-01, RHSA-2016:2054-01, RHSA-2016:2055-01, RHSA-2016:2056-01, SA111, SA40002, SA98, SB10122, SSA:2015-219-02, SSRT102180, SSRT102254, SSRT102964, SSRT102977, SUSE-SU-2015:1143-1, SUSE-SU-2015:1150-1, SUSE-SU-2015:1177-1, SUSE-SU-2015:1177-2, SUSE-SU-2015:1181-1, SUSE-SU-2015:1181-2, SUSE-SU-2015:1182-2, SUSE-SU-2015:1183-1, SUSE-SU-2015:1183-2, SUSE-SU-2015:1184-1, SUSE-SU-2015:1184-2, SUSE-SU-2015:1185-1, SUSE-SU-2015:1268-1, SUSE-SU-2015:1268-2, SUSE-SU-2015:1269-1, SUSE-SU-2015:1581-1, SUSE-SU-2016:0224-1, SUSE-SU-2018:1768-1, TSB16728, USN-2624-1, USN-2625-1, USN-2656-1, USN-2656-2, VIGILANCE-VUL-16950, VN-2015-007.

Description of the vulnerability

The Diffie-Hellman algorithm is used to exchange cryptographic keys. The DHE_EXPORT suite uses prime numbers smaller than 512 bits.

The Diffie-Hellman algorithm is used by TLS. However, during the negotiation, an attacker located as a Man-in-the-Middle can force TLS to use DHE_EXPORT (even if stronger suites are available).

This vulnerability can then be combined with VIGILANCE-VUL-16951.

An attacker, located as a Man-in-the-Middle, can therefore force the TLS client/server to accept a weak export algorithm, in order to more easily capture or alter exchanged data.

vulnerability alert 16951

TLS, SSH, VPN: weakening Diffie-Hellman via common primes

Synthesis of the vulnerability

An attacker, located as a Man-in-the-Middle, can obtain the DH keys used by the TLS/SSH/VPN client/server, in order to more easily capture or alter exchanged data.
Impacted products: Apache httpd, AnyConnect VPN Client, IVE OS, Juniper SA, lighttpd, nginx, OpenSSH, OpenSSL, Openswan, Postfix, SSL protocol, Sendmail.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet server.
Creation date: 20/05/2015.
Identifiers: VIGILANCE-VUL-16951.

Description of the vulnerability

The Diffie-Hellman algorithm is used to exchange cryptographic keys. It is used by TLS, SSH and VPNs (IPsec).

Most servers use the same prime numbers (standardized in RFC 3526). An attacker can thus pre-compute values for such a prime (about 100000 core-hours of CPU, that is roughly a week on 100 computers for 512 bits) and then use the number field sieve discrete logarithm algorithm to quickly obtain the DH keys in use and decrypt a session.

512-bit groups are considered broken, and 1024-bit groups are considered breakable by a state.

For TLS, this vulnerability can be exploited after Logjam (VIGILANCE-VUL-16950).

An attacker, located as a Man-in-the-Middle, can therefore obtain the DH keys used by the TLS/SSH/VPN client/server, in order to more easily capture or alter exchanged data.
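As an added example (not from the Vigil@nce bulletins nor from any of the listed products), the following Python parses the ServerDHParams structure of a TLS ServerKeyExchange message and rates the offered prime the way the two Diffie-Hellman bulletins above do: 512-bit export groups are broken, 1024-bit groups are breakable by a state, and a prime shared by many servers is a precomputation target. The sample bytes are constructed, and the fingerprint set of standardized RFC 3526 primes is assumed to be filled in by the operator.

```python
import hashlib
import struct

# Thresholds as stated in the bulletins: 512-bit groups are broken,
# 1024-bit groups are considered breakable by a state.
EXPORT_BITS = 512
WEAK_BITS = 1024

# SHA-256 fingerprints (over the big-endian bytes of p) of standardized primes
# to flag (RFC 3526 groups). Assumption: the operator fills this set from the
# RFC text; it is left empty in this constructed example.
KNOWN_PRIME_FINGERPRINTS = set()

def _read_vector(buf, pos):
    """Read one opaque<1..2^16-1> field (2-byte big-endian length prefix)."""
    (length,) = struct.unpack_from("!H", buf, pos)  # struct.error if < 2 bytes left
    pos += 2
    if length == 0 or pos + length > len(buf):
        raise ValueError("truncated or empty vector")
    return buf[pos:pos + length], pos + length

def parse_server_dh_params(buf):
    """Parse TLS ServerDHParams (dh_p, dh_g, dh_Ys) into integers.
    Trailing bytes (the server's signature) are ignored."""
    p_bytes, pos = _read_vector(buf, 0)
    g_bytes, pos = _read_vector(buf, pos)
    ys_bytes, _ = _read_vector(buf, pos)
    return tuple(int.from_bytes(b, "big") for b in (p_bytes, g_bytes, ys_bytes))

def prime_fingerprint(p):
    return hashlib.sha256(p.to_bytes((p.bit_length() + 7) // 8, "big")).hexdigest()

def classify_dh_prime(p, known=KNOWN_PRIME_FINGERPRINTS):
    """Return (bit length, verdict) for a DHE prime offered by a server."""
    bits = p.bit_length()
    if bits <= EXPORT_BITS:
        verdict = "export-grade (<= 512 bits): broken"
    elif bits <= WEAK_BITS:
        verdict = "1024-bit class: breakable by a state"
    else:
        verdict = "acceptable size"
    if prime_fingerprint(p) in known:
        # A prime shared by many servers is what the precomputation targets.
        verdict += "; standardized prime shared by many servers"
    return bits, verdict

def encode_server_dh_params(p, g, ys):
    """Inverse of parse_server_dh_params; used only to build the sample."""
    out = b""
    for n in (p, g, ys):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(b)) + b
    return out

# Constructed sample: a 512-bit odd number standing in for an export prime.
SAMPLE_P = (1 << 511) | 0x1234567      # constructed, not an actual prime
SAMPLE_SKE = encode_server_dh_params(SAMPLE_P, 2, 12345)
```

Run `classify_dh_prime(parse_server_dh_params(SAMPLE_SKE)[0])` to see the export-grade verdict; feeding it a captured ServerKeyExchange body of your own server is the useful check.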

computer vulnerability CVE-2014-3566

SSL 3.0: decrypting session, POODLE

Synthesis of the vulnerability

An attacker, located as a Man-in-the-Middle, can decrypt an SSL 3.0 session, in order to obtain sensitive information.
Impacted products: SES, SNS, Apache httpd, Arkoon FAST360, ArubaOS, Asterisk Open Source, BES, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, GAiA, CheckPoint IP Appliance, IPSO, SecurePlatform, CheckPoint Security Appliance, CheckPoint Security Gateway, Cisco ASR, Cisco ACE, ASA, AsyncOS, Cisco CSS, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, IronPort Email, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco PRSM, Cisco Router, WebNS, Clearswift Email Gateway, Clearswift Web Gateway, CUPS, Debian, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FortiGate, FortiGate Virtual Appliance, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, F-Secure AV, hMailServer, HPE BSM, HP Data Protector, HPE NNMi, HP Operations, ProCurve Switch, SiteScope, HP Switch, TippingPoint IPS, HP-UX, AIX, Domino, Notes, Security Directory Server, SPSS Data Collection, Tivoli System Automation, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, IVE OS, Juniper J-Series, Junos OS, Junos Space, Junos Space Network Management Platform, MAG Series by Juniper, NSM Central Manager, NSMXpress, Juniper SA, McAfee Email and Web Security, McAfee Email Gateway, ePO, VirusScan, McAfee Web Gateway, IE, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows (platform) ~ not comprehensive, Windows RT, Windows Vista, NETASQ, NetBSD, NetScreen Firewall, ScreenOS, nginx, Nodejs Core, OpenSSL, openSUSE, openSUSE Leap, Oracle DB, Oracle Fusion Middleware, Oracle Identity Management, Oracle OIT, Solaris, Tuxedo, WebLogic, Palo Alto Firewall PA***, PAN-OS, Polycom CMA, HDX, RealPresence Collaboration Server, RealPresence Distributed Media Application, Polycom VBP, Postfix, SSL protocol, Puppet, RHEL, JBoss EAP by Red Hat, RSA Authentication Manager, ROS, ROX, RuggedSwitch, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Ubuntu, Unix (platform) ~ not comprehensive, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor, WinSCP.
Severity: 3/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Creation date: 15/10/2014.
Identifiers: 10923, 1589583, 1595265, 1653364, 1657963, 1663874, 1687167, 1687173, 1687433, 1687604, 1687611, 1690160, 1690185, 1690342, 1691140, 1692551, 1695392, 1696383, 1699051, 1700706, 2977292, 3009008, 7036319, aid-10142014, AST-2014-011, bulletinapr2015, bulletinjan2015, bulletinjan2016, bulletinjul2015, bulletinjul2016, bulletinoct2015, c04486577, c04487990, c04492722, c04497114, c04506802, c04510230, c04567918, c04616259, c04626982, c04676133, c04776510, CERTFR-2014-ALE-007, CERTFR-2014-AVI-454, CERTFR-2014-AVI-509, CERTFR-2015-AVI-169, CERTFR-2016-AVI-303, cisco-sa-20141015-poodle, cpujul2017, CTX216642, CVE-2014-3566, DSA-3053-1, DSA-3253-1, DSA-3489-1, ESA-2014-178, ESA-2015-098, ESXi500-201502001, ESXi500-201502101-SG, ESXi510-201503001, ESXi510-201503001-SG, ESXi510-201503101-SG, ESXi550-201501001, ESXi550-201501101-SG, FEDORA-2014-12989, FEDORA-2014-12991, FEDORA-2014-13012, FEDORA-2014-13017, FEDORA-2014-13040, FEDORA-2014-13069, FEDORA-2014-13070, FEDORA-2014-13444, FEDORA-2014-13451, FEDORA-2014-13764, FEDORA-2014-13777, FEDORA-2014-13781, FEDORA-2014-13794, FEDORA-2014-14234, FEDORA-2014-14237, FEDORA-2014-15379, FEDORA-2014-15390, FEDORA-2014-15411, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2015-9090, FEDORA-2015-9110, FreeBSD-SA-14:23.openssl, FSC-2014-8, HPSBGN03256, HPSBGN03305, HPSBGN03332, HPSBHF03156, HPSBHF03300, HPSBMU03152, HPSBMU03184, HPSBMU03213, HPSBMU03416, HPSBUX03162, HPSBUX03194, JSA10656, MDVSA-2014:203, MDVSA-2014:218, MDVSA-2015:062, NetBSD-SA2014-015, nettcp_advisory, openSUSE-SU-2014:1331-1, openSUSE-SU-2014:1384-1, openSUSE-SU-2014:1395-1, openSUSE-SU-2014:1426-1, openSUSE-SU-2016:0640-1, openSUSE-SU-2016:1586-1, openSUSE-SU-2017:0980-1, PAN-SA-2014-0005, POODLE, RHSA-2014:1652-01, RHSA-2014:1653-01, RHSA-2014:1692-01, RHSA-2014:1920-01, RHSA-2014:1948-01, RHSA-2015:0010-01, RHSA-2015:0011-01, RHSA-2015:0012-01, RHSA-2015:1545-01, RHSA-2015:1546-01, SA83, SB10090, SB10104, sk102989, SOL15702, SP-CAAANKE, SP-CAAANST, SPL-91947, SPL-91948, SSA:2014-288-01, SSA-396873, SSA-472334, SSRT101767, STORM-2014-02-FR, SUSE-SU-2014:1357-1, SUSE-SU-2014:1361-1, SUSE-SU-2014:1386-1, SUSE-SU-2014:1387-1, SUSE-SU-2014:1387-2, SUSE-SU-2014:1409-1, SUSE-SU-2015:0010-1, SUSE-SU-2016:1457-1, SUSE-SU-2016:1459-1, T1021439, TSB16540, USN-2839-1, VIGILANCE-VUL-15485, VMSA-2015-0001, VMSA-2015-0001.1, VMSA-2015-0001.2, VN-2014-003, VU#577193.

Description of the vulnerability

An SSL/TLS session can be established using several protocols:
 - SSL 2.0 (obsolete)
 - SSL 3.0
 - TLS 1.0
 - TLS 1.1
 - TLS 1.2

An attacker can first downgrade the negotiated version to SSL 3.0. With SSL 3.0 and a CBC cipher suite, the attacker can then alter the position of the padding in order to progressively guess fragments of the clear text.

This vulnerability is named POODLE (Padding Oracle On Downgraded Legacy Encryption).

An attacker, located as a Man-in-the-Middle, can therefore decrypt an SSL 3.0 session, in order to obtain sensitive information.

computer vulnerability bulletin CVE-2011-0411 CVE-2011-1430 CVE-2011-1431

Exim, Postfix, Qmail-TLS: command injection with STARTTLS

Synthesis of the vulnerability

Even when the SMTP client checks the TLS certificate of the messaging server, an attacker can inject commands into the session.
Impacted products: Debian, Exim, Fedora, Mandriva Linux, NetBSD, openSUSE, Postfix, RHEL, Sun Messaging, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: data reading, data creation/edition, data flow.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 08/03/2011.
Revision date: 23/05/2011.
Identifiers: BID-46767, CERTA-2011-AVI-146, CERTA-2011-AVI-177, cpuapr2011, CVE-2011-0411, CVE-2011-1430, CVE-2011-1431, CVE-2011-1432, DSA-2233-1, FEDORA-2011-3355, FEDORA-2011-3394, FEDORA-2011-6771, FEDORA-2011-6777, MDVSA-2011:045, openSUSE-SU-2011:0389-1, RHSA-2011:0422-01, RHSA-2011:0423-01, SUSE-SR:2011:008, SUSE-SR:2011:009, SUSE-SR:2011:010, SUSE-SU-2011:0520-1, VIGILANCE-VUL-10428, VU#555316.

Description of the vulnerability

An attacker can act as a Man-in-the-Middle between an SMTP client and its server, in order to inject SMTP commands. Clients that use TLS normally detect this attack when they verify the signature against the TLS certificate presented by the server.

When the SMTP protocol is encapsulated in a TLS session (RFC 3207), the client starts the SMTP session in clear text, then sends the STARTTLS command, which opens a TLS tunnel inside which the SMTP session restarts.

However, if an attacker sends an SMTP command in clear text immediately after the STARTTLS command, that command is already in the reception buffer of the SMTP session. When the session restarts inside TLS, the attacker's command is thus the first one interpreted. The flaw is that the reception buffer is not emptied before the SMTP session restarts.

Even when the SMTP client checks the TLS certificate of the messaging server, an attacker can therefore inject commands into the session.

This vulnerability is a variant of VIGILANCE-VUL-10463, VIGILANCE-VUL-10513 and VIGILANCE-VUL-11880.
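The buffering flaw described above, as an added Python model that is not Postfix, Exim or Qmail-TLS code: a toy SMTP session keeps a receive buffer across the STARTTLS switch; the vulnerable variant executes whatever plaintext was already buffered as if it had arrived inside TLS, while the fixed variant discards (and records, so it can be logged) those leftovers before restarting the session. The wire chunks are constructed.

```python
class SmtpSession:
    """Toy model of an SMTP server's receive buffer around STARTTLS.
    Constructed illustration of the bulletin's flaw, not Postfix code."""

    def __init__(self, flush_on_starttls):
        self.flush_on_starttls = flush_on_starttls
        self.buffer = b""          # bytes read from the socket, not yet parsed
        self.tls_active = False
        self.executed = []         # (command line, executed inside TLS?)
        self.discarded = b""       # plaintext dropped at the TLS switch (log it)

    def feed(self, data):
        """A socket read: the kernel may hand us several lines at once."""
        self.buffer += data

    def _pop_line(self):
        nl = self.buffer.find(b"\r\n")
        if nl < 0:
            return None
        line, self.buffer = self.buffer[:nl], self.buffer[nl + 2:]
        return line.decode("ascii", "replace")

    def _start_tls(self):
        # The TLS handshake happens here.  Every byte read *after* it is
        # authenticated; bytes already sitting in self.buffer were not.
        if self.flush_on_starttls:
            self.discarded += self.buffer   # fixed: drop unauthenticated leftovers
            self.buffer = b""
        self.tls_active = True

    def process(self):
        """Execute buffered command lines until the buffer is drained."""
        while (line := self._pop_line()) is not None:
            if line.upper() == "STARTTLS" and not self.tls_active:
                self.executed.append((line, False))
                self._start_tls()
                continue
            self.executed.append((line, self.tls_active))


def run_session(flush_on_starttls, wire_chunks):
    """Replay socket reads through a session and return it for inspection."""
    session = SmtpSession(flush_on_starttls)
    for chunk in wire_chunks:
        session.feed(chunk)
        session.process()
    return session


# Constructed wire: the first read carries the client's STARTTLS plus a line a
# man-in-the-middle appended in clear text; the second read is what the real
# client sends once the TLS tunnel is up.
WIRE = [b"STARTTLS\r\nNOOP injected-in-plaintext\r\n",
        b"EHLO client.example\r\n"]
```

Compare `run_session(False, WIRE).executed` with `run_session(True, WIRE).executed`: only the vulnerable variant runs the injected line, and it marks it as if it had come through TLS.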

computer vulnerability CVE-2011-1720

Postfix: memory corruption via the Cyrus SASL library

Synthesis of the vulnerability

When Postfix is configured with Cyrus SASL authentication, a remote attacker can change the authentication method in order to create a denial of service or to execute code.
Impacted products: Debian, Fedora, Mandriva Linux, openSUSE, Postfix, RHEL, SLES.
Severity: 3/4.
Consequences: privileged access/rights, data creation/edition, denial of service on service.
Provenance: internet client.
Creation date: 10/05/2011.
Identifiers: CERTA-2011-AVI-283, CVE-2011-1720, DSA-2233-1, FEDORA-2011-6771, FEDORA-2011-6777, MDVSA-2011:090, RHSA-2011:0843-01, SUSE-SA:2011:023, SUSE-SR:2011:010, SUSE-SU-2011:0520-1, VIGILANCE-VUL-10635, VU#727230.

Description of the vulnerability

The Cyrus SASL library (Simple Authentication and Security Layer) adds new authentication methods to existing protocols.

The Postfix mail server supports Cyrus and Dovecot implementations of SASL. For example, for Cyrus:
 - the command "postconf smtpd_sasl_auth_enable" produces as output "smtpd_sasl_auth_enable = yes"
 - the command "postconf smtpd_sasl_type" produces as output "smtpd_sasl_type = cyrus" (or "smtpd_sasl_type: unknown parameter")

When an SMTP client initiates an SMTP session on Postfix with Cyrus SASL enabled, a server SASL handle is created. The handle allocates a data structure that depends on the authentication type: for example, the structure storing CRAM-MD5 authentication state differs from the DIGEST-MD5 structure. However, if an attacker changes the authentication method during the session, the old structure is reused. As it is incompatible, its use corrupts memory.

The ANONYMOUS, PLAIN and LOGIN authentications do not lead to memory corruption, so another authentication type (CRAM-MD5, etc.) must be enabled on Postfix for the attacker to be able to exploit the vulnerability.

When Postfix is configured with Cyrus SASL authentication, a remote attacker can therefore change the authentication method in order to create a denial of service or to execute code.

vulnerability CVE-2008-3889

Postfix: denial of service under Linux

Synthesis of the vulnerability

When Postfix is installed on a Linux kernel 2.6, a local attacker can create a denial of service.
Impacted products: Fedora, Mandriva Linux, openSUSE, Postfix, TurboLinux.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: user account.
Number of vulnerabilities in this bulletin: 2.
Creation date: 02/09/2008.
Revision date: 17/09/2008.
Identifiers: BID-30977, CVE-2008-3889, CVE-2008-4042-ERROR, FEDORA-2008-8593, FEDORA-2008-8595, MDVSA-2008:190, SUSE-SR:2008:018, VIGILANCE-VUL-8080.

Description of the vulnerability

The Postfix messaging server handles events depending on the system:
 - kqueue under BSD
 - epoll() under Linux 2.6
 - /dev/poll under Solaris
 - poll() or select() on other systems

In the epoll (Linux 2.6) implementation, the epoll file descriptor is not closed when an external command is run. That command can therefore access the epoll descriptor.

A local attacker can thus write a malicious program that uses this epoll descriptor, and reference it from their "~/.forward" file in order to create a denial of service.

vulnerability bulletin CVE-2007-3791

Postfix policyd: buffer overflow

Synthesis of the vulnerability

An attacker can generate an overflow in Postfix policyd in order to create a denial of service or to execute code.
Impacted products: Debian, Postfix, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: privileged access/rights.
Provenance: internet client.
Creation date: 30/08/2007.
Identifiers: CERTA-2002-AVI-162, CERTA-2007-AVI-387, CVE-2007-3791, DSA-1361-1, VIGILANCE-VUL-7133.

Description of the vulnerability

The policyd daemon can be installed with Postfix to handle antispam policies.

An overflow occurs in the w_read() function of the sockets.c file when a line is longer than MAXLINE characters.

An attacker can therefore use a long SMTP command in order to create a denial of service or to execute code in policyd.

vulnerability note 6864

Postfix: IPv6 connections handled as localhost

Synthesis of the vulnerability

When IPv6 is deactivated, connections coming from inetd are handled as if they came from localhost.
Impacted products: Postfix.
Severity: 1/4.
Consequences: disguisement.
Provenance: internet client.
Creation date: 01/06/2007.
Identifiers: VIGILANCE-VUL-6864.

Description of the vulnerability

Support for IPv4 or IPv6 can be deactivated in Postfix, even if the system supports them.

When IPv4 or IPv6 is deactivated, connections coming from inetd are handled as if they came from localhost.

An attacker can then, for example, make Postfix log the address 127.0.0.1 instead of their real IP address.

computer vulnerability 6395

Postfix: denial of service via long headers

Synthesis of the vulnerability

An attacker can generate a denial of service by sending an email containing long headers, when a milter is active.
Impacted products: Postfix.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: document.
Creation date: 13/12/2006.
Identifiers: VIGILANCE-VUL-6395.

Description of the vulnerability

The Milter interface is used to create mail filters, for example to call an anti-spam program.

When a header is larger than 65535 bytes and a milter is active, a NULL pointer is dereferenced in the cleanup process.

An attacker can thus send such an email in order to stop the process.