fetchmail-SA-2012-01: DoS possible with NTLM authentication in debug mode Topics: fetchmail denial of service in NTLM protocol phase Author: Matthias Andree Version: draft Announced: 2012-08-13 Type: crash while reading from bad memory location Impact: fetchmail segfaults and aborts, stalling inbound mail Danger: low Acknowledgment: J. Porter Clark CVE Name: (TBD) URL: http://www.fetchmail.info/fetchmail-SA-2012-02.txt Project URL: http://www.fetchmail.info/ Affects: - fetchmail releases 5.0.8 up to and including 6.3.21 when compiled with NTLM support enabled Not affected: - fetchmail releases compiled with NTLM support disabled - fetchmail releases 6.3.22 and newer Corrected in: 2012-08-13 Git, among others, see commit 3fbc7cd331602c76f882d1b507cd05c1d824ba8b 2012-08-xx fetchmail 6.3.22 release tarball 0. Release history ================== 2012-08-13 0.1 draft 1. Background ============= fetchmail is a software package to retrieve mail from remote POP3, IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or message delivery agents. fetchmail supports SSL and TLS security layers through the OpenSSL library, if enabled at compile time and if also enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as well as in-band-negotiated "STARTTLS" and "STLS" modes through the regular protocol ports. 2. Problem description and Impact ================================= Fetchmail version 5.0.8 added NTLM support. This code sent the NTLM authentication request, but never checked if the received response was NTLM protocol exchange, or a server-side error message. Instead, fetchmail tried to decode the error message as though it were base64-encoded protocol exchange, and could then segfault depending of buffer contents, while reading data from bad memory locations. 3. Solution =========== Install fetchmail 6.3.22 or newer. The fetchmail source code is always available from . Distributors are encouraged to review the NEWS file and move forward to 6.3.22, rather than backport individual security fixes, because doing so routinely misses other fixes crucial to fetchmail's proper operation, for which no security announcements are issued, or documentation. Fetchmail 6.3.X releases have always been made with a focus on unchanged user and program interfaces so as to avoid disruptions when upgrading from 6.3.X to 6.3.Y with Y > X. Care was taken to not change the interface incompatibly. A. Copyright, License and Non-Warranty ====================================== (C) Copyright 2012 by Matthias Andree, . Some rights reserved. This work is licensed under the Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/3.0/de/deed.en or send a letter to: Creative Commons 444 Castro Street Suite 900 MOUNTAIN VIEW, CALIFORNIA 94041 USA THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk. END of fetchmail-SA-2012-02