No School Like The Old School
I really need to learn to leave DNS alone 🙂
DNS TXT Record Parsing Bug in LibSPF2
A relatively common bug parsing TXT records delivered over DNS, dating at least back to 2002 in Sendmail 8.2.0 and almost certainly much earlier, has been found in LibSPF2, a library frequently used to retrieve SPF (Sender Policy Framework) records and apply policy according to those records. This implementation flaw allows for relatively flexible memory corruption, and should thus be treated as a path to anonymous remote code execution. Of particular note is that the remote code execution would occur on servers specifically designed to receive E-Mail from the Internet, and that these systems may in fact be high volume mail exchangers. This creates privacy implications. It is also the case that a corrupted email server is a useful “jumping off” point for attackers to corrupt desktop machines, since attachments can be corrupted with malware while the containing message stays intact. So there are internal security implications as well, above and beyond corruption of the mail server on the DMZ.
Apparently LibSPF2 is actually used to secure quite a bit of mail traffic — there’s a lot of SPAM out there. Fix is out, see http://www.libspf2.org/index.html or your friendly neighborhood distro. Thanks to Shevek, CERT (VU#183657), Ken Simpson of MailChannels, Andre Engel, Scott Kitterman, and Hannah Schroeter for their help with this.
Edit: Special thanks, incidentally, to Coverity, who upon hearing that there was one bug, ran their static analyzer on LibSPF2 and found six more. Cool!