Vulnerabilities > CVE-2003-0468 - Denial of Service vulnerability in Multiple Postfix

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
wietse-venema
conectiva
nessus

Summary

Postfix 1.1.11 and earlier allows remote attackers to use Postfix to conduct "bounce scans" or DDos attacks of other hosts via an email address to the local host containing the target IP address and service name followed by a "!" string, which causes Postfix to attempt to use SMTP to communicate with the target on the associated port.

Nessus

  • NASL familySMTP problems
    NASL idPOSTFIX_VULNS.NASL
    descriptionThe remote host is running a version of Postfix that is as old as or older than 1.1.12. There are two vulnerabilities in this version that could allow an attacker to remotely disable it, or to be used as a DDoS agent against arbitrary hosts.
    last seen2020-06-01
    modified2020-06-02
    plugin id11820
    published2003-08-15
    reporterThis script is Copyright (C) 2003-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/11820
    titlePostfix < 2.0 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(11820);
     script_version("1.24");
     script_cvs_date("Date: 2018/09/24  9:27:18");
    
     script_cve_id("CVE-2003-0468", "CVE-2003-0540");
     script_bugtraq_id(8361, 8362);
     
     script_xref(name:"RHSA", value:"2003:251-01");
     script_xref(name:"SuSE", value:"SUSE-SA:2003:033");
    
     script_name(english:"Postfix < 2.0 Multiple Vulnerabilities");
     script_summary(english: "Checks the version of the remote Postfix daemon");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote server is vulnerable to a denial of service.");
     script_set_attribute(attribute:"description", value:
    "The remote host is running a version of Postfix that is as old as or 
    older than 1.1.12.
    
    There are two vulnerabilities in this version that could allow an 
    attacker to remotely disable it, or to be used as a DDoS agent against 
    arbitrary hosts.");
     script_set_attribute(attribute:"solution", value:
    "Upgrade to Postfix 2.0.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
     script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
     script_set_attribute(attribute:"cvss_score_source", value:"CVE-2003-0468");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"potential_vulnerability", value:"true");
    
     script_set_attribute(attribute:"plugin_publication_date", value:"2003/08/15");
     script_set_attribute(attribute:"vuln_publication_date", value:"2003/08/03");
    
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:postfix:postfix");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2003-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
     script_family(english: "SMTP problems");
     script_dependencies("smtpscan.nasl", "smtpserver_detect.nasl");
     script_require_ports("Services/smtp", 25);
     script_require_keys("Settings/ParanoidReport");
     exit(0);
    }
    
    include("global_settings.inc");
    include("audit.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    port = get_kb_item("Services/smtp");
    if(!port)port = 25;
    
    banner = get_kb_item("smtp/" + port + "/real_banner");
    
    if(!banner) banner = get_kb_item_or_exit("smtp/" + port + "/banner");
    
    if(preg(pattern:".*Postfix 1\.(0\..*|1\.([0-9][^0-9]|1[0-2]))", string:banner)||
       preg(pattern:".*Postfix 2001.*", string:banner))
    {
     security_warning(port);
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SA_2003_033.NASL
    descriptionThe remote host is missing the patch for the advisory SUSE-SA:2003:033 (postfix). Postfix is a flexible MTA replacement for sendmail. Michal Zalewski has reported problems in postfix which can lead to a remote DoS attack or allow attackers to bounce-scan private networks. These problems have been fixed. Even though not all of our products are vulnerable in their default configurations, the updates should be applied. In order for the update to take effect, you have to restart your MTA by issuing the following command as root:
    last seen2020-06-01
    modified2020-06-02
    plugin id13802
    published2004-07-25
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13802
    titleSUSE-SA:2003:033: postfix
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-363.NASL
    descriptionThe postfix mail transport agent in Debian 3.0 contains two vulnerabilities : - CAN-2003-0468: Postfix would allow an attacker to bounce-scan private networks or use the daemon as a DDoS tool by forcing the daemon to connect to an arbitrary service at an arbitrary IP address and either receiving a bounce message or observing queue operations to infer the status of the delivery attempt. - CAN-2003-0540: a malformed envelope address can 1) cause the queue manager to lock up until an entry is removed from the queue and 2) lock up the smtp listener leading to a denial of service.
    last seen2020-06-01
    modified2020-06-02
    plugin id15200
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15200
    titleDebian DSA-363-1 : postfix - denial of service, bounce-scanning
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2003-081.NASL
    descriptionTwo vulnerabilities were discovered in the postfix MTA by Michal Zalewski. Versions prior to 1.1.12 would allow an attacker to bounce- scan private networks or use the daemon as a DDoS (Distributed Denial of Service) tool by forcing the daemon to connect to an arbitrary service at an arbitrary IP address and receiving either a bounce message or by timing. As well, versions prior to 1.1.12 have a bug where a malformed envelope address can cause the queue manager to lock up until an entry is removed from the queue and also lock up the SMTP listener leading to a DoS. Postfix version 1.1.13 corrects these issues. The provided packages have been patched to fix the vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id14063
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14063
    titleMandrake Linux Security Advisory : postfix (MDKSA-2003:081)

Oval

accepted2010-09-20T04:00:27.729-04:00
classvulnerability
contributors
  • nameJay Beale
    organizationBastille Linux
  • nameThomas R. Jones
    organizationMaitreya Security
  • nameJonathan Baker
    organizationThe MITRE Corporation
descriptionPostfix 1.1.11 and earlier allows remote attackers to use Postfix to conduct "bounce scans" or DDos attacks of other hosts via an email address to the local host containing the target IP address and service name followed by a "!" string, which causes Postfix to attempt to use SMTP to communicate with the target on the associated port.
familyunix
idoval:org.mitre.oval:def:522
statusaccepted
submitted2003-09-02T12:00:00.000-04:00
titlePostfix Bounce Scans Vulnerability
version40

Redhat

advisories
rhsa
idRHSA-2003:251

Seebug

  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:76766
    last seen2017-11-19
    modified2014-07-01
    published2014-07-01
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-76766
    titlePostfix 1.1.x Denial of Service Vulnerabilities (1)
  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:76767
    last seen2017-11-19
    modified2014-07-01
    published2014-07-01
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-76767
    titlePostfix 1.1.x Denial of Service Vulnerabilities (2)