CVE-2005-2151 - Unspecified vulnerability in Double Precision Incorporated Courier Mail Server

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE
Tags: network, low complexity, double-precision-incorporated, nessus

Summary

spf.c in Courier Mail Server does not properly handle DNS failures when looking up Sender Policy Framework (SPF) records, which could allow attackers to cause memory corruption.

Nessus

  • NASL family: SMTP problems
    NASL id: COURIER_0501.NASL
    description: The remote host is running Courier Mail Server, an open source mail server for Linux and Unix. According to its banner, the installed version of Courier is prone to a remote denial of service vulnerability triggered when doing Sender Policy Framework (SPF) data lookups. To exploit this flaw, an attacker would need to control a DNS server and return malicious SPF records in response to queries from the affected application.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18620
    published: 2005-07-06
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18620
    title: Courier Mail Server < 0.50.1 DNS SPF Record Lookup Failure Memory Corruption DoS
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    
    include("compat.inc");
    
    if (description) {
      script_id(18620);
      script_version("1.14");
    
      script_cve_id("CVE-2005-2151");
      script_bugtraq_id(14135);
     
      script_name(english:"Courier Mail Server < 0.50.1 DNS SPF Record Lookup Failure Memory Corruption DoS");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote mail server is vulnerable to a denial of service attack." );
      script_set_attribute(attribute:"description", value:
    "The remote host is running Courier Mail Server, an open source mail
    server for Linux and Unix. 
    
    According to its banner, the installed version of Courier is prone to
    a remote denial of service vulnerability triggered when doing Sender
    Policy Framework (SPF) data lookups.  To exploit this flaw, an
    attacker would need to control a DNS server and return malicious SPF
    records in response to queries from the affected application." );
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Courier version 0.50.1 or later." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_publication_date", value: "2005/07/06");
      script_set_attribute(attribute:"vuln_publication_date", value: "2005/07/02");
      script_cvs_date("Date: 2018/07/06 11:26:08");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value: "cpe:/a:double_precision_incorporated:courier_mail_server");
      script_end_attributes();
    
      script_summary(english:"Checks version of Courier Mail Server");
      script_category(ACT_GATHER_INFO);
      script_family(english:"SMTP problems");
      script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
      script_dependencies("smtpserver_detect.nasl");
      script_require_ports("Services/smtp", 25);
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("smtp_func.inc");
    
    
    port = get_service(svc:"smtp", default: 25, exit_on_fail: 1);
    if (get_kb_item('SMTP/'+port+'/broken')) exit(0);
    
    # Check the version number in the banner -- versions < 0.50.1 are vulnerable.
    banner = get_smtp_banner(port:port);
    if (banner && banner =~ "Courier 0\.([0-4][0-9]\.|50\.0[^0-9]*)")
      security_note(port); 
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-174-1.NASL
    description: A Denial of Service vulnerability has been discovered in the Courier mail server. Due to a flawed status code check, failed DNS (domain name service) queries for SPF (sender policy framework) were not handled properly and could lead to memory corruption. A malicious DNS server could exploit this to crash the Courier server. However, SPF is not enabled by default, so you are only vulnerable if you explicitly enabled it. The Ubuntu 4.10 version of courier is not affected by this. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20584
    published: 2006-01-15
    reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20584
    title: Ubuntu 5.04 : courier vulnerability (USN-174-1)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-174-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20584);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:33:00");
    
      script_cve_id("CVE-2005-2151");
      script_xref(name:"USN", value:"174-1");
    
      script_name(english:"Ubuntu 5.04 : courier vulnerability (USN-174-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A Denial of Service vulnerability has been discovered in the Courier
    mail server. Due to a flawed status code check, failed DNS (domain
    name service) queries for SPF (sender policy framework) were not
    handled properly and could lead to memory corruption. A malicious DNS
    server could exploit this to crash the Courier server.
    
    However, SPF is not enabled by default, so you are only vulnerable if
    you explicitly enabled it.
    
    The Ubuntu 4.10 version of courier is not affected by this.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:courier-authdaemon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:courier-authmysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:courier-authpostgresql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:courier-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:courier-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:courier-faxmail");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:courier-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:courier-imap-ssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:courier-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:courier-maildrop");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:courier-mlm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:courier-mta");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:courier-mta-ssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:courier-pcp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:courier-pop");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:courier-pop-ssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:courier-ssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:courier-webadmin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:sqwebmail");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.04");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/08/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(5\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 5.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"5.04", pkgname:"courier-authdaemon", pkgver:"0.47-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"5.04", pkgname:"courier-authmysql", pkgver:"0.47-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"5.04", pkgname:"courier-authpostgresql", pkgver:"0.47-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"5.04", pkgname:"courier-base", pkgver:"0.47-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"5.04", pkgname:"courier-doc", pkgver:"0.47-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"5.04", pkgname:"courier-faxmail", pkgver:"0.47-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"5.04", pkgname:"courier-imap", pkgver:"3.0.8-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"5.04", pkgname:"courier-imap-ssl", pkgver:"3.0.8-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"5.04", pkgname:"courier-ldap", pkgver:"0.47-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"5.04", pkgname:"courier-maildrop", pkgver:"0.47-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"5.04", pkgname:"courier-mlm", pkgver:"0.47-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"5.04", pkgname:"courier-mta", pkgver:"0.47-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"5.04", pkgname:"courier-mta-ssl", pkgver:"0.47-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"5.04", pkgname:"courier-pcp", pkgver:"0.47-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"5.04", pkgname:"courier-pop", pkgver:"0.47-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"5.04", pkgname:"courier-pop-ssl", pkgver:"0.47-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"5.04", pkgname:"courier-ssl", pkgver:"0.47-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"5.04", pkgname:"courier-webadmin", pkgver:"0.47-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"5.04", pkgname:"sqwebmail", pkgver:"0.47-3ubuntu1.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "courier-authdaemon / courier-authmysql / courier-authpostgresql / etc");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-784.NASL
    description: A problem has been discovered in the Courier Mail Server. DNS failures were not handled properly when looking up Sender Policy Framework (SPF) records, which could allow attackers to cause memory corruption. The default configuration on Debian has SPF checking disabled, so most machines are not vulnerable. This is explained in the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19527
    published: 2005-08-30
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19527
    title: Debian DSA-784-1 : courier - programming error
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-784. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(19527);
      script_version("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:18");
    
      script_cve_id("CVE-2005-2151");
      script_xref(name:"DSA", value:"784");
    
      script_name(english:"Debian DSA-784-1 : courier - programming error");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A problem has been discovered in the Courier Mail Server. DNS failures
    were not handled properly when looking up Sender Policy Framework
    (SPF) records, which could allow attackers to cause memory corruption.
    The default configuration on Debian has SPF checking disabled, so most
    machines are not vulnerable. This is explained in the 'courier'
    manpage, section SENDER POLICY FRAMEWORK KEYWORDS."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320290"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2005/dsa-784"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the courier-mta package.
    
    The old stable distribution (woody) is not affected by this problem.
    
    For the stable distribution (sarge) this problem has been fixed in
    version 0.47-4sarge1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:courier");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/08/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/08/30");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/07/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"courier-authdaemon", reference:"0.47-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"courier-authmysql", reference:"0.47-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"courier-authpostgresql", reference:"0.47-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"courier-base", reference:"0.47-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"courier-doc", reference:"0.47-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"courier-faxmail", reference:"0.47-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"courier-imap", reference:"3.0.8-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"courier-imap-ssl", reference:"3.0.8-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"courier-ldap", reference:"0.47-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"courier-maildrop", reference:"0.47-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"courier-mlm", reference:"0.47-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"courier-mta", reference:"0.47-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"courier-mta-ssl", reference:"0.47-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"courier-pcp", reference:"0.47-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"courier-pop", reference:"0.47-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"courier-pop-ssl", reference:"0.47-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"courier-ssl", reference:"0.47-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"courier-webadmin", reference:"0.47-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"sqwebmail", reference:"0.47-4sarge1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");