Sid 1-654

Message

SERVER-MAIL RCPT TO overflow

Summary

Buffer overflow in Lotus Domino Mail Server 5.0.5 and earlier allows a remote attacker to crash the server or execute arbitrary code via a long "RCPT TO" command.

Impact

CVSS base score 7.5

CVSS impact score 6.4

CVSS exploitability score 10.0

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

CVE-2003-0694:

CVSS base score 10.0

CVSS impact score 10.0

CVSS exploitability score 10.0

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

CVE-2008-0394:

CVSS base score 7.5

CVSS impact score 6.4

CVSS exploitability score 10.0

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

CVE-2009-0410:

CVSS base score 10.0

CVSS impact score 10.0

CVSS exploitability score 10.0

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

CVE-2010-2580:

CVSS base score 5.0

CVSS impact score 2.9

CVSS exploitability score 10.0

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

Detailed information

CVE-2003-0694: The prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c.

CVE-2008-0394: Buffer overflow in Citadel SMTP server 7.10 and earlier allows remote attackers to execute arbitrary code via a long RCPT TO command, which is not properly handled by the makeuserkey function. NOTE: some of these details were obtained from third party information.

CVE-2009-0410: Off-by-one error in the SMTP daemon in GroupWise Internet Agent (GWIA) in Novell GroupWise 6.5x, 7.0, 7.01, 7.02, 7.03, 7.03HP1a, and 8.0 allows remote attackers to execute arbitrary code via a long e-mail address in a malformed RCPT command, leading to a buffer overflow.

CVE-2010-2580: The SMTP service (MESMTPC.exe) in MailEnable 3.x and 4.25 does not properly perform a length check, which allows remote attackers to cause a denial of service (crash) via a long (1) email address in the MAIL FROM command, or (2) domain name in the RCPT TO command, which triggers an "unhandled invalid parameter error."
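
The four issues above share one trigger: an oversized address, domain or command line in RCPT TO (or MAIL FROM). The following is an added example, not this rule's own detection logic or any vendor's code: it flags client command lines that exceed the RFC 5321 section 4.5.3.1 size limits, which are assumed here as thresholds. The function names and the sample session are constructed for illustration.

```python
import re

# RFC 5321 section 4.5.3.1 size limits, in octets (assumed thresholds).
MAX_LINE, MAX_PATH, MAX_DOMAIN, MAX_LOCAL = 512, 256, 255, 64

_CMD = re.compile(rb"^\s*(RCPT\s+TO|MAIL\s+FROM)\s*:\s*(.*)$", re.I | re.S)

def check_smtp_line(line: bytes) -> list:
    """Return the size limits a MAIL FROM / RCPT TO line exceeds ([] if none)."""
    body = line.rstrip(b"\r\n")
    m = _CMD.match(body)
    if not m:
        return []
    verb = b" ".join(m.group(1).upper().split()).decode()
    reasons = []
    if len(body) + 2 > MAX_LINE:            # +2 for the CRLF terminator
        reasons.append(f"{verb}: command line > {MAX_LINE}")
    # The path ends at the first ">"; ESMTP parameters may follow it.
    # A malformed command with no ">" is measured in full.
    arg = m.group(2).strip()
    end = arg.find(b">")
    path = arg[: end + 1] if end != -1 else arg
    if len(path) > MAX_PATH:
        reasons.append(f"{verb}: path > {MAX_PATH}")
    mailbox = path.strip(b"<>")
    if mailbox.startswith(b"@"):            # drop an obsolete source route
        mailbox = mailbox.rsplit(b":", 1)[-1]
    local, at, domain = mailbox.rpartition(b"@")
    if not at:                              # no "@": treat it all as local part
        local, domain = mailbox, b""
    if len(local) > MAX_LOCAL:
        reasons.append(f"{verb}: local part > {MAX_LOCAL}")
    if len(domain) > MAX_DOMAIN:
        reasons.append(f"{verb}: domain > {MAX_DOMAIN}")
    return reasons

# Constructed sample session (client side only); not captured traffic.
SAMPLE_SESSION = [
    b"EHLO client.example\r\n",
    b"MAIL FROM:<alice@example.org>\r\n",
    b"RCPT TO:<bob@example.net>\r\n",
    b"RCPT TO:<" + b"A" * 600 + b"@example.net>\r\n",
    b"rcpt to:<bob@" + b"d" * 300 + b".example>\r\n",
    b"DATA\r\n",
]

def scan(session):
    """Map line index -> reasons for every flagged command in a session."""
    return {i: r for i, line in enumerate(session) if (r := check_smtp_line(line))}
```

Reporting which element is oversized (line, path, local part or domain) helps triage an alert against the specific product in use, since the entries above differ in which field overflows.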

Affected systems

  • sendmail advancedmessageserver 1.2
  • sendmail advancedmessageserver 1.3
  • sendmail sendmail 2.6
  • sendmail sendmail 2.6.1
  • sendmail sendmail 2.6.2
  • sendmail sendmail 3.0
  • sendmail sendmail 3.0.1
  • sendmail sendmail 3.0.2
  • sendmail sendmail 3.0.3
  • sendmail sendmail 8.8.8
  • sendmail sendmail 8.9.0
  • sendmail sendmail 8.9.1
  • sendmail sendmail 8.9.2
  • sendmail sendmail 8.9.3
  • sendmail sendmail 8.10
  • sendmail sendmail 8.10.1
  • sendmail sendmail 8.10.2
  • sendmail sendmail 8.11.0
  • sendmail sendmail 8.11.1
  • sendmail sendmail 8.11.2
  • sendmail sendmail 8.11.3
  • sendmail sendmail 8.11.4
  • sendmail sendmail 8.11.5
  • sendmail sendmail 8.11.6
  • sendmail sendmail 8.12
  • sendmail sendmail 8.12.0
  • sendmail sendmail 8.12.1
  • sendmail sendmail 8.12.2
  • sendmail sendmail 8.12.3
  • sendmail sendmail 8.12.4
  • sendmail sendmail 8.12.5
  • sendmail sendmail 8.12.6
  • sendmail sendmail 8.12.7
  • sendmail sendmail 8.12.8
  • sendmail sendmail 8.12.9
  • sendmail sendmail_pro 8.9.2
  • sendmail sendmail_pro 8.9.3
  • sendmail sendmail_switch 2.1
  • sendmail sendmail_switch 2.1.1
  • sendmail sendmail_switch 2.1.2
  • sendmail sendmail_switch 2.1.3
  • sendmail sendmail_switch 2.1.4
  • sendmail sendmail_switch 2.1.5
  • sendmail sendmail_switch 2.2
  • sendmail sendmail_switch 2.2.1
  • sendmail sendmail_switch 2.2.2
  • sendmail sendmail_switch 2.2.3
  • sendmail sendmail_switch 2.2.4
  • sendmail sendmail_switch 2.2.5
  • sendmail sendmail_switch 3.0
  • sendmail sendmail_switch 3.0.1
  • sendmail sendmail_switch 3.0.2
  • sendmail sendmail_switch 3.0.3
  • apple macosx 10.2
  • apple macosx 10.2.1
  • apple macosx 10.2.2
  • apple macosx 10.2.3
  • apple macosx 10.2.4
  • apple macosx 10.2.5
  • apple macosx 10.2.6
  • apple macosx_server 10.2
  • apple macosx_server 10.2.1
  • apple macosx_server 10.2.2
  • apple macosx_server 10.2.3
  • apple macosx_server 10.2.4
  • apple macosx_server 10.2.5
  • apple macosx_server 10.2.6
  • compaq tru64 4.0f
  • compaq tru64 4.0fpk6bl17
  • compaq tru64 4.0fpk7bl18
  • compaq tru64 4.0fpk8bl22
  • compaq tru64 4.0g
  • compaq tru64 4.0gpk3bl17
  • compaq tru64 4.0gpk4bl22
  • compaq tru64 5.1
  • compaq tru64 5.1pk3bl17
  • compaq tru64 5.1pk4bl18
  • compaq tru64 5.1pk5bl19
  • compaq tru64 5.1pk6bl20
  • compaq tru64 5.1a
  • compaq tru64 5.1apk1bl1
  • compaq tru64 5.1apk2bl2
  • compaq tru64 5.1apk3bl3
  • compaq tru64 5.1apk4bl21
  • compaq tru64 5.1apk5bl23
  • compaq tru64 5.1b
  • compaq tru64 5.1bpk1bl1
  • compaq tru64 5.1bpk2bl22
  • freebsd freebsd 3.0
  • freebsd freebsd 4.0
  • freebsd freebsd 4.3
  • freebsd freebsd 4.4
  • freebsd freebsd 4.5
  • freebsd freebsd 4.6
  • freebsd freebsd 4.7
  • freebsd freebsd 4.8
  • freebsd freebsd 4.9
  • freebsd freebsd 5.0
  • freebsd freebsd 5.1
  • gentoo linux 0.5
  • gentoo linux 0.7
  • gentoo linux 1.1a
  • gentoo linux 1.2
  • gentoo linux 1.4
  • hp hp-ux 11.00
  • hp hp-ux 11.0.4
  • hp hp-ux 11.11
  • hp hp-ux 11.22
  • ibm aix 4.3.3
  • ibm aix 5.1
  • ibm aix 5.2
  • netbsd netbsd 1.4.3
  • netbsd netbsd 1.5
  • netbsd netbsd 1.5.1
  • netbsd netbsd 1.5.2
  • netbsd netbsd 1.5.3
  • netbsd netbsd 1.6
  • netbsd netbsd 1.6.1
  • sgi irix 6.5.15
  • sgi irix 6.5.16
  • sgi irix 6.5.17f
  • sgi irix 6.5.17m
  • sgi irix 6.5.18f
  • sgi irix 6.5.18m
  • sgi irix 6.5.19f
  • sgi irix 6.5.19m
  • sgi irix 6.5.20f
  • sgi irix 6.5.20m
  • sgi irix 6.5.21f
  • sgi irix 6.5.21m
  • sun solaris 2.6
  • sun solaris 7.0
  • sun solaris 8.0
  • sun solaris 9.0
  • turbolinux turbolinuxadvancedserver 6.0
  • turbolinux turbolinux_server 6.1
  • turbolinux turbolinux_server 6.5
  • turbolinux turbolinux_server 7.0
  • turbolinux turbolinux_server 8.0
  • turbolinux turbolinux_workstation 6.0
  • turbolinux turbolinux_workstation 7.0
  • turbolinux turbolinux_workstation 8.0
  • citadel smtp 7.10
  • novell groupwise 6.5
  • novell groupwise 7.0
  • novell groupwise 7.01
  • novell groupwise 7.02x
  • novell groupwise 7.03
  • novell groupwise 8.0
  • mailenable mailenable 3.0
  • mailenable mailenable 3.01
  • mailenable mailenable 3.02
  • mailenable mailenable 3.03
  • mailenable mailenable 3.04
  • mailenable mailenable 3.5
  • mailenable mailenable 3.6
  • mailenable mailenable 3.10
  • mailenable mailenable 3.11
  • mailenable mailenable 3.12
  • mailenable mailenable 3.13
  • mailenable mailenable 3.14
  • mailenable mailenable 3.51
  • mailenable mailenable 3.52
  • mailenable mailenable 3.53
  • mailenable mailenable 3.61
  • mailenable mailenable 3.62
  • mailenable mailenable 3.63
  • mailenable mailenable 4.0
  • mailenable mailenable 4.1
  • mailenable mailenable 4.11
  • mailenable mailenable 4.12
  • mailenable mailenable 4.13
  • mailenable mailenable 4.14
  • mailenable mailenable 4.15
  • mailenable mailenable 4.16
  • mailenable mailenable 4.17
  • mailenable mailenable 4.22
  • mailenable mailenable 4.23
  • mailenable mailenable 4.24
  • mailenable mailenable 4.25

Ease of attack

CVE-2003-0694:

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

CVE-2008-0394:

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

CVE-2009-0410:

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

CVE-2010-2580:

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

False positives

None known

False negatives

None known

Corrective action

Upgrade to the latest non-affected version of the software.

Apply the appropriate vendor supplied patches.

Contributors

  • Talos research team.
  • This document was generated from data supplied by the National Vulnerability Database, a product of the National Institute of Standards and Technology.
  • For more information, see NVD.

Additional References