long sendmail timeouts let attacker prevent milter quiesce
Summary:
An attacker that can predict when a milter will need to quiesce input
to allow for a reload may hold open an SMTP session for several hours.
This will lead to a DoS condition on the mailserver.
Background:
Sendmail is a popular Mail Transfer Agent (MTA), used in many large
sites that require advanced functionality. One feature is that it is
extensible through the use of the milter (Mail fILTER) interface. The
milter paradigm allows external programs to influence the SMTP session,
including rejecting messages based on content.
ClamAV is an opensource antivirus program. Unlike commercial solutions,
ClamAV takes advantage of community support to acquire virus samples,
and therefore can provide signatures for new threats very quickly. In
a typical installation, checks for database updates occur every 15
minutes, making uncaught viruses extremely rare. ClamAV comes with a
sendmail plugin, clamav-milter, that allows administrators to reject
viruses during the SMTP session.
Discussion:
Some milters require a periodic reload of application data. A simple
strategy is to quiesce input (by rejecting connections and waiting for
current connections to terminate). Once the connection count drops to
zero the reload can take place. Unfortunately, the long default
timeouts in sendmail allow a slow sender to keep an SMTP session open
for several hours. If the milter is rejecting new connections during
this time, the milter on the mailserver is effectively DoSed.
Furthermore, if sendmail is configured to require all messages to be
scanned by the milter, the DoS may extend to include all mail delivery.
As an example, clamav-milter versions 0.84 through 0.85d force the
number of child threads to 0 before reloading the antivirus database.
When a database update has been made available, an attacker can
initiate an SMTP session with a vulnerable server, and simply keep
the connection open as long as possible (several hours). The milter
will be unable to reload, and (depending on configuration) sendmail
may be unable to accept incoming messages. It is therefore possible
for an attacker to DoS a mailserver with a single persistent
connection. This issue was fixed in clamav-milter 0.85e, which scans
new connections with the new database, and keeps the old database
until it is finished scanning pre-existing connections.
All users of clamav-milter are encouraged to upgrade to clamav-0.86.
Those who cannot upgrade soon can mitigate the threat through one or
more of the following strategies:
- reduce the sendmail timeouts (reduces timespan of potential DoS)
- run clamav-milter in --external mode (eliminates possibility of DoS)
- run clmilter_watch after freshclam (recovers from an existing DoS)
Notes:
This threat is not particular to clamav-milter. Any milter that needs
to wait for (or force) a quiescent state to reload data files is likely
to be vulnerable to a similar attack.
Sources of above-mentioned software:
- Sendmail MTA : http://www.sendmail.org/
- Clam AntiVirus: http://www.clamav.net/
- clmilter_watch: http://www.itg.uiuc.edu/itg_software/clmilter_watch/
Timeline:
May 25, 2005: clamav-milter author informed of the details of the attack
May 27, 2005: Vulnerability eliminated in CVS (clamav-milter 0.85e)
Jun 14, 2005: Release candidate of patched version (ClamAV 0.86rc1)
Jun 20, 2005: Official release of patched version (ClamAV 0.86)
Jun 23, 2005: Public disclosure
Damian Menscher
--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <menscher@xxxxxxxx> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-