fetchmail 6.3.8 and earlier, when running in -v -v (aka verbose) mode, allows remote attackers to cause a denial of service (crash and persistent mail failure) via a malformed mail message with long headers, which triggers an erroneous dereference when using vsnprintf to format log messages.

Matthias Andree reports :

When a log message exceeds c. 2 kByte in size, for instance, with very long header contents, and depending on verbosity option, fetchmail can crash or misreport each first log message that requires a buffer reallocation.

The remote Oracle Linux 5 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2009-1427 advisory.

    [6.3.6-1.1.el5_3.1]
    - Fix fetchmail various flaws (CVE-2007-4565, CVE-2008-2711, CVE-2009-2666)       Resolves: #516269

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

CVE-2007-4565 Fetchmail NULL pointer dereference

CVE-2008-2711 fetchmail: Crash in large log messages in verbose mode

CVE-2009-2666 fetchmail: SSL null terminator bypass

It was discovered that fetchmail is affected by the previously published 'null prefix attack', caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse fetchmail into accepting it by mistake. (CVE-2009-2666)

A flaw was found in the way fetchmail handles rejections from a remote SMTP server when sending warning mail to the postmaster. If fetchmail sent a warning mail to the postmaster of an SMTP server and that SMTP server rejected it, fetchmail could crash. (CVE-2007-4565)

A flaw was found in fetchmail. When fetchmail is run in double verbose mode ('-v -v'), it could crash upon receiving certain, malformed mail messages with long headers. A remote attacker could use this flaw to cause a denial of service if fetchmail was also running in daemon mode ('-d'). (CVE-2008-2711)

If fetchmail is running in daemon mode, it must be restarted for this update to take effect (use the 'fetchmail --quit' command to stop the fetchmail process).

An updated fetchmail package that fixes multiple security issues is now available for Red Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Fetchmail is a remote mail retrieval and forwarding utility intended for use over on-demand TCP/IP links, such as SLIP and PPP connections.

It was discovered that fetchmail is affected by the previously published 'null prefix attack', caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse fetchmail into accepting it by mistake. (CVE-2009-2666)

A flaw was found in the way fetchmail handles rejections from a remote SMTP server when sending warning mail to the postmaster. If fetchmail sent a warning mail to the postmaster of an SMTP server and that SMTP server rejected it, fetchmail could crash. (CVE-2007-4565)

A flaw was found in fetchmail. When fetchmail is run in double verbose mode ('-v -v'), it could crash upon receiving certain, malformed mail messages with long headers. A remote attacker could use this flaw to cause a denial of service if fetchmail was also running in daemon mode ('-d'). (CVE-2008-2711)

Note: when using SSL-enabled services, it is recommended that the fetchmail '--sslcertck' option be used to enforce strict SSL certificate checking.

All fetchmail users should upgrade to this updated package, which contains backported patches to correct these issues. If fetchmail is running in daemon mode, it must be restarted for this update to take effect (use the 'fetchmail --quit' command to stop the fetchmail process).

A flaw in fetchmail was discovered that allowed remote attackers to cause a denial of service (crash and persistent mail failure) via a malformed message with long headers. The crash only occured when fetchmail was called in '-v -v' mode (CVE-2008-2711).

The updated packages have been patched to prevent this issue.

The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2009-001 applied.

This security update contains fixes for the following products :

  - AFP Server
  - Apple Pixlet Video
  - CarbonCore
  - CFNetwork
  - Certificate Assistant
  - ClamAV
  - CoreText
  - CUPS
  - DS Tools
  - fetchmail
  - Folder Manager
  - FSEvents
  - Network Time
  - perl
  - Printing
  - python
  - Remote Apple Events
  - Safari RSS
  - servermgrd
  - SMB
  - SquirrelMail
  - X11
  - XTerm

New fetchmail packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, and -current to fix security issues.

Matthias Andree reports :

2008-06-24 1.2 also fixed issue in report_complete (reported by Petr Uzel)

http://fetchmail.berlios.de/fetchmail-SA-2008-01.txt

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Matthias Andree reports :

Gunter Nau reported fetchmail crashing on some messages; further debugging by Petr Uzel and Petr Cerny at Novell/SUSE Czech Republic dug up that this happened when fetchmail was trying to print, in -v -v verbose level, headers exceeding 2048 bytes. In this situation, fetchmail would resize the buffer and fill in further parts of the message, but forget to reinitialize its va_list typed source pointer, thus reading data from a garbage address found on the stack at addresses above the function arguments the caller passed in; usually that would be the caller's stack frame.

ID	Name	Product	Family	Severity
152150	FreeBSD : fetchmail -- 6.4.19 and older denial of service or information disclosure (cbfd1874-efea-11eb-8fe9-036bd763ff35)	Nessus	FreeBSD Local Security Checks	high
67920	Oracle Linux 5 : fetchmail (ELSA-2009-1427)	Nessus	Oracle Linux Local Security Checks	high
60662	Scientific Linux Security Update : fetchmail on SL3.x, SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
40901	RHEL 3 / 4 / 5 : fetchmail (RHSA-2009:1427)	Nessus	Red Hat Local Security Checks	medium
40893	CentOS 3 / 4 / 5 : fetchmail (CESA-2009:1427)	Nessus	CentOS Local Security Checks	medium
36958	Mandriva Linux Security Advisory : fetchmail (MDVSA-2008:117)	Nessus	Mandriva Local Security Checks	medium
35684	Mac OS X Multiple Vulnerabilities (Security Update 2009-001)	Nessus	MacOS X Local Security Checks	critical
33746	Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 8.1 / 9.0 / 9.1 / current : fetchmail (SSA:2008-210-01)	Nessus	Slackware Local Security Checks	medium
33374	FreeBSD : fetchmail -- potential crash in -v -v verbose mode (revised patch) (1e8e63c0-478a-11dd-a88d-000ea69a5213)	Nessus	FreeBSD Local Security Checks	medium
33373	Fedora 8 : fetchmail-6.3.8-4.fc8 (2008-5800)	Nessus	Fedora Local Security Checks	medium
33372	Fedora 9 : fetchmail-6.3.8-7.fc9 (2008-5789)	Nessus	Fedora Local Security Checks	medium
33239	FreeBSD : fetchmail -- potential crash in -v -v verbose mode (168190df-3e9a-11dd-87bc-000ea69a5213)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2008-2711

high

Tenable Plugins

high

high

medium

medium

medium

medium

critical

medium

medium

medium

medium

medium