[On-line version will be at http://www.postfix.org/CVE-2011-1720.html]

Summary
=======

The Postfix SMTP server has a memory corruption error when the Cyrus
SASL library is used with authentication mechanisms other than PLAIN
and LOGIN (the ANONYMOUS mechanism is unaffected but should not be
enabled for different reasons). See below for instructions to
determine what systems are affected.

Examples of affected Cyrus SASL authentication methods are CRAM-MD5,
DIGEST-MD5, EXTERNAL, GSSAPI, KERBEROS_V4, NTLM, OTP, PASSDSS-3DES-1,
and SRP.

The error was introduced with the Postfix SASL patch, and is present
in all Postfix versions where the command "postconf mail_release_date"
reports a value of 20000314 (March 14, 2000) or greater.

This problem was discovered by Thomas Jarosch of Intra2net AG.

The memory corruption is known to result in a program crash (SIGSEV).
Remote code execution cannot be excluded. Such code would execute
as the unprivileged "postfix" user. This user has no control over
processes that run with non-postfix privileges including Postfix
processes running as root; the impact may be reduced with configurations
that enable the Postfix chroot feature or that use platform-dependent
privilege-reducing features.

The problem is fixed in Postfix stable releases 2.5.13, 2.6.10,
2.7.4, 2.8.3; in the Postfix 2.9 development release as of May 1,
2011; patches exist for Postfix version 1.1 and later. All this is
available from Postfix mirrors at http://www.postfix.org/download.html.

What systems are affected
=========================

The Postfix SMTP client is not affected.

Affected are Postfix SMTP server configurations that have SASL
authentication turned on, and that use Cyrus SASL authentication
mechanisms other than ANONYMOUS, PLAIN and LOGIN. Here,

  * the command "postconf smtpd_sasl_auth_enable" produces as output
    "smtpd_sasl_auth_enable = yes";

  * and the command "postconf smtpd_sasl_type" produces as output
    "smtpd_sasl_type = cyrus" (or "smtpd_sasl_type: unknown
    parameter");

  * and the Postfix SMTP server's reply to the EHLO command shows
    AUTH methods other than ANONYMOUS, PLAIN and LOGIN. Examples
    of other methods are CRAM-MD5 or DIGEST-MD5.

    Example for the "port 25" service:

    $ telnet server.example.com 25
    Connected to server.example.com.
    Escape character is '^]'.
    220 server.example.com ESMTP Postfix
    ehlo client.example.com
    250-server.example.com
    250-PIPELINING
    250-SIZE 10240000
    250-STARTTLS
    250-AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5
    250-AUTH=DIGEST-MD5 LOGIN PLAIN CRAM-MD5
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.

    Example for the "port 587" (submission) service. This service
    is not enabled by default.

    $ openssl s_client -quiet -starttls smtp -connect server.example.com:587
    [TLS handshake information deleted]
    250 DSN
    ehlo client.example.com
    250-server.example.com
    250-PIPELINING
    250-SIZE 10240000
    250-AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5
    250-AUTH=DIGEST-MD5 LOGIN PLAIN CRAM-MD5
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    quit
    221 2.0.0 Bye

Although it is not affected, the ANONYMOUS authentication mechanism
should not be enabled as it can make an SMTP server an open relay.

What systems are not affected
=============================

The Postfix SMTP client is not affected.

Not affected are Postfix SMTP server configurations that have SASL
authentication turned off, including configurations without SASL
support compiled in. Here, the command "postconf smtpd_sasl_auth_enable"
produces as output "smtpd_sasl_auth_enable = no".

Not affected are Postfix SMTP server configurations that use Dovecot
SASL instead of Cyrus SASL. Here, the command "postconf smtpd_sasl_type"
produces as output "smtpd_sasl_type = dovecot".

Not affected are Postfix SMTP server configurations that enable
Cyrus SASL support with only the PLAIN or LOGIN methods, or both.
Here,

  * the command "postconf smtpd_sasl_auth_enable" produces as output
    "smtpd_sasl_auth_enable = yes";

  * and the command "postconf smtpd_sasl_type" produces as output
    "smtpd_sasl_type = cyrus" (or "smtpd_sasl_type: unknown
    parameter");

  * and the Postfix SMTP server's reply to the EHLO command shows
    only AUTH mechanisms of PLAIN, LOGIN, or both.

    Example for the "port 25" service:

    $ telnet server.example.com 25
    Connected to server.example.com.
    Escape character is '^]'.
    220 server.example.com ESMTP Postfix
    ehlo client.example.com
    250-server.example.com
    250-PIPELINING
    250-SIZE 10240000
    250-STARTTLS
    250-AUTH LOGIN PLAIN
    250-AUTH=LOGIN PLAIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.

    Example for the "port 587" (submission) service. This service
    is not enabled by default.

    $ openssl s_client -quiet -starttls smtp -connect server.example.com:587
    [TLS handshake information deleted]
    250 DSN
    ehlo client.example.com
    250-server.example.com
    250-PIPELINING
    250-SIZE 10240000
    250-AUTH LOGIN PLAIN
    250-AUTH=LOGIN PLAIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    quit
    221 2.0.0 Bye

Not affected is the ANONYMOUS authentication mechanism, but this
should not be enabled as it can make an SMTP server an open relay.

Workarounds
===========

Disable Cyrus SASL authentication mechanisms for the Postfix SMTP
server other than PLAIN and LOGIN. The mechanisms are specified in
a Cyrus SASL smtpd.conf configuration file. This file may be found
in /etc/postfix/sasl/, /var/lib/ sasl2/, /etc/sasl2/, /usr/lib/sasl2/
or /usr/local/lib/sasl2/.

In this file, update the "mech_list:" entry and remove any methods
other than PLAIN and LOGIN. For example, this configuration is not
affected:

    mech_list: PLAIN LOGIN

Execute the command "postfix reload" to make the change effective,
then verify that the "port 25" and "port 587" services no longer
announce other SASL mechanisms, as shown in the previous section.

Technical details
=================

The Postfix SMTP server creates a SASL handle for each SMTP session,
when SASL authentication is enabled. The Postfix SMTP server will
use this SASL handle until it closes the SMTP connection (the Postfix
SMTP server may create a new server SASL handle when the client and
server agree to switch from a plaintext session to a TLS-encrypted
session, but this does not eliminate the memory corruption problem).

According to a comment in a Cyrus SASL include source file, a server
must not reuse a Cyrus SASL server handle after client authentication
failure. Instead, a server must create a new Cyrus SASL server
handle including mechanism list, before processing another client
authentication request.

The Postfix SMTP server fails to create a new Cyrus SASL server
handle after authentication failure. This causes memory corruption
when, for example, a client requests CRAM-MD5 authentication, fails
to authenticate, and then invokes some other authentication mechanism
except PLAIN (or ANONYMOUS if available). The likely outcome is
that the Postfix SMTP server process crashes with a segmentation
violation error (SIGSEGV, a.k.a. signal 11).

In the following example, S: indicates server output and C: indicates
client input. Line numbers are prepended for reference in the
background discussion in the next section.

     1 S: 220 server.example.com ESMTP
     2 C: EHLO client.example.com
     3 S: 250-server.example.com
     4 S: ...other server output skipped...
     5 S: 250-AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5
     6 S: 250-AUTH=DIGEST-MD5 LOGIN PLAIN CRAM-MD5
     7 S: ...other server output skipped...
     8 C: AUTH CRAM-MD5
     9 S: 334 PDg5ODE0OTI3MS4xMDQyMTg1OUBzZXJ2ZXIuZXhhbXBsZS5jb20+Cg==
    10 C: *
    11 S: 501 5.7.0 Authentication aborted
    12 C: AUTH DIGEST-MD5
    13 Connection closed by foreign host.

In the mail logfile, Postfix will log a warning similar to:

    postfix/master[2213]: warning: process /usr/libexec/postfix/smtpd
    pid 22585 killed by signal 11

Background
==========

Each Cyrus SASL authentication mechanism is implemented with a) one
statically-allocated shared data structure containing data and
pointers to functions that implement the mechanism, and b)
dynamically-allocated session context data structures with
authentication state.

When the Postfix SMTP server receives "AUTH CRAM-MD5" (line 8 above),
the Cyrus SASL CRAM-MD5 method initializes one CRAM-MD5 session
context data structure, and generates the "step 1" initial client
challenge which the Postfix SMTP server sends in line 9 above.

When the SMTP client sends "*" to abort the CRAM-MD5 authentication
request (line 10 above), the CRAM-MD5 session context data structure
remains attached to the Cyrus SASL server handle. Postfix fails to
create a new Cyrus SASL server handle when the client sends the
subsequent "AUTH DIGEST-MD5" request (line 12 above); the DIGEST-MD5
method will therefore use the "wrong" session context data structure
(which was created after the "AUTH CRAM-MD5" request on line 8),
and will skip its "step 1" challenge.

Each Cyrus SASL authentication method has a different context data
structure layout. Because of these differences, the bits from the
CRAM-MD5 method's context data structure will not work as intended
with the DIGEST-MD5 method. As shown in the stack trace below, the
Postfix SMTP server process crashes in "step 2" of the DIGEST-MD5
authentication protocol. This happens while attempting to read from
a pointer that contains an invalid address.

In this particular example, the Postfix SMTP server crashes while
running under control of the GDB debugger (see the Postfix master(5)
manpage discussion of the -D option), while processing the SMTP
commands shown in the example above.

(gdb) where
#0  0x884bbedf in clear_reauth_entry (reauth=0x206e6f69, type=SERVER,
    utils=0x88534400) at digestmd5.c:1579
#1  0x884be648 in digestmd5_server_mech_step2 (stext=0x88518150,
    sparams=0x8850c840, clientin=0x0, clientinlen=0, serverout=0xbfbfe140,
    serveroutlen=0xbfbfe144, oparams=0x8855e860) at digestmd5.c:2588
#2  0x884be9c5 in digestmd5_server_mech_step (conn_context=0x88518150,
    sparams=0x8850c840, clientin=0x0, clientinlen=0, serverout=0xbfbfe140,
    serveroutlen=0xbfbfe144, oparams=0x8855e860) at digestmd5.c:2689
#3  0x882a51e9 in sasl_server_step (conn=0x8855e000, clientin=0x0,
    clientinlen=0, serverout=0xbfbfe140, serveroutlen=0xbfbfe144)
    at server.c:1430
#4  0x882a5002 in sasl_server_start (conn=0x8855e000, mech=0x8854dc08
    "DIGEST-MD5", clientin=0x0, clientinlen=0, serverout=0xbfbfe140,
    serveroutlen=0xbfbfe144) at server.c:1362
#5  0x08066bf7 in xsasl_cyrus_server_first (xp=0x8851af18,
    sasl_method=0x8854dc08 "DIGEST-MD5", init_response=0x0,
    reply=0x8851aee8) at xsasl_cyrus_server.c:529
[Remainder of stack trace omitted for brevity]

This stack trace was obtained after informing the GDB debugger of
SASL authentication methods that are linked in at runtime (example:
"add-symbol-file /usr/local/lib/sasl2/libdigestmd5.so.2 0x884b8e50").
Without that information, GDB reports a corrupted stack, because
it does not know that the program is executing legitimate code.

Impact analysis
===============

What context data structure bits does the DIGEST-MD5 method inherit
from the aborted CRAM-MD5 authentication request? As mentioned
earlier, different Cyrus SASL authentication methods have different
per-session context data structures.  In particular, the CRAM-MD5
method uses a small structure while DIGEST-MD5 uses a larger one.

The DIGEST-MD5 method will therefore access memory outside the block
that was allocated during the aborted CRAM-MD5 request. That is,
it accesses random memory on the heap. The contents of that memory
will depend on the malloc implementation and on the program execution
history.

Version 2.1.23 of the Cyrus SASL library implements 12 authentication
methods.  Of these, 9 methods maintain server session context data
structures that contain some mix of data and data pointers. When
these are read from random heap memory, or from a structure that
was allocated for a different SASL mechanism, all kinds of things
could happen. This is why remote code execution cannot be excluded.

Why the Cyrus SASL PLAIN and LOGIN methods are not affected
===========================================================

There is no memory corruption problem with the "AUTH PLAIN" method,
because this does not use or create a dynamically-allocated session
context data structure. In particular, sending "AUTH LOGIN" after
aborting or failing an "AUTH PLAIN" request does not result in
memory corruption, because the PLAIN authentication method does not
allocate a session context data structure. Also, sending "AUTH
PLAIN" after aborting or failing an "AUTH LOGIN" request does not
result in memory corruption, because the PLAIN authentication method
ignores the per-session context data structure that is created by
the LOGIN authentication method. Finally, there is no memory
corruption when the LOGIN authentication method inherits a session
context data structure from an aborted or failed "AUTH LOGIN"
request.

It is for these reasons that Postfix SMTP servers with Cyrus SASL
support for only PLAIN and LOGIN are not affected. Fortunately,
PLAIN + LOGIN is the most commonly-used configuration, usually
combined with TLS encryption to protect passwords on the wire. There
will be a minor memory leak, but the Postfix SMTP server limits the
number of failed requests and thereby limits the leak.

There is no memory corruption problem with the "AUTH ANONYMOUS"
method, because just like "AUTH PLAIN" this does not create or use
a dynamically-allocated session context data structure. However,
"AUTH ANONYMOUS" support should not be enabled as it can make an
SMTP server an open relay.

Timeline
========

  * April 8, 2011: Thomas Jarosch (Intra2net AG) reported the
    problem.

  * April 18, 2011: After completing a detailed analysis of what
    configurations are affected, and after testing solutions for
    Postfix 1.1 ..  2.9, Wietse asked CERT/CC to notify vendors.
    Thank you, CERT/CC.

  * April 20, 2011: Pre-release versions available for Postfix 2.5
    .. 2.8 and patches for Postfix 1.1 .. 2.9.

  * Most vendors honored Wietse's request to avoid non-public
    information in plaintext email headers or content. The exceptions
    were SUSE and Red Hat.  Shame on you, SUSE and Red Hat.

  * May 9, 2011: Announcement and public release of fixes.