Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:238019
HistoryMay 14, 2009 - 12:00 a.m.

Cyrus SASL library buffer overflow vulnerability

2009-05-1400:00:00
www.kb.cert.org
22

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.407 Medium

EPSS

Percentile

97.3%

JSON

Overview

The Cyrus SASL library contains a buffer overflow vulnerability that could allow an attacker to execute code or cause a vulnerable program to crash.

Description

SASL (Simple Authentication and Security Layer) is a method for adding authentication support to various protocols. SASL is commonly used by mail servers to request authentication from clients and by clients to authenticate to servers.

The sasl_encode64() function converts a string into base64. The Cyrus SASL library contains buffer overflows that occur because of unsafe use of the sasl_encode64() function.

Impact

A remote attacker might be able to execute code, or cause any programs relying on SASL to crash or be unavailable.

Solution

Upgrade
Cyrus SASL 2.1.23 has been released to address this issue. Before releasing fixed binaries, maintainers are encouraged to review the Cyrus vendor statement associated with this note.

Vendor Information

238019

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Apple Inc. Affected

Updated: August 26, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cyrus-IMAP __ Affected

Updated: May 13, 2009

Statement Date: May 12, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

While this patch will fix currently vulnerable code, it can cause non-vulnerable existing code to break. Here’s a function prototype from include/saslutil.h to clarify my explanation:

/* base64 encode

  • in – input data
  • inlen – input data length
  • out – output buffer (will be NUL terminated)
  • outmax – max size of output buffer
  • result:
  • outlen – gets actual length of output buffer (optional)
  • Returns SASL_OK on success, SASL_BUFOVER if result won’t fit
    */
    LIBSASL_API int sasl_encode64(const char *in, unsigned inlen,
    char *out, unsigned outmax,
    unsigned *outlen);

Assume a scenario where calling code has been written in such a way that it calculates the exact size required for base64 encoding in advance, then allocates a buffer of that exact size, passing a pointer to the
buffer into sasl_encode64() as *out. As long as this code does not anticipate that the buffer is NUL-terminated (does not call any string-handling functions like strlen(), for example) the code will work and it will not be vulnerable.

Once this patch is applied, that same code will break because sasl_encode64() will begin to return SASL_BUFOVER.

Gentoo Linux Affected

Notified: April 28, 2009 Updated: May 20, 2009

Statement Date: May 20, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

Red Hat, Inc. Affected

Notified: April 28, 2009 Updated: May 14, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc. Affected

Notified: April 28, 2009 Updated: May 14, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group Affected

Notified: April 28, 2009 Updated: May 15, 2009

Statement Date: May 15, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SafeNet Not Affected

Notified: May 13, 2009 Updated: June 15, 2009

Statement Date: June 09, 2009

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva Inc. Unknown

Notified: April 28, 2009 Updated: April 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cray Inc. Unknown

Notified: April 28, 2009 Updated: April 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux Unknown

Notified: April 28, 2009 Updated: April 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified: April 28, 2009 Updated: April 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project Unknown

Notified: April 28, 2009 Updated: April 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified: April 28, 2009 Updated: April 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified: April 28, 2009 Updated: April 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer Unknown

Notified: April 28, 2009 Updated: April 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ingrian Networks, Inc. Unknown

Notified: April 28, 2009 Updated: April 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc. Unknown

Notified: May 18, 2009 Updated: May 18, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva S. A. Unknown

Notified: April 28, 2009 Updated: April 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified: April 28, 2009 Updated: April 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc. Unknown

Notified: April 28, 2009 Updated: April 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux Unknown

Notified: April 28, 2009 Updated: April 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux Unknown

Notified: April 28, 2009 Updated: April 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc. Unknown

Notified: April 28, 2009 Updated: April 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux Unknown

Notified: April 28, 2009 Updated: April 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu Unknown

Notified: April 28, 2009 Updated: April 28, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 25 vendors __View less vendors __

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to James Ralston for reporting this issue and providing technical information.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2009-0688
Severity Metric: 4.04 Date Public:

Related

openvas 38
nessus 26
prion 1
oraclelinux 1
gentoo 1
f5 2
debian 1
centos 1
freebsd 1
slackware 1
redhat 1
veracode 1
ubuntucve 1
ubuntu 1
cve 1
debiancve 1
oracle 1
securityvulns 1
threatpost 1
openvas
openvas
SLES11: Security update for cyrus-sasl
2009-10-11 00:00:00
Solaris Update for libsasl.so.1 141930-01
2009-10-13 00:00:00
Cyrus SASL Remote Buffer Overflow Vulnerability
2009-05-28 00:00:00
nessus
nessus
Solaris 5.10 (x86) : 119346-07
2007-06-08 00:00:00
Solaris 10 (x86) : 141931-01
2018-03-12 00:00:00
GLSA-200907-09 : Cyrus-SASL: Execution of arbitrary code
2009-07-13 00:00:00
prion
prion
Buffer overflow
2009-05-15 15:30:00
oraclelinux
oraclelinux
cyrus-imapd security update
2009-06-18 00:00:00
gentoo
gentoo
Cyrus-SASL: Execution of arbitrary code
2009-07-12 00:00:00
f5
f5
SOL15652 - SASL vulnerability CVE-2009-0688
2014-10-02 00:00:00
K15652 : SASL vulnerability CVE-2009-0688
2014-10-02 00:00:00
debian
debian
[SECURITY] [DSA 1807-1] New cyrus-sasl2/cyrus-sasl2-heimdal packages fix arbitrary code execution
2009-06-01 12:44:20
centos
centos
cyrus security update
2009-06-19 09:47:45
freebsd
freebsd
cyrus-sasl -- buffer overflow vulnerability
2009-04-08 00:00:00
slackware
slackware
cyrus-sasl
2009-05-14 17:07:08
redhat
redhat
(RHSA-2009:1116) Important: cyrus-imapd security update
2009-06-18 00:00:00
veracode
veracode
Privilege Escalation
2020-04-10 00:34:33
ubuntucve
ubuntucve
CVE-2009-0688
2009-05-15 00:00:00
ubuntu
ubuntu
Cyrus SASL vulnerability
2009-06-24 00:00:00
cve
cve
CVE-2009-0688
2009-05-15 15:30:00
debiancve
debiancve
CVE-2009-0688
2009-05-15 15:30:00
oracle
oracle
Security | Oracle Critical Patch Update - April 2010
2010-04-13 00:00:00
securityvulns
securityvulns
Oracle / Sun applications multiple security ulnerabilities
2010-04-17 00:00:00
threatpost
threatpost
Apple Mega Patch Covers 88 Mac OS X Vulnerabilities
2010-03-29 17:15:44

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.407 Medium

EPSS

Percentile

97.3%

JSON
Related for VU:238019
openvas38nessus26prion1oraclelinux1gentoo1f52debian1centos1freebsd1slackware1redhat1veracode1ubuntucve1ubuntu1cve1debiancve1oracle1securityvulns1threatpost1