cbcvebase.
CVE-2003-0540
published 2003-08-27

CVE-2003-0540: The address parser code in Postfix 1.1.12 and earlier allows remote attackers to cause a denial of service (lock) via (1) a malformed envelope address to a…

PriorityP425medium5CVSS 2.0
AVNACLAuNCNINAP
EXPLOIT
EPSS
21.26%
97.3th percentile
The address parser code in Postfix 1.1.12 and earlier allows remote attackers to cause a denial of service (lock) via (1) a malformed envelope address to a local host that would generate a bounce and contains the ".!" string in the MAIL FROM or Errors-To headers, which causes nqmgr to lock up, or (2) via a valid MAIL FROM with a RCPT TO containing a ".!" string, which causes an instance of the SMTP listener to lock up.

Affected

14 ranges
VendorProductVersion rangeFixed in
conectivalinux
conectivalinux
debianpostfix< postfix 1.1.12 (bookworm)postfix 1.1.12 (bookworm)
postfixpostfix>= 0 < 1.1.121.1.12
postfixpostfix>= 0 < 1.1.121.1.12
postfixpostfix>= 0 < 1.1.121.1.12
postfixpostfix>= 0 < 1.1.121.1.12
wietse_venemapostfix
wietse_venemapostfix
wietse_venemapostfix
wietse_venemapostfix
wietse_venemapostfix
wietse_venemapostfix
wietse_venemapostfix

Detection & IOCsextracted from sources · hover to see the quote

commandmail from: <.!foo@bar>
commandrcpt to: <.!foo@bar>
other.!
  • Inspect SMTP MAIL FROM and Errors-To header values for the literal string '.!' — its presence in an envelope address triggers the Postfix address parser lock-up in nqmgr.
  • Inspect SMTP RCPT TO values for the literal string '.!' — a valid MAIL FROM paired with a RCPT TO containing '.!' locks up the SMTP listener process.
  • Monitor the Postfix queue manager process (nqmgr) for unexpected lock-up or hang state; a locked nqmgr requires manual removal of the offending message from the queue.
  • Alert on SMTP sessions to port 25 that send a MAIL FROM containing a bare '.!' token followed by a RCPT TO, as demonstrated by the public PoC exploits targeting Postfix 1.1.12 and earlier.
  • ·Two distinct attack vectors exist: (1) malformed envelope address in MAIL FROM / Errors-To locking nqmgr, and (2) '.!' in RCPT TO locking the SMTP listener — both must be mitigated.

CVSS provenance

nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv5.0MEDIUM
vendor_debian5.0MEDIUM
vendor_redhat5.0MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.