CVE-2003-0540
Published: 2003-08-27
Priority: P4 · 25 · medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploit: public
EPSS: 21.26% (97.3th percentile)
The address parser code in Postfix 1.1.12 and earlier allows remote attackers to cause a denial of service (lock) via (1) a malformed envelope address to a local host that would generate a bounce and contains the ".!" string in the MAIL FROM or Errors-To headers, which causes nqmgr to lock up, or (2) via a valid MAIL FROM with a RCPT TO containing a ".!" string, which causes an instance of the SMTP listener to lock up.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| conectiva | linux | — | — |
| conectiva | linux | — | — |
| debian | postfix | < postfix 1.1.12 (bookworm) | postfix 1.1.12 (bookworm) |
| postfix | postfix | >= 0 < 1.1.12 | 1.1.12 |
| postfix | postfix | >= 0 < 1.1.12 | 1.1.12 |
| postfix | postfix | >= 0 < 1.1.12 | 1.1.12 |
| postfix | postfix | >= 0 < 1.1.12 | 1.1.12 |
| wietse_venema | postfix | — | — |
| wietse_venema | postfix | — | — |
| wietse_venema | postfix | — | — |
| wietse_venema | postfix | — | — |
| wietse_venema | postfix | — | — |
| wietse_venema | postfix | — | — |
| wietse_venema | postfix | — | — |
Detection & IOCs
- Inspect SMTP MAIL FROM and Errors-To header values for the literal string '.!' — its presence in an envelope address triggers the Postfix address parser lock-up in nqmgr.
- Inspect SMTP RCPT TO values for the literal string '.!' — a valid MAIL FROM paired with a RCPT TO containing '.!' locks up the SMTP listener process.
- Monitor the Postfix queue manager process (nqmgr) for unexpected lock-up or hang state; a locked nqmgr requires manual removal of the offending message from the queue.
- Alert on SMTP sessions to port 25 that send a MAIL FROM containing a bare '.!' token followed by a RCPT TO, as demonstrated by the public PoC exploits targeting Postfix 1.1.12 and earlier.
- Two distinct attack vectors exist: (1) malformed envelope address in MAIL FROM / Errors-To locking nqmgr, and (2) '.!' in RCPT TO locking the SMTP listener — both must be mitigated.
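One way to apply the first two checks to captured SMTP dialogue, as an added example that is not part of the original page or of Postfix: it extracts the address from MAIL FROM, RCPT TO and Errors-To lines and flags those containing '.!', ignoring command parameters and unrelated headers. The transcript, function names and component labels are constructed for illustration.

```python
import re

MARKER = ".!"  # literal string named in the advisory text

# Envelope commands and the Errors-To header, matched case-insensitively.
FIELD_RE = re.compile(r"^\s*(MAIL FROM|RCPT TO|Errors-To)\s*:\s*(.*)$", re.IGNORECASE)

# Component the advisory says each field can lock up (labels are ours).
AFFECTED = {
    "MAIL FROM": "nqmgr",
    "ERRORS-TO": "nqmgr",
    "RCPT TO": "SMTP listener",
}

def extract_address(value):
    """Return the text inside <...> if present, else the first token."""
    m = re.search(r"<([^>]*)>", value)
    if m:
        return m.group(1)
    parts = value.split()
    return parts[0] if parts else ""

def scan_session(lines):
    """Return (line number, field, address, component) for each flagged line."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = FIELD_RE.match(line)
        if not m:
            continue  # not an envelope command or Errors-To header
        field = m.group(1).upper()
        addr = extract_address(m.group(2))
        if MARKER in addr:  # only the address counts, not ESMTP parameters
            findings.append((lineno, field, addr, AFFECTED[field]))
    return findings

# Constructed transcript (client side only), not taken from a real capture.
SAMPLE = [
    "EHLO client.example.net",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob.!@mail.example.org>",
    "DATA",
    "Errors-To: <bounce.!@example.net>",
    "Subject: release notes v1.!",
    "mail from:<carol@example.net> SIZE=1024",
]

if __name__ == "__main__":
    for finding in scan_session(SAMPLE):
        print("line %d: %s address %r may lock %s" % finding)
```
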
CVSS provenance
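| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |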
Red Hat
security flaw
vendor_redhat·2003-08-03·CVSS 5.0
Debian
CVE-2003-0540: postfix - The address parser code in Postfix 1.1.12 and earlier allows remote attackers to...
vendor_debian·2003·CVSS 5.0
Scope: local
bookworm: resolved (fixed in 1.1.12)
bullseye: resolved (fixed in 1.1.12)
forky: resolved (fixed in 1.1.12)
sid: resolved (fixed in 1.1.12)
trixie: resolved (fixed in 1.1.12)
GHSA
GHSA-cgrr-3rc7-3h4r: The address parser code in Postfix 1
ghsa_unreviewed·2022-04-29
OSV
CVE-2003-0540: The address parser code in Postfix 1
osv·2003-08-27·CVSS 5.0
No detection rules found.
Exploit-DB
Postfix 1.1.x - Denial of Service (2)
exploitdb·2003-08-04
---
source: https://www.securityfocus.com/bid/8333/info
Debian has reported two vulnerabilities in the Postfix mail transfer agent. The first vulnerability, CAN-2003-0468, can allow for an adversary to "bounce-scan" a private network. It has also been reported that this vulnerability can be exploited to use the server as a distributed denial of service tool. These attacks are reportedly possible through forcing the server to connect to an arbitrary port on an arbitrary host.
The second vulnerability, CAN-2003-0540, is another denial of service. It can be triggered by a malformed envelope address and can cause the queue manager to lock up until the message is removed manually from the queue. It is also reportedly possible to lock the SMTP listener,
Exploit-DB
Postfix 1.1.x - Denial of Service (1)
exploitdb·2003-08-04
---
// source: https://www.securityfocus.com/bid/8333/info
References
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000717
- http://lists.grok.org.uk/pipermail/full-disclosure/2003-August/007693.html
- http://marc.info/?l=bugtraq&m=106001525130257&w=2
- http://marc.info/?l=bugtraq&m=106029188614704&w=2
- http://secunia.com/advisories/9433
- http://www.debian.org/security/2003/dsa-363
- http://www.kb.cert.org/vuls/id/895508
- http://www.linuxsecurity.com/advisories/engarde_advisory-3517.html
- http://www.mandriva.com/security/advisories?name=MDKSA-2003:081
- http://www.novell.com/linux/security/advisories/2003_033_postfix.html
- http://www.redhat.com/support/errata/RHSA-2003-251.html
- http://www.securityfocus.com/bid/8333
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A544