CVE-2009-0688
Published 2009-05-15 · CVE-2009-0688: Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service…
Priority P339 · high · 7.5 (CVSS 2.0) · AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS 8.21% (percentile 94.2)
Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c.
Affected
47 ranges · showing 25 (only the first range carries version data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| carnegie_mellon_university | cyrus-sasl | <= 2.1.22 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
GHSA-pjpw-9mvc-5cwc (ghsa_unreviewed · 2022-05-03 · HIGH · CWE-119)
Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c.
OSV
CVE-2009-0688 (osv · 2009-05-15 · CVSS 7.5 · HIGH)
Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c.
Ubuntu
Cyrus SASL vulnerability (vendor_ubuntu · 2009-06-24)
James Ralston discovered that the Cyrus SASL base64 encoding function could be used unsafely. If a remote attacker sent a specially crafted request to a service that used SASL, it could lead to a loss of privacy, or crash the application, resulting in a denial of service.
Instructions: After a standard system upgrade you need to restart services using SASL to effect the necessary changes.
Debian
cyrus-sasl2 (vendor_debian · 2009 · CVSS 7.5 · HIGH)
Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c.
Scope: local
bookworm: resolved (fixed in 2.1.23.dfsg1-1)
bullseye: resolved (fixed in 2.1.23.dfsg1-1)
forky: resolved (fixed in 2.1.23.dfsg1-1)
sid: resolved (fixed in 2.1.23.dfsg1-1)
trixie: resolved (fixed in 2.1.23.dfsg1-1)
Red Hat
cyrus-sasl: sasl_encode64() does not reliably null-terminate its output (vendor_redhat · 2008-05-15 · CVSS 7.5 · HIGH)
Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c.
Statement: The upstream fix for this issue is not backwards compatible and introduces an ABI change not allowed in Red Hat Enterprise Linux. Therefore, there is no plan to address this problem directly in cyrus-sasl packages.
All applications shipped in Red Hat Enterprise Linux and using affected sasl_encode64() function were investigated and patched if their use of the function could have security consequences. See following bug report for further details: https:
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2009-0688 cyrus-imapd uses sasl_encode64() improperly (bugzilla · 2009-06-04 · CVSS 7.5 · HIGH)
An issue was reported in how cyrus-sasl did not reliably terminate its output from the sasl_encode64() function. During an audit of programs that use sasl_encode64(), it was found that cyrus-imapd just allocates a large output buffer without any appropriate checks against the size of the input buffer. The strings in question are not used for anything odd; they are simply copied elsewhere. This means that we are going to see a crash, leaking some memory to the server, or auth failures.
More information on the issue as originally reported against cyrus-sasl (CVE-2009-0688) is available in bug #487251.
Discussion:
This issue has been addressed in following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Via RHSA-2
Bugzilla
sendmail may use sasl_encode64() improperly (bugzilla · 2009-06-04 · CVSS 7.5 · HIGH)
An issue was reported in how cyrus-sasl did not reliably terminate its output from the sasl_encode64() function. During an audit of programs that use sasl_encode64(), it was found that sendmail has some questionable uses in sendmail/usersmtp.c, where it just allocates a large output buffer without any appropriate checks against the size of the input buffer. The strings in question are not used for anything odd; they are simply copied elsewhere. This means that we are going to see a crash, leaking some memory to the server, or auth failures.
More information on the issue as originally reported against cyrus-sasl (CVE-2009-0688) is available in bug #487251.
Discussion:
For the sake of completeness - in sendmail, sasl_encode64() is also used in
Bugzilla
CVE-2009-0688 cyrus-sasl: sasl_encode64() does not reliably null-terminate its output (bugzilla · 2009-02-25 · CVSS 7.5 · HIGH)
Ok, I tracked down the problem with imtest.
The problem is that imtest is calling sasl_encode64() (from cyrus-sasl) to base64-encode the data before sending it to the server, but is telling sasl_encode64() that the buffer size into which it should place the encoded data is 2048 bytes long.
Look at the call to sasl_encode64() in auth_sasl() to see what I mean:
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/cyrus/imtest/imtest.c?rev=HEAD
sasl_encode64() calculates that the encoded data would be greater than 2048 bytes, and returns SASL_BUFOVER.
The solution is to replace "2048" with "(unsigned) sizeof(inbase64)".
However, while investigating this problem I took a close look at sasl_encode64()
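The Red Hat statement and the three Bugzilla reports above describe the same caller-side pattern: a buffer sized by a hard-coded constant (the 2048 in imtest) or by guesswork, no check of the SASL_BUFOVER return, and an assumption that the output is NUL-terminated. The following is an added example, not code from Cyrus SASL, from the Bugzilla reports or from any of the vendors on this page. It does not link against libsasl2: model_encode64() is a hypothetical stand-in with sasl_encode64()'s signature, written to mirror the pre-2.1.23 contract the advisories describe (terminator appended only when a spare byte remains), and the SASL_OK/SASL_BUFOVER values are assumed to match sasl.h. The inputs ("abc", "Hello") are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return codes, assumed to match the values in libsasl2's sasl.h. */
#define SASL_OK       0
#define SASL_BUFOVER (-4)

static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Hypothetical stand-in for sasl_encode64(), same signature, written to mirror the
 * pre-2.1.23 contract the advisories describe: the call fails only when the encoded
 * bytes do not fit, and the NUL is appended only if a spare byte remains. */
int model_encode64(const char *in, unsigned inlen,
                   char *out, unsigned outmax, unsigned *outlen)
{
    const unsigned char *p = (const unsigned char *)in;
    char *o = out;
    unsigned olen = (inlen + 2) / 3 * 4;    /* encoded length without the NUL */
    if (outlen) *outlen = olen;
    if (outmax < olen)                      /* "<": olen == outmax is accepted */
        return SASL_BUFOVER;
    for (; inlen >= 3; inlen -= 3, p += 3, o += 4) {
        o[0] = B64[p[0] >> 2];
        o[1] = B64[((p[0] & 0x03) << 4) | (p[1] >> 4)];
        o[2] = B64[((p[1] & 0x0f) << 2) | (p[2] >> 6)];
        o[3] = B64[p[2] & 0x3f];
    }
    if (inlen) {                            /* one or two trailing bytes */
        o[0] = B64[p[0] >> 2];
        if (inlen == 1) {
            o[1] = B64[(p[0] & 0x03) << 4];
            o[2] = '=';
        } else {
            o[1] = B64[((p[0] & 0x03) << 4) | (p[1] >> 4)];
            o[2] = B64[(p[1] & 0x0f) << 2];
        }
        o[3] = '=';
        o += 4;
    }
    if (olen < outmax)                      /* terminator only when room is left */
        *o = '\0';
    return SASL_OK;
}

/* Bytes a caller must provide for inlen input bytes, NUL included. */
unsigned encode64_bufsize(unsigned inlen)
{
    return (inlen + 2) / 3 * 4 + 1;
}

/* The failure mode: "abc" encodes to exactly 4 bytes, the call succeeds with
 * outmax == 4, and the bytes after the data are untouched, so strlen() runs past
 * the result. Returns 1 when the output came back unterminated. */
int demo_unterminated(void)
{
    char out[8];
    unsigned olen = 0;
    memset(out, 'X', sizeof out);
    out[7] = '\0';
    if (model_encode64("abc", 3, out, 4, &olen) != SASL_OK)
        return 0;
    return olen == 4 && out[4] == 'X' && strlen(out) == 7;
}

/* Hardened caller: size the buffer from the input, not from a hard-coded constant,
 * check the return code, and terminate from outlen instead of trusting the library.
 * Returns a malloc'd NUL-terminated string, or NULL on failure. */
char *encode64_safe(const char *in, unsigned inlen, unsigned *outlen)
{
    unsigned need = encode64_bufsize(inlen);
    unsigned olen = 0;
    char *buf = malloc(need);
    if (!buf) return NULL;
    if (model_encode64(in, inlen, buf, need, &olen) != SASL_OK || olen >= need) {
        free(buf);
        return NULL;
    }
    buf[olen] = '\0';
    if (outlen) *outlen = olen;
    return buf;
}

/* Encode with the safe wrapper and compare against an expected string. */
int encode64_safe_matches(const char *in, unsigned inlen, const char *expected)
{
    unsigned olen = 0;
    char *s = encode64_safe(in, inlen, &olen);
    int ok = s != NULL && olen == strlen(expected) && strcmp(s, expected) == 0;
    free(s);
    return ok;
}

int main(void)
{
    printf("exact-fit call unterminated: %d; safe wrapper ok: %d\n",
           demo_unterminated(), encode64_safe_matches("Hello", 5, "SGVsbG8="));
    return 0;
}
```

The point of encode64_safe() is that it would be correct against either library contract: it never depends on the encoder writing the NUL, it always checks for SASL_BUFOVER, and the buffer size comes from the input length, which is the substitution the imtest report recommends ("2048" replaced by sizeof the real buffer). When auditing a caller of the real sasl_encode64(), look for the same three things: where outmax comes from, whether the return value is checked, and whether the result is later passed to strlen()/strcpy()-style functions.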
References
ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.23.tar.gz
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.html
http://osvdb.org/54514
http://osvdb.org/54515
http://secunia.com/advisories/35094
http://secunia.com/advisories/35097
http://secunia.com/advisories/35102
http://secunia.com/advisories/35206
http://secunia.com/advisories/35239
http://secunia.com/advisories/35321
http://secunia.com/advisories/35416
http://secunia.com/advisories/35497
http://secunia.com/advisories/35746
http://secunia.com/advisories/39428
http://security.gentoo.org/glsa/glsa-200907-09.xml
http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.448834
http://sunsolve.sun.com/search/document.do?assetkey=1-66-259148-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-264248-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-273910-1
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020755.1-1
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021699.1-1
http://support.apple.com/kb/HT4077
http://support.avaya.com/elmodocs2/security/ASA-2009-184.htm
http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0091
http://www.debian.org/security/2009/dsa-1807
http://www.kb.cert.org/vuls/id/238019
http://www.mandriva.com/security/advisories?name=MDVSA-2009:113
http://www.oracle.com/technetwork/topics/security/cpuapr2010-099504.html
http://www.redhat.com/support/errata/RHSA-2009-1116.html
http://www.securityfocus.com/bid/34961
http://www.securitytracker.com/id?1022231
http://www.ubuntu.com/usn/usn-790-1
http://www.us-cert.gov/cas/techalerts/TA10-103B.html
http://www.vupen.com/english/advisories/2009/1313
http://www.vupen.com/english/advisories/2009/2012
https://exchange.xforce.ibmcloud.com/vulnerabilities/50554
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10687
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6136