Summary:

An attacker who can predict when a milter will need to quiesce input to allow for a reload may hold open an SMTP session for several hours. This leads to a DoS condition on the mailserver.

Background:

Sendmail is a popular Mail Transfer Agent (MTA), used at many large sites that require advanced functionality. One feature is that it is extensible through the milter (Mail fILTER) interface. The milter paradigm allows external programs to influence the SMTP session, including rejecting messages based on content.

ClamAV is an open-source antivirus program. Unlike commercial solutions, ClamAV takes advantage of community support to acquire virus samples, and therefore can provide signatures for new threats very quickly. In a typical installation, checks for database updates occur every 15 minutes, making uncaught viruses extremely rare. ClamAV comes with a sendmail plugin, clamav-milter, that allows administrators to reject viruses during the SMTP session.

Discussion:

Some milters require a periodic reload of application data. A simple strategy is to quiesce input (by rejecting connections and waiting for current connections to terminate). Once the connection count drops to zero the reload can take place. Unfortunately, the long default timeouts in sendmail allow a slow sender to keep an SMTP session open for several hours. If the milter is rejecting new connections during this time, the milter on the mailserver is effectively DoSed. Furthermore, if sendmail is configured to require all messages to be scanned by the milter, the DoS may extend to include all mail delivery.

As an example, clamav-milter versions 0.84 through 0.85d force the number of child threads to 0 before reloading the antivirus database. When a database update has been made available, an attacker can initiate an SMTP session with a vulnerable server and simply keep the connection open as long as possible (several hours). The milter will be unable to reload, and (depending on configuration) sendmail may be unable to accept incoming messages. It is therefore possible for an attacker to DoS a mailserver with a single persistent connection.

This issue was fixed in clamav-milter 0.85e, which scans new connections with the new database and keeps the old database until it has finished scanning pre-existing connections. All users of clamav-milter are encouraged to upgrade to clamav-0.86. Those who cannot upgrade soon can mitigate the threat through one or more of the following strategies:

- reduce the sendmail timeouts (reduces the timespan of a potential DoS)
- run clamav-milter in --external mode (eliminates the possibility of a DoS)
- run clmilter_watch after freshclam (recovers from an existing DoS)

Notes:

This threat is not particular to clamav-milter. Any milter that needs to wait for (or force) a quiescent state to reload data files is likely to be vulnerable to a similar attack.

Sources of above-mentioned software:

- Sendmail MTA  : http://www.sendmail.org/
- Clam AntiVirus: http://www.clamav.net/
- clmilter_watch: http://www.itg.uiuc.edu/itg_software/clmilter_watch/

Timeline:

May 25, 2005: clamav-milter author informed of the details of the attack
May 27, 2005: Vulnerability eliminated in CVS (clamav-milter 0.85e)
Jun 14, 2005: Release candidate of patched version (ClamAV 0.86rc1)
Jun 20, 2005: Official release of patched version (ClamAV 0.86)
Jun 23, 2005: Public disclosure

Damian Menscher
Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign
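The reload strategy adopted in clamav-milter 0.85e (scan new connections with the new database, keep the old one alive until pre-existing connections finish) can be expressed as a reference-counted database swap. The following is an added, constructed illustration of that pattern, not the advisory's or ClamAV's code; the type and function names are hypothetical, and it is single-threaded where a real milter would lock the counters.

```c
#include <stdlib.h>

/* Constructed illustration of the 0.85e reload strategy (not ClamAV's
 * code): the signature database is reference-counted, new sessions bind
 * to the current version, and an old version is freed only when its last
 * session ends. Single-threaded; a real milter would lock the counters. */
typedef struct sigdb {
    int version;  /* constructed stand-in for the loaded signature set */
    int refs;     /* current_db pointer + every session still using it */
} sigdb_t;

static sigdb_t *current_db = NULL;  /* the version new sessions will get */
static int live_dbs = 0;            /* how many versions are still loaded */

static void db_release(sigdb_t *db) {
    if (--db->refs == 0) { free(db); live_dbs--; }  /* last user gone */
}

/* Swap in a freshly loaded database without waiting for a quiescent
 * state: in-flight sessions keep the version they started with. */
void db_reload(int new_version) {
    sigdb_t *fresh = calloc(1, sizeof *fresh);
    if (!fresh) abort();
    fresh->version = new_version;
    fresh->refs = 1;                /* the reference held by current_db */
    live_dbs++;
    sigdb_t *old = current_db;
    current_db = fresh;
    if (old) db_release(old);       /* current_db no longer pins the old one */
}

sigdb_t *session_open(void) { current_db->refs++; return current_db; }
void session_close(sigdb_t *db) { db_release(db); }

/* The advisory's scenario: a long-lived session is open when an update
 * arrives. Returns 1 if the reload proceeded at once, the new session got
 * the new version, the old one kept its version and was freed on close. */
int reload_under_slow_session(void) {
    db_reload(1);
    sigdb_t *slow = session_open();   /* session held open for hours */
    db_reload(2);                     /* freshclam delivered an update */
    sigdb_t *next = session_open();   /* new connection: version 2 */
    int ok = slow->version == 1 && next->version == 2 && live_dbs == 2;
    session_close(next);
    session_close(slow);              /* last reference to v1: freed */
    ok = ok && live_dbs == 1 && current_db->version == 2;
    return ok;
}
```

Because the reload never waits for the session count to reach zero, a single persistent connection cannot delay it; the cost is holding at most one extra database in memory until the slow session ends.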