===========================================================================
AMaViS Security Announcement

Date:                 2004-01-19
Affected version(s):  amavis-0.2.x, amavis-0.3.x,
                      amavisd (all versions) below amavisd-new-20021116
                      (please see further on for details)
                      amavis-ng may not be affected (see further on for
                      details)
Vulnerability Type:   specially crafted compressed file(s) may cause heavy
                      server load or even DoS
Priority:             urgent
Solution:             amavis-0.2.x, amavis-0.3.x, amavisd: still pending
                      amavisd-new: use limit settings
                      amavis-ng: use limit settings
Author:               Rainer Link, Mark Martinec, Hilko Bengen
Advisory ID:          ASA-2004-1
Contact:              security@amavis.org
----------------------------------------------------------------------------

1. Problem description

Specially crafted (small) compressed files may grow very large during
decompression, e.g. the so-called bzip2 bomb as shown by Dr. Peter Bieringer
and others. This may eat up all available disk space and lead to a
denial-of-service (DoS) of the mail service. Targets of a mail bomb are
content-checking mailers and virus scanners, not end users directly. This kind
of attack is similar to the so-called 42.zip problem, but the details differ.

2. Impact

Heavy server load or resource (CPU, disk) usage; possible DoS of the mail
service.

3. Solution

* amavis 0.2.x:
* amavis 0.3.x:
* amavisd:
  Neither a solution nor a workaround is currently known.

* amavis-ng:
  AMaViS-ng counts files and bytes as it writes them out. It aborts if the
  configured limits are reached. For details see the settings in the
  [security] section of amavis.conf, esp. the maxspace setting. By default,
  the limits are set to 20 levels of extraction depth, 1000 files and 30 MByte
  of storage. These values are checked by every decompressor.
* amavisd-new:
  The following applies to amavisd-new-20021116 and later (refined in detail
  with amavisd-new-20030616): amavisd-new provides protection against several
  forms of mail bombs, including the 42.zip and bzip2 bombs. The following
  list describes the protection mechanism for each type of supported archive
  or compression method:

  * .Z (compress), .gz (gzip), .bz and .bz2 (bzip2), .arc (arc, nomarch),
    .zoo (zoo), .F (freeze), .lzo (lzop), .lha: not vulnerable. Reads on a
    pipe from the external program are terminated if the allowed size is
    exceeded;
  * .zip and .gz (Compress::Zlib fallback in the absence of an external
    program): not vulnerable. Archive::Zip::readChunk as well as
    Compress::Zlib::gzread read chunk by chunk until the allowed size is
    exceeded, then further reading is aborted;
  * .rar (rar or unrar): the sum of the original archive member sizes is
    compared to the allowed size; extraction is not performed if the allowed
    size would be exceeded;
  * .arj (arj or unarj): a patch is available to provide the same protection
    mechanism as with rar archives, and will be incorporated in
    amavisd-new-20030616-p8. The program arj is recommended over unarj as it
    provides a substantially richer set of options and is likely to provide
    better protection against malicious archive contents;
  * tar, cpio, rpm, tnef, uuencode, xxencode, BinHex, MIME (Base64, QP):
    these formats do not provide substantial compression and are not a
    vector in mail bomb DoS attacks.

  The parameters of the allowed-size calculation are described in
  'Section VI - Resource limits' in amavisd.conf. The default values rarely
  need modification.

  When the allowed size is exceeded, the following occurs: virus scanning is
  bypassed, and a header field X-Amavis-Hold is inserted, e.g.:

    X-Amavis-Hold: Exceeded storage quota 473500 bytes by run_command_copy;
                   last chunk 16384 bytes

  Temporary files are preserved to enable their later examination, and the
  mail is passed.
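As an added illustration (not part of this advisory and not amavisd-new's own Perl code), the following Python models the two protection mechanisms listed above: a chunk-by-chunk bounded read that aborts as soon as the allowed size is exceeded, and the rar/arj-style pre-check that sums the declared member sizes before extracting anything. The bzip2 and zip inputs are constructed inside the block; the allowed size 473500 and the chunk size 16384 are taken from the header example above.

```python
import bz2
import io
import zipfile

# Constructed samples (not from the advisory): a few dozen bytes of bzip2 that
# expand to 4 MiB of zeros, and a zip whose single member inflates to 1 MiB.
BOMB_BZ2 = bz2.compress(b"\0" * (4 * 1024 * 1024))
_zbuf = io.BytesIO()
with zipfile.ZipFile(_zbuf, "w", zipfile.ZIP_DEFLATED) as _zf:
    _zf.writestr("zeros.bin", b"\0" * (1024 * 1024))
BOMB_ZIP = _zbuf.getvalue()


class StorageQuotaExceeded(Exception):
    """Raised as soon as decompressed output would exceed the allowed size."""


def bounded_decompress(data, allowed_size, chunk=16384):
    """Decompress a bzip2 stream chunk by chunk, in the spirit of the bounded
    reads amavisd-new performs on pipes and via Compress::Zlib/Archive::Zip.
    Never more than allowed_size bytes of output are materialised."""
    dec = bz2.BZ2Decompressor()
    src = io.BytesIO(data)
    out = bytearray()
    while not dec.eof:
        # Only pull more compressed input when the decompressor has drained
        # its internal buffer; otherwise keep emitting from what it holds.
        piece = src.read(chunk) if dec.needs_input else b""
        if dec.needs_input and not piece:
            raise ValueError("truncated bzip2 stream")
        produced = dec.decompress(piece, max_length=chunk)
        if len(out) + len(produced) > allowed_size:
            # Same wording as the X-Amavis-Hold header field in the advisory.
            raise StorageQuotaExceeded(
                f"Exceeded storage quota {allowed_size} bytes; "
                f"last chunk {len(produced)} bytes")
        out += produced
    return bytes(out)


def zip_would_exceed(data, allowed_size):
    """Pre-check in the style used for rar/arj: sum the declared member sizes
    and refuse extraction if they exceed the quota. The declared sizes come
    from the archive itself, so a bounded read remains the backstop."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sum(info.file_size for info in zf.infolist()) > allowed_size
```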
  Depending on the MTA configuration (header filter), the mail may be placed
  on hold, discarded, rejected, or just passed. Depending on the policy, it
  may be prudent to configure the MTA to hold or reject such messages. See
  README.postfix, search for 'hold'.

  As general advice against mail bomb DoS attacks, it is recommended that the
  temporary working area ($TEMPBASE) is located on a disk partition of a
  comfortable but not unnecessarily large size. This working area may reside
  on a temporary file system. Due to the design of the system no mail loss can
  occur even if this file system is lost.

  For further security considerations regarding amavisd-new, please see:
  http://www.ijs.si/software/amavisd/#sec

  In particular: if there are any security vulnerabilities in any of the
  external programs and Perl modules, they may be triggered when message
  decoding or checking is attempted. The extent of damage is limited to the
  user under which the amavisd process is running (not root), and may be
  further reduced by running amavisd-new in a chroot jail.

4. Acknowledgment

We would like to thank Dr. Peter Bieringer for bringing this issue to our
attention.

5. References

http://www.aerasec.de/security/advisories/bzip2bomb-antivirusengines.html
http://marc.theaimsgroup.com/?l=full-disclosure&m=107367239906967&w=2
http://lists.netsys.com/pipermail/full-disclosure/2003-August/009255.html
http://www.amavis.org/security/

6. Revision History

2004-01-19: Initial release