-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                       AMaViS Security Announcement
===========================================================================

Date:                2007-05-17
affected version(s): amavis, amavisd, amavisd-new, amavis-ng
Vulnerability:       ZOO archive decompression infinite loop DoS
Priority:            urgent
Solution:            update zoo / disable (un)zoo utility
References:          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1669
                     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1673
Author:              Mark Martinec
                     Rainer Link
Advisory ID:         ASA-2007-2
Contact:             security@amavis.org
WWW:                 http://www.amavis.org/security/

- -----------------------------------------------------------------------------

0. Preface

As amavisd-new (http://www.ijs.si/software/amavisd/) is currently the only
maintained AMaViS branch, most of the following refers to amavisd-new.

1. Problem description

A ZOO archive decompression infinite loop DoS has been discovered by
Jean-Sebastien Guay-Leroux.

2. Impact

All branches of AMaViS are able to call an external zoo decoder if it is
available and enabled, including amavisd-new, amavisd-snapshot, amavis-perl
and amavis-ng. When given a specially crafted zoo archive, its decoding can
consume all available CPU resources, bringing mail processing to a
standstill. Whether the impact is temporary or permanent (until operator
intervention) depends on the branch and version of amavis.

Versions of amavisd-new 2.4.1 and older, and the branches amavisd-snapshot,
amavis-perl and amavis-ng, are particularly affected by this vulnerability
as they offer no timing or other protection against a runaway zoo decoder.
The process will eventually reach a virtual memory quota and crash, leaving
the mail in an MTA queue for a later retry. Although mail processing will
automatically resume in another process, repeated attempts at checking the
problematic mail messages will consume most resources, requiring operator
intervention to restore normal mail flow by removing the problem messages
from the MTA queue.
Versions of amavisd-new 2.4.2 and later impose a time limit on external
decoding programs, killing them after about 2/3 of the time set in the
$child_timeout configuration variable, which amounts to about 5 minutes of
elapsed time by default. When decoding times out, the zoo archive is treated
as atomic and normal checks resume, including anti-virus and anti-spam
checks, and the mail eventually passes (or is blocked in case of malware).
The event consumes about 5 minutes of CPU time, so when only an occasional
malicious mail with a zoo archive is received the impact is a temporary
slowdown in mail processing. A dedicated attack can have a more significant
impact on mail processing throughput.

In addition to the zoo archiver, versions of amavisd-new starting with 2.4.2
also support the unzoo dearchiver, although it is affected by the same
vulnerability and, due to some of its other limitations and lack of
maintenance, is not recommended.

The upcoming amavisd-new 2.5.1 will provide additional protection against
runaway external decoding programs by enforcing the $MAXFILES limit already
while checking an archive listing, which will reduce the impact of this
particular zoo vulnerability to a negligible level, although it may not help
with other types of broken behaviour of external decoders.

3. Solution

If the threat is considered to require preventive action, either disable the
use of zoo (or unzoo) by amavis, or fix the archiver.

With amavisd-new, the use of the external zoo or unzoo archivers is disabled
by removing these programs or hiding them from amavisd, and restarting the
amavisd process. Alternatively, removing the zoo entry from the @decoders
list, or keeping the config variable $zoo at undef, also disables its use by
amavisd. Other branches of amavis require reconfiguration and reinstallation
to disable the use of a zoo archiver.

  o zoo-2.10 - CVE-2007-1669:
    A patch for version 2.10 is provided in section VII of the original
    zoo advisory.
  o unzoo.c - CVE-2007-1673:
    This software is not maintained anymore. No patch is provided for this
    software.

4. Acknowledgement

Credits to Jean-Sebastien Guay-Leroux.

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1669
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1673
http://www.guay-leroux.com/projects/zoo-infinite-advisory.txt
http://www.amavis.org/security/

6. Revision history

2007-05-17: initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.9.14 (GNU/Linux)

iD8DBQFGTClOmxoFTBO0QHkRAvvBAKC170upZb3g5ExppU8VVyxRBmbooACgqrhd
t/2f9DeRyc2L425k0uEHs6s=
=MlbI
-----END PGP SIGNATURE-----
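
Added illustration for sections 2 and 3 of the advisory above. The Perl
script below is example code written for this page, not code from the
AMaViS project; it models the three protections the advisory describes: a
decoder whose config variable is left undef is never invoked (section 3),
an external decoder is killed after a wall-clock deadline and the archive
is then treated as atomic (amavisd-new 2.4.2 behaviour), and the archive
listing is abandoned as soon as it exceeds $MAXFILES (the 2.5.1
protection). The variable names mirror amavisd.conf, but the default values
and the zoo -list/-extract flags are assumptions; the runaway decoder and
the endless listing are constructed stand-ins (shell loops), so no zoo
binary is needed to run it.

```perl
#!/usr/bin/perl
# Added illustration, not amavisd-new's own code. Models three defences:
#   (a) a decoder whose config variable is undef is never invoked,
#   (b) an external decoder is killed after a wall-clock deadline and the
#       archive is then treated as atomic,
#   (c) the archive listing is abandoned once it exceeds $MAXFILES.
# Variable names mirror amavisd.conf; default values and the zoo
# command-line flags are assumptions.
use strict;
use warnings;

my $child_timeout = 8 * 60;   # assumed default (seconds); ~2/3 goes to the decoder
my $MAXFILES      = 1500;     # assumed default for the per-message file limit
my $zoo           = undef;    # section 3: keep undef to disable the zoo decoder

# Run @cmd under a deadline. Returns 'ok', 'failed' or 'timeout'; on timeout
# the runaway child is killed so it cannot keep burning CPU.
sub run_with_deadline {
    my ($deadline, @cmd) = @_;
    my $pid = fork();
    die "fork: $!" unless defined $pid;
    if ($pid == 0) { exec @cmd or exit 127; }    # child process
    my $status;
    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $deadline;
        waitpid($pid, 0);
        $status = $?;
        alarm 0;
    };
    if ($@) {
        die $@ unless $@ eq "timeout\n";
        kill 'KILL', $pid;
        waitpid($pid, 0);                        # reap the killed decoder
        return 'timeout';
    }
    return $status == 0 ? 'ok' : 'failed';
}

# Read an archive listing produced by @cmd, one entry per line, and stop as
# soon as more than $MAXFILES entries have been seen. Returns the entry
# count, or -1 when the limit was exceeded (the producer is killed).
sub count_listing {
    my (@cmd) = @_;
    my $pid = open(my $fh, '-|', @cmd) or die "open: $!";
    my $n = 0;
    while (defined(my $line = <$fh>)) {
        if (++$n > $MAXFILES) {
            kill 'KILL', $pid;
            close $fh;
            return -1;
        }
    }
    close $fh;
    return $n;
}

# Decide for one archive whether it gets unpacked or handled as an opaque
# blob, which is what "treated as atomic" means in the advisory.
sub scan_zoo_archive {
    my ($archive) = @_;
    return 'atomic (decoder disabled)' unless defined $zoo;
    my $entries = count_listing($zoo, '-list', $archive);      # flags assumed
    return 'atomic (listing exceeds MAXFILES)' if $entries < 0;
    my $r = run_with_deadline(int($child_timeout * 2 / 3),
                              $zoo, '-extract', $archive);
    return 'atomic (decoder timed out)' if $r eq 'timeout';
    return 'atomic (decoder failed)'    if $r eq 'failed';
    return "unpacked $entries entries";
}

# Demonstration with constructed stand-ins, so no zoo binary is required:
# a "decoder" stuck in a busy loop (killed after 2 s) and a listing that
# never ends, followed by a well-behaved three-entry listing.
print scan_zoo_archive('/tmp/example.zoo'), "\n";
print run_with_deadline(2, 'sh', '-c', 'while :; do :; done'), "\n";
print count_listing('sh', '-c', 'yes entry'), "\n";
print count_listing('sh', '-c', 'printf "a\nb\nc\n"'), "\n";
```

The deadline is the interesting part for this advisory: a decoder that
never terminates cannot be distinguished from a slow one by exit status, so
the only reliable defence short of disabling it is a wall-clock limit plus a
forced kill, after which the archive is passed on to the anti-virus and
anti-spam checks as an opaque attachment rather than holding up the queue.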