CVE-2003-0688

Current Description

The DNS map code in Sendmail 8.12.8 and earlier, when using the "enhdnsbl" feature, does not properly initialize certain data structures, which allows remote attackers to cause a denial of service (process crash) via an invalid DNS response that causes Sendmail to free incorrect data.

Basic Data

PublishedOctober 20, 2003
Last ModifiedMay 03, 2018
Assignercve@mitre.org
Data TypeCVE
Data FormatMITRE
Data Version4.0
Problem TypeNVD-CWE-Other
CVE Data Version4.0

Base Metric V2

CVSS 2 - Version2.0
CVSS 2 - Vector StringAV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS 2 - Access VectorNETWORK
CVSS 2 - Access ComplexityLOW
CVSS 2 - AuthenticationNONE
CVSS 2 - Confidentiality ImpactNONE
CVSS 2 - Availability ImpactPARTIAL
CVSS 2 - Base Score5.0
SeverityMEDIUM
Exploitability Score10.0
Impact Score2.9
Obtain All Privilegefalse
Obtain User Privilegefalse
Obtain Other Privilegefalse

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3ApplicationRedhatSendmail8.12.5-7*i386*****
    2.3ApplicationRedhatSendmail8.12.5-7*i386_cf*****
    2.3ApplicationRedhatSendmail8.12.5-7*i386_dev*****
    2.3ApplicationRedhatSendmail8.12.5-7*i386_doc*****
    2.3ApplicationRedhatSendmail8.12.8-4*i386*****
    2.3ApplicationRedhatSendmail8.12.8-4*i386_cf*****
    2.3ApplicationRedhatSendmail8.12.8-4*i386_dev*****
    2.3ApplicationRedhatSendmail8.12.8-4*i386_doc*****
    2.3ApplicationSendmailSendmail8.12.1*******
    2.3ApplicationSendmailSendmail8.12.2*******
    2.3ApplicationSendmailSendmail8.12.3*******
    2.3ApplicationSendmailSendmail8.12.4*******
    2.3ApplicationSendmailSendmail8.12.5*******
    2.3ApplicationSendmailSendmail8.12.6*******
    2.3ApplicationSendmailSendmail8.12.7*******
    2.3ApplicationSendmailSendmail8.12.8*******
    2.3OSSgiIrix6.5.19*******
    2.3OSSgiIrix6.5.20*******
    2.3OSSgiIrix6.5.21*******
  • OR - Configuration 2
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3OSCompaqTru645.0a*******
    2.3OSCompaqTru645.1*******
    2.3OSFreebsdFreebsd4.6*******
    2.3OSFreebsdFreebsd4.7*******
    2.3OSFreebsdFreebsd4.8*******
    2.3OSFreebsdFreebsd5.0*******
    2.3OSOpenbsdOpenbsd3.2*******

Vulnerable Software List

VendorProductVersions
Sendmail Sendmail 8.12.1, 8.12.2, 8.12.3, 8.12.4, 8.12.5, 8.12.6, 8.12.7, 8.12.8
Freebsd Freebsd 4.6, 4.7, 4.8, 5.0
Openbsd Openbsd 3.2
Redhat Sendmail 8.12.5-7, 8.12.8-4
Sgi Irix 6.5.19, 6.5.20, 6.5.21
Compaq Tru64 5.0a, 5.1

References

NameSourceURLTags
20030803-01-Pftp://patches.sgi.com/support/free/security/advisories/20030803-01-PSGI
CLA-2003:727http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000727CONECTIVA
VU#993452http://www.kb.cert.org/vuls/id/993452CERT-VNUS Government Resource
MDKSA-2003:086http://www.mandriva.com/security/advisories?name=MDKSA-2003:086MANDRAKE
SuSE-SA:2003:035http://www.novell.com/linux/security/advisories/2003_035_sendmail.htmlSUSE
RHSA-2003:265http://www.redhat.com/support/errata/RHSA-2003-265.htmlREDHATPatch Vendor Advisory
http://www.sendmail.org/dnsmap1.htmlhttp://www.sendmail.org/dnsmap1.htmlCONFIRM
oval:org.mitre.oval:def:597https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A597OVAL