Topic: Deeply nested malformed MIME denial of service attack
Class: Remote Denial of Service
Announced: 2006-06-14 09:00 PDT
Revised: 2006-06-16 09:00 PDT
Credits: Frank Sheiness
Affects: Sendmail Switch 3.2.0
Sendmail Switch for Windows 3.1.3 and earlier
Sendmail Switch 3.1.8 and earlier
Intelligent Quarantine 3.0 (includes Switch)
Sendmail Advanced Message Store (SAMS) (includes Switch)
Sendmail Sentrion 1.5.1 and earlier
Mailstream Gatekeeper (includes Sentrion OS)
Mailstream Governor (includes Sentrion OS)
Sendmail Pro all versions
Resolved: Sendmail Switch 3.2.2
Sendmail Switch for Windows 3.1.4
Sendmail Switch 3.1.9
Sendmail Sentrion 1.5.3
For general information regarding Sendmail, Inc. Security
including descriptions of the fields above, other security advisories,
and the following sections, please visit <http://www.sendmail.com/security/>.
Sendmail Switch and the Sendmail Sentrion appliances include the
sendmail MTA which is used to route mail into and out from an
organization using SMTP. The MTA supports MIME 8-bit to 7-bit
conversion when talking to remote MTAs which do not support 8-bit MIME.
This conversion routine is also used to enforce the MaxMimeHeaderLength
option which protects users from buffer overflows in older versions of
mail user agents.
Note that the open source and vendor versions of the sendmail MTA
are also affected but this advisory only covers the commercial
products. For the open source version, please see the open source
URL in the Reference section below. For third party vendor
versions, please contact your vendor.
II. Problem Description
During message delivery, certain deeply nested malformed MIME messages
can cause the MIME 8-bit to 7-bit conversion routine to exhaust the
per-process stack space memory available and cause that process to
abort. Depending on system configuration, this may also cause a core
dump for that process to be written to disk.
To the best of our knowledge, this type of attack is not currently in
use and the problem was found through a report of an isolated and
unintentional incident. That said, the information contained in this
advisory is now generally known and there may be a higher likelihood of
occurrence. Therefore, Sendmail recommends that you take immediate
The process which exits abnormally is not the server process and will
not cause your system to stop accepting connections, but there are two
problems which can occur due to this bug:
1. If your system writes uniquely named core dump files per process,
there is the potential for disk space to be filled with core dumps.
2. A deeply nested malformed MIME message in the queue will cause
runs to abort when trying to process the message. This can prevent
delivery attempts on other queued messages.
If you are unable to immediately install the patch described in
Solution section below or there is not a patch available for your
version, you can protect your system by using one of these workarounds:
1. The Sendmail Consortium is releasing an open source mail filter
for UNIX systems which blocks messages that may trigger this problem.
For more information on this filter, please see the Sendmail
Knowledge Base article referenced below.
2. If your operating system limits stack size, remove that limit
sendmail's startup. This will make the attack more difficult to
accomplish, as it will require a very large message. Also, by
limiting the maximum message size accepted by your server (via the
sendmail MaxMessageSize option), you can eliminate the attack
To remove the stack size limit, use one of the following commands in
your sendmail startup script (by placing the command in the startup
script, only sendmail should be affected):
ulimit -s unlimited (sh, bash, ksh)
limit stacksize unlimited (csh, tcsh, zsh)
For more information on adjusting stack size limits, please see
Sendmail Knowledge Base article referenced below.
3. Configure your MTA to avoid the negative impacts listed above:
a. Turn off core dumps for sendmail using one of the following
commands in your sendmail startup script (by placing the command
in the startup script, only sendmail should be affected):
ulimit -c 0 (sh, bash, ksh)
limit coredumpsize 0 (csh, tcsh, zsh)
For more information on turning off core dumps, please see the
Sendmail Knowledge Base article referenced below.
b. To prevent queued jobs from being ignored, you can either:
* Enable the ForkEachJob option at the cost of lower queue run
performance and potentially a high number of processes (one per
queued item), or
* Set QueueSortOrder to random, which will randomize the order
jobs are processed. Note that with random queue sorting, the
bad message will still be processed and the queue run aborted
every time, but at a different, random spot.
For more information on changing queue run behavior, please see
the Sendmail Knowledge Base article referenced below.
Sendmail, Inc. has released patches for Sendmail Switch versions 3.1
and 3.2, Sendmail Switch for Windows 3.1, and for Sendmail Sentrion
version 1.5. Those patches are available to supported customers on
their download site at:
If you are unable to use the download site or need the Switch 3.1.9
patch, you can also download it from our ftp site at:
Refer to the README included with each patch for
instructions. The available patches are:
MD5 (smswitch-patch-3.1.9-Linux.tar.gz) =
MD5 (smswitch-patch-3.1.9-Solaris8.tar.Z) = a62a0aef50c561e45a5402a0acd3639a
MD5 (smswitch-patch-3.2.2-Linux.tar.gz) = 3df9df0b99ed7dd427d056ed50f73765
MD5 (smswitch-patch-3.2.2-Solaris8.tar.Z) = c65548178fc5eca4fcbe3bc0c28fb3e0
MD5 (smswitch-patch-3.1.4-Windows.zip) = d863292580b89a704b0692a4d8a6e481
MD5 (SentriOS-1.5.3-896-897.tar) = 8950c0bcc6875d085e094be998454fff
Unsupported customers or those running older product versions
employ one of the workarounds listed above.
SA-200605-01 Frequently Asked
Sendmail Knowledge Base Articles
Using malformed MIME workaround filter on Switch or Sentrion
Changing stack size and core dump options on Switch/Sentrion
Limiting maximum message size on Switch or Sentrion
Changing queue run behavior on Switch or Sentrion
Sendmail Open Source Information
VII. Revision Details
2006-06-16 09:00 PDT: Replaced Switch 3.2.1 with Switch 3.2.2 and
Sentrion 1.5.2 with Sentrion 1.5.3 as the
previous patch versions contained a regression
unrelated to the security fix.