ID CVE-2006-4434
Summary Use-after-free vulnerability in Sendmail before 8.13.8 allows remote attackers to cause a denial of service (crash) via a long "header line", which causes a previously freed variable to be referenced. NOTE: the original developer has disputed the severity of this issue, saying "The only denial of service that is possible here is to fill up the disk with core dumps if the OS actually generates different core dumps (which is unlikely)... the bug is in the shutdown code (finis()) which leads directly to exit(3), i.e., the process would terminate anyway, no mail delivery or reception is affected."
References
Vulnerable Configurations
  • Sendmail Sendmail 4.1
    cpe:2.3:a:sendmail:sendmail:4.1
  • cpe:2.3:a:sendmail:sendmail:4.55
    cpe:2.3:a:sendmail:sendmail:4.55
  • cpe:2.3:a:sendmail:sendmail:5.59
    cpe:2.3:a:sendmail:sendmail:5.59
  • cpe:2.3:a:sendmail:sendmail:5.61
    cpe:2.3:a:sendmail:sendmail:5.61
  • cpe:2.3:a:sendmail:sendmail:5.65
    cpe:2.3:a:sendmail:sendmail:5.65
  • Sendmail Sendmail 8.10
    cpe:2.3:a:sendmail:sendmail:8.10
  • Sendmail Sendmail 8.10.1
    cpe:2.3:a:sendmail:sendmail:8.10.1
  • Sendmail Sendmail 8.10.2
    cpe:2.3:a:sendmail:sendmail:8.10.2
  • Sendmail Sendmail 8.11
    cpe:2.3:a:sendmail:sendmail:8.11.0
  • Sendmail Sendmail 8.11.1
    cpe:2.3:a:sendmail:sendmail:8.11.1
  • Sendmail Sendmail 8.11.2
    cpe:2.3:a:sendmail:sendmail:8.11.2
  • Sendmail Sendmail 8.11.3
    cpe:2.3:a:sendmail:sendmail:8.11.3
  • Sendmail Sendmail 8.11.4
    cpe:2.3:a:sendmail:sendmail:8.11.4
  • Sendmail Sendmail 8.11.5
    cpe:2.3:a:sendmail:sendmail:8.11.5
  • Sendmail Sendmail 8.11.6
    cpe:2.3:a:sendmail:sendmail:8.11.6
  • Sendmail Sendmail 8.11.7
    cpe:2.3:a:sendmail:sendmail:8.11.7
  • Sendmail Sendmail 8.12.0
    cpe:2.3:a:sendmail:sendmail:8.12.0
  • Sendmail Sendmail 8.12.1
    cpe:2.3:a:sendmail:sendmail:8.12.1
  • Sendmail Sendmail 8.12.10
    cpe:2.3:a:sendmail:sendmail:8.12.10
  • Sendmail Sendmail 8.12.11
    cpe:2.3:a:sendmail:sendmail:8.12.11
  • Sendmail Sendmail 8.12.2
    cpe:2.3:a:sendmail:sendmail:8.12.2
  • Sendmail Sendmail 8.12.3
    cpe:2.3:a:sendmail:sendmail:8.12.3
  • Sendmail Sendmail 8.12.4
    cpe:2.3:a:sendmail:sendmail:8.12.4
  • Sendmail Sendmail 8.12.5
    cpe:2.3:a:sendmail:sendmail:8.12.5
  • Sendmail Sendmail 8.12.6
    cpe:2.3:a:sendmail:sendmail:8.12.6
  • Sendmail Sendmail 8.12.7
    cpe:2.3:a:sendmail:sendmail:8.12.7
  • Sendmail Sendmail 8.12.8
    cpe:2.3:a:sendmail:sendmail:8.12.8
  • Sendmail Sendmail 8.12.9
    cpe:2.3:a:sendmail:sendmail:8.12.9
  • Sendmail Sendmail 8.12 Beta10
    cpe:2.3:a:sendmail:sendmail:8.12:beta10
  • Sendmail Sendmail 8.12 Beta12
    cpe:2.3:a:sendmail:sendmail:8.12:beta12
  • Sendmail Sendmail 8.12 Beta16
    cpe:2.3:a:sendmail:sendmail:8.12:beta16
  • Sendmail Sendmail 8.12 Beta5
    cpe:2.3:a:sendmail:sendmail:8.12:beta5
  • Sendmail Sendmail 8.12 beta7
    cpe:2.3:a:sendmail:sendmail:8.12:beta7
  • Sendmail Sendmail 8.13.3
    cpe:2.3:a:sendmail:sendmail:8.13.3
  • Sendmail Sendmail 8.13.4
    cpe:2.3:a:sendmail:sendmail:8.13.4
  • Sendmail Sendmail 8.13.5
    cpe:2.3:a:sendmail:sendmail:8.13.5
  • Sendmail Sendmail 8.13.6
    cpe:2.3:a:sendmail:sendmail:8.13.6
  • Sendmail Sendmail 8.13.7
    cpe:2.3:a:sendmail:sendmail:8.13.7
  • Sendmail Sendmail 8.8.8
    cpe:2.3:a:sendmail:sendmail:8.8.8
  • Sendmail Sendmail 8.9.0
    cpe:2.3:a:sendmail:sendmail:8.9.0
  • Sendmail Sendmail 8.9.1
    cpe:2.3:a:sendmail:sendmail:8.9.1
  • Sendmail Sendmail 8.9.2
    cpe:2.3:a:sendmail:sendmail:8.9.2
  • Sendmail Sendmail 8.9.3
    cpe:2.3:a:sendmail:sendmail:8.9.3
CVSS
Base: 5.0 (as of 30-08-2006 - 08:25)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality NONE
  • Integrity NONE
  • Availability PARTIAL
nessus via4
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_125011.NASL
    description SunOS 5.10: sendmail patch. Date this patch was last updated by Sun : Jan/29/07
    last seen 2018-09-02
    modified 2018-08-13
    plugin id 24380
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24380
    title Solaris 10 (sparc) : 125011-01
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_X86_125012.NASL
    description SunOS 5.10_x86: sendmail patch. Date this patch was last updated by Sun : Jan/29/07
    last seen 2018-09-01
    modified 2018-08-13
    plugin id 24392
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24392
    title Solaris 10 (x86) : 125012-01
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_125011-01.NASL
    description SunOS 5.10: sendmail patch. Date this patch was last updated by Sun : Jan/29/07
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 107413
    published 2018-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107413
    title Solaris 10 (sparc) : 125011-01
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SENDMAIL-2030.NASL
    description Without this update sendmail may crash when finishing a mail due to referencing an already freed variable. (CVE-2006-4434)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29579
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29579
    title SuSE 10 Security Update : sendmail (ZYPP Patch Number 2030)
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_11200.NASL
    description Without this update sendmail may crash when finishing a mail due to referencing an already freed variable. (CVE-2006-4434)
    last seen 2019-02-21
    modified 2012-04-23
    plugin id 41098
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41098
    title SuSE9 Security Update : sendmail (YOU Patch Number 11200)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1164.NASL
    description A programming error has been discovered in sendmail, an alternative mail transport agent for Debian, that could allow a remote attacker to crash the sendmail process by sending a specially crafted email message. Please note that in order to install this update you also need libsasl2 library from proposed updates as outlined in DSA 1155-2.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 22706
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22706
    title Debian DSA-1164-1 : sendmail - programming error
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_X86_114137.NASL
    description SunOS 5.9_x86: sendmail Patch. Date this patch was last updated by Sun : Mar/04/08
    last seen 2018-09-02
    modified 2014-08-30
    plugin id 13592
    published 2004-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13592
    title Solaris 9 (x86) : 114137-10
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SENDMAIL-2027.NASL
    description Without this update sendmail may crash when finishing a mail due to referencing an already freed variable (CVE-2006-4434).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27446
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27446
    title openSUSE 10 Security Update : sendmail (sendmail-2027)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-156.NASL
    description Moritz Jodeit discovered a vulnerability in sendmail when processing very long header lines that could be exploited to cause a Denial of Service by crashing sendmail. The updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 23900
    published 2006-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23900
    title Mandrake Linux Security Advisory : sendmail (MDKSA-2006:156)
  • NASL family SMTP problems
    NASL id SENDMAIL_8_13_8.NASL
    description The remote mail server is running a version of Sendmail earlier than 8.13.8. Such versions are reportedly affected by a use-after-free flaw that may allow an attacker to crash the server.
    last seen 2019-02-21
    modified 2018-09-17
    plugin id 17724
    published 2011-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17724
    title Sendmail < 8.13.8 Header Processing Overflow DoS
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_X86_125012-01.NASL
    description SunOS 5.10_x86: sendmail patch. Date this patch was last updated by Sun : Jan/29/07
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 107916
    published 2018-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107916
    title Solaris 10 (x86) : 125012-01
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_113575.NASL
    description SunOS 5.9: sendmail patch. Date this patch was last updated by Sun : Feb/05/08
    last seen 2018-09-02
    modified 2014-08-30
    plugin id 13541
    published 2004-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13541
    title Solaris 9 (sparc) : 113575-11
refmap via4
bid 19714
confirm http://www.sendmail.org/releases/8.13.8.html
debian DSA-1164
mandriva MDKSA-2006:156
openbsd
  • [3.8] 20060825 010: SECURITY FIX: August 25, 2006
  • [3.9] 20060825 005: SECURITY FIX: August 25, 2006
osvdb 28193
sectrack 1016753
secunia
  • 21637
  • 21641
  • 21696
  • 21700
  • 21749
  • 22369
sunalert 102664
suse SUSE-SR:2006:021
vim 20060829 Sendmail vendor dispute - CVE-2006-4434 (fwd)
vupen
  • ADV-2006-3393
  • ADV-2006-3994
statements via4
contributor Mark J Cox
lastmodified 2006-08-30
organization Red Hat
statement This flaw causes a crash but does not result in a denial of service against Sendmail and is therefore not a security issue.
Last major update 10-03-2011 - 00:00
Published 28-08-2006 - 20:04