MailEnable SMTP HELO denial of service

mailenable-smtp-helo-dos (27387) The risk level is classified as LowLow Risk

Description:

MailEnable Enterprise, Professional and Standard editions are vulnerable to a denial of service attack, caused by an unspecified error in the SMTP service. A remote attacker could exploit this vulnerability by sending a specially-crafted HELO command to cause the SMTP service to crash.

Platforms Affected:

  • MailEnable, MailEnable Enterprise Edition
  • MailEnable, MailEnable Professional Edition
  • MailEnable, MailEnable Standard Edition
  • Microsoft, Windows 2000 Professional
  • Microsoft, Windows 2000 Advanced Server
  • Microsoft, Windows 2003 Server Standard
  • Microsoft, Windows 2003 Server Web
  • Microsoft, Windows 2003 Server Enterprise
  • Microsoft, Windows NT 4.0 Server

Remedy:

Apply Hotfix ME-10013, available from the MailEnable Web site. See References.

Consequences:

Denial of Service

References:

  • Full-Disclosure Mailing List, Wed Jun 28 2006 - 01:37:20 CDT, Mailenable SMTP Service DoS at http://archives.neohapsis.com/archives/fulldisclosure/2006-06/0760.html.
  • MailEnable Web site, MailEnable - Hotfix Download Page at http://www.mailenable.com/hotfix/.
  • BID-18630: MailEnable SMTP HELO Command Remote Denial of Service Vulnerability
  • CVE-2006-3277: The SMTP service of MailEnable Standard 1.92 and earlier, Professional 2.0 and earlier, and Enterprise 2.0 and earlier before the MESMTPC hotfix, allows remote attackers to cause a denial of service (application crash) via a HELO command with a null byte in the argument, possibly triggering a length inconsistency or a missing argument.
  • OSVDB ID: 26791: MailEnable SMTP Service HELO Command Remote DoS
  • SA20790: MailEnable SMTP Service HELO Denial of Service
  • SECTRACK ID: 1016376: MailEnable HELO Command Lets Remote Users Deny Service
  • VUPEN/ADV-2006-2520: MailEnable SMTP HELO Command Handling Remote Denial of Service Vulnerability

Reported:

Jun 24, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page