MailEnable SMTP HELO denial of service

mailenable-smtp-helo-dos (27387) The risk level is classified as MediumMedium Risk

Description:

MailEnable Enterprise, Professional and Standard editions are vulnerable to a denial of service attack, caused by an unspecified error in the SMTP service. A remote attacker could exploit this vulnerability by sending a specially-crafted HELO command to cause the SMTP service to crash.


Consequences:

Denial of Service

Remedy:

Apply Hotfix ME-10013, available from the MailEnable Web site. See References.

References:

  • Full-Disclosure Mailing List, Wed Jun 28 2006 - 01:37:20 CDT: Mailenable SMTP Service DoS.
  • MailEnable Web site: MailEnable - Hotfix Download Page.
  • BID-18630: MailEnable SMTP HELO Command Remote Denial of Service Vulnerability
  • CVE-2006-3277: The SMTP service of MailEnable Standard 1.92 and earlier, Professional 2.0 and earlier, and Enterprise 2.0 and earlier before the MESMTPC hotfix, allows remote attackers to cause a denial of service (application crash) via a HELO command with a null byte in the argument, possibly triggering a length inconsistency or a missing argument.
  • OSVDB ID: 26791: MailEnable SMTP Service HELO Command Remote DoS
  • SA20790: MailEnable SMTP Service HELO Denial of Service
  • SECTRACK ID: 1016376: MailEnable HELO Command Lets Remote Users Deny Service
  • VUPEN/ADV-2006-2520: MailEnable SMTP HELO Command Handling Remote Denial of Service Vulnerability

Platforms Affected:

  • MailEnable MailEnable Standard
  • MailEnable MailEnable Professional
  • MailEnable MailEnable Enterprise
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2003 Server Web
  • Microsoft Windows 2003 Server Standard
  • Microsoft Windows 2003 Server Enterprise
  • Microsoft Windows NT 4.0 Server

Reported:

Jun 24, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page