FreeBSD : spamdyke -- open relay (555ac165-2bee-11dd-bbdc-00e0815b8da8)

This script is Copyright (C) 2008-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Spamdyke Team reports :

Fixed smtp_filter() to reject the DATA command if no valid recipients
have been specified. Otherwise, a specific scenario could result in
every spamdyke installation being used as an open relay. If the remote
server connects and gives one or more recipients that are rejected
(for relaying or blacklisting), then gives the DATA command, spamdyke
will ignore all other commands, assuming that message data is being
transmitted. However, because all of the recipients were rejected,
qmail will reject the DATA command. From that point on, the remote
server can give as many recipients as it likes and spamdyke will
ignore them all -- they will not be filtered at all. After that, the
remote server can give the DATA command and send the actual message
data. Because spamdyke is controlling relaying, the RELAYCLIENT
environment variable is set and qmail won't check for relaying either.
Thanks to Mirko Buffoni for reporting this one.
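
The state mismatch described in the changelog entry above, as an added Python model (not spamdyke or qmail source code, and not part of the Nessus plugin). The `Backend` and `Filter` classes, the reply strings, the `example.org` policy and the sample session are assumptions made for illustration; `fixed=True` applies the changelog's rule of rejecting DATA when no valid recipient has been given.

```python
# Toy model of the filter/back-end desynchronisation; not spamdyke source code.
LOCAL_DOMAINS = {"example.org"}  # constructed: domains this host accepts mail for
# Constructed session: every recipient is rejected by the filter before the first DATA.
SESSION = ["MAIL FROM:<a@sender.test>", "RCPT TO:<x@elsewhere.test>", "DATA",
           "RCPT TO:<x@elsewhere.test>", "DATA"]

def rcpt_addr(line):
    return line.split(":", 1)[1].strip(" <>")

class Backend:  # stand-in for qmail with RELAYCLIENT set: no relay check of its own
    def __init__(self):
        self.rcpts, self.in_data = [], False

    def command(self, line):
        if line.upper().startswith("RCPT TO:"):
            self.rcpts.append(rcpt_addr(line))
        elif line.upper() == "DATA":
            if not self.rcpts:
                return "503 RCPT first"  # no accepted recipients, DATA refused
            self.in_data = True
            return "354 go ahead"
        return "250 ok"

class Filter:  # stand-in for the filtering proxy in front of the back end
    def __init__(self, backend, fixed):
        self.backend, self.fixed = backend, fixed
        self.valid_rcpts, self.passthrough = 0, False

    def command(self, line):
        if self.passthrough:  # filter believes message data is flowing
            return self.backend.command(line)
        if line.upper().startswith("RCPT TO:"):
            if rcpt_addr(line).rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS:
                return "554 relaying denied"
            self.valid_rcpts += 1
        elif line.upper() == "DATA":
            if self.fixed and self.valid_rcpts == 0:
                return "554 no valid recipients"  # the fix: stay in command mode
            self.passthrough = True  # unfixed: set even when the back end says 503
        return self.backend.command(line)

def run(session, fixed):
    """Return (recipients the back end will deliver to, replies the client saw)."""
    backend = Backend()
    filt = Filter(backend, fixed)
    replies = [filt.command(line) for line in session]
    return (backend.rcpts if backend.in_data else []), replies
```

With `fixed=False` the model ends with the back end holding a recipient the filter never evaluated; with `fixed=True` the same session leaves the back end with no recipients, while a session addressed to a local domain still goes through.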

See also :

http://www.spamdyke.org/documentation/Changelog.txt
http://www.nessus.org/u?5f9b0915

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 32449 (freebsd_pkg_555ac1652bee11ddbbdc00e0815b8da8.nasl)

Bugtraq ID:

CVE ID: CVE-2008-2784
