Rapid7 Vulnerability & Exploit Database

RHSA-2011:0423: postfix security update

Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published: 03/16/2011
Created: 07/25/2018
Added: 04/14/2011
Modified: 07/04/2017

Description

Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), and TLS.

It was discovered that Postfix did not flush the received SMTP command buffer after switching to TLS encryption for an SMTP session. A man-in-the-middle attacker could use this flaw to inject SMTP commands into a victim's session during the plaintext phase. Those commands would then be processed by Postfix after TLS encryption is enabled, possibly allowing the attacker to steal the victim's mail or authentication credentials. (CVE-2011-0411)

Red Hat would like to thank the CERT/CC for reporting CVE-2011-0411. The CERT/CC acknowledges Wietse Venema as the original reporter.

Users of Postfix are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the postfix service will be restarted automatically.
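The following is an added example, not Postfix code and not part of the Red Hat or Rapid7 text. It models only the part of an SMTP server that matters here: the input buffer that is read from the socket and parsed line by line. In the vulnerable configuration the buffer survives the STARTTLS handshake, so plaintext bytes that a man-in-the-middle glued onto the victim's STARTTLS segment are executed afterwards as if they had arrived under TLS; in the patched configuration the buffer is discarded at STARTTLS. The hostnames, addresses and traffic are constructed, and `probe_live` assumes a reachable server of the caller's choosing (it is not run offline).

```python
# Added example: toy SMTP server buffer model for CVE-2011-0411, plus the
# STARTTLS+RSET pipelining probe used to detect the flaw on a live server.
import socket
import ssl
from dataclasses import dataclass, field
from typing import List, Tuple

CRLF = b"\r\n"


@dataclass
class SmtpdModel:
    """Only the server state that matters for this flaw."""
    flush_on_starttls: bool                 # True models the patched server
    tls_active: bool = False
    inbuf: bytes = b""                      # read from the socket, not yet parsed
    log: List[Tuple[str, str]] = field(default_factory=list)   # (phase, command)
    replies: List[str] = field(default_factory=list)

    def receive(self, data: bytes) -> None:
        """One read() from the socket; may contain several pipelined lines."""
        self.inbuf += data
        while CRLF in self.inbuf:
            line, _, self.inbuf = self.inbuf.partition(CRLF)
            cmd = line.decode("ascii", "replace").strip()
            verb = cmd.split(" ", 1)[0].upper()
            # The phase the server *believes* the command arrived in.
            self.log.append(("tls" if self.tls_active else "plain", cmd))
            if verb == "STARTTLS":
                if self.tls_active:
                    self.replies.append("554 5.5.1 Error: TLS already active")
                    continue
                self.replies.append("220 2.0.0 Ready to start TLS")
                # The TLS handshake happens here. Whatever is still in inbuf
                # was received in plaintext before the handshake.
                if self.flush_on_starttls:
                    self.inbuf = b""            # the fix: drop unread plaintext
                self.tls_active = True
            elif verb in ("EHLO", "HELO"):
                self.replies.append("250 mx.example.test")
            elif verb in ("MAIL", "RCPT", "RSET", "NOOP"):
                self.replies.append("250 2.0.0 Ok")
            else:
                self.replies.append("502 5.5.2 Error: command not recognized")


def run_attack(flush_on_starttls: bool) -> List[str]:
    """Constructed MITM scenario: attacker appends envelope commands to the
    victim's plaintext STARTTLS segment. Returns the commands the server
    executed while it believed the session was encrypted."""
    server = SmtpdModel(flush_on_starttls=flush_on_starttls)
    server.receive(b"EHLO victim.example.test\r\n"
                   b"STARTTLS\r\n"
                   b"MAIL FROM:<attacker@example.test>\r\n"      # injected
                   b"RCPT TO:<attacker@example.test>\r\n")       # injected
    server.receive(b"RSET\r\n")          # first command the victim sends under TLS
    return [cmd for phase, cmd in server.log if phase == "tls"]


def probe_replies(flush_on_starttls: bool) -> List[str]:
    """The detection probe against the model: STARTTLS and RSET in one write."""
    server = SmtpdModel(flush_on_starttls=flush_on_starttls)
    server.receive(b"STARTTLS\r\nRSET\r\n")
    return server.replies


def probe_live(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Same probe against a real server (assumed reachable; not run offline).
    A vulnerable server answers the pipelined RSET inside the TLS session;
    a patched one discarded it and stays silent. True means "looks vulnerable"."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # testing behaviour, not server identity
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.recv(1024)                                   # 220 greeting
        sock.sendall(b"EHLO probe.example.test\r\n")
        sock.recv(4096)                                   # 250 capability list
        sock.sendall(b"STARTTLS\r\nRSET\r\n")
        if not sock.recv(1024).startswith(b"220"):
            raise RuntimeError("server did not accept STARTTLS")
        with ctx.wrap_socket(sock) as tls:
            try:
                return tls.recv(1024).startswith(b"250")
            except socket.timeout:
                return False


if __name__ == "__main__":
    for flush in (False, True):
        print("patched" if flush else "vulnerable",
              "executed under TLS:", run_attack(flush),
              "probe replies:", probe_replies(flush))
```

Against the vulnerable model, `run_attack(False)` shows the injected MAIL FROM and RCPT TO being executed in the TLS phase ahead of the victim's own first command, which is how a message the victim then submits can be redirected; `run_attack(True)` shows only the victim's RSET. The live probe reads each reply with a single recv for brevity; a multi-line EHLO capability list can arrive in more than one segment, so a production scanner should read until the final `250 ` line. Because Red Hat backports the fix without changing the upstream version number, confirming the patch on a host is done with `rpm -q --changelog postfix | grep CVE-2011-0411` rather than with a version comparison.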

Solution(s)

  • redhat-upgrade-postfix
  • redhat-upgrade-postfix-debuginfo
  • redhat-upgrade-postfix-perl-scripts
