CVE-2019-12420
📋 TL;DR
CVE-2019-12420 is a resource exhaustion vulnerability in Apache SpamAssassin that allows attackers to craft malicious email messages causing excessive CPU and memory consumption. This affects all systems running Apache SpamAssassin before version 3.4.3, potentially leading to denial of service conditions.
💻 Affected Systems
- Apache SpamAssassin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service where the SpamAssassin service becomes unresponsive, causing email processing to halt and potentially affecting dependent systems.
Likely Case
Degraded performance with increased resource consumption leading to slower email processing and potential service instability.
If Mitigated
Minimal impact with proper resource limits and monitoring in place, though some performance degradation may still occur.
🎯 Exploit Status
Exploitation requires sending a specially crafted email message. No public exploit details were released to prevent widespread abuse.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.3
Vendor Advisory: https://lists.apache.org/thread.html/5863d6c42fc9595a29566732f12348cde0ca0e41bda91695c62041de%40%3Cannounce.apache.org%3E
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Stop the SpamAssassin service.
3. Upgrade to version 3.4.3 or later using your package manager or from source.
4. Restart the SpamAssassin service.
5. Verify that the new version is running.
🔧 Temporary Workarounds
Resource Limiting
Implement resource limits on SpamAssassin processes to prevent complete system exhaustion (Linux). Note that ulimit only applies to processes started from the current shell, while the systemctl property applies to the service unit itself:
ulimit -v 1000000
systemctl set-property spamassassin.service MemoryLimit=1G CPUQuota=50%
Rate Limiting
Implement rate limiting on incoming email to reduce the attack surface (Linux, Postfix):
postconf -e 'smtpd_client_connection_rate_limit = 10'
postconf -e 'anvil_rate_time_unit = 60s'
🧯 If You Can't Patch
- Implement strict resource limits on SpamAssassin processes to prevent complete system exhaustion
- Deploy network-level rate limiting and filtering for incoming email to reduce exposure
🔍 How to Verify
Check if Vulnerable:
Check SpamAssassin version: spamassassin -V | grep 'SpamAssassin version'
Check Version:
spamassassin -V | grep 'SpamAssassin version'
Verify Fix Applied:
Verify that the version is 3.4.3 or later. The pattern below matches 3.4.3 exactly; a later fixed release (for example 3.4.4 or 4.0.0) will not match it, so compare the reported number against 3.4.3 when the grep is empty: spamassassin -V | grep 'SpamAssassin version 3.4.3'
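A version check that handles releases later than 3.4.3, as an added example that is not part of the advisory above. It parses the first line of `spamassassin -V` output (assumed to start with "SpamAssassin version X.Y.Z") and compares the number against the fixed release with a natural version sort; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed
# SpamAssassin is at or above the release that fixes CVE-2019-12420.

FIXED_VERSION="3.4.3"

# Extract "X.Y.Z" from the output of `spamassassin -V` passed as $1.
# Assumes the first line reads "SpamAssassin version X.Y.Z".
sa_extract_version() {
    printf '%s\n' "$1" | sed -n 's/^SpamAssassin version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when $1 (a dotted version) is >= FIXED_VERSION, 1 otherwise.
# Uses `sort -V` (GNU coreutils) so that 3.4.10 sorts after 3.4.3.
sa_version_ok() {
    ver="$1"
    [ -n "$ver" ] || return 1
    lowest=$(printf '%s\n%s\n' "$ver" "$FIXED_VERSION" | sort -V | head -n 1)
    # If the fixed version sorts lowest (or equal), the installed one is new enough.
    [ "$lowest" = "$FIXED_VERSION" ]
}

# Run the real binary when it is present and report the result.
sa_check_installed() {
    out=$(spamassassin -V 2>/dev/null) || { echo "spamassassin not found"; return 2; }
    v=$(sa_extract_version "$out")
    if sa_version_ok "$v"; then
        echo "SpamAssassin $v: fixed release for CVE-2019-12420"
    else
        echo "SpamAssassin $v: vulnerable, upgrade to $FIXED_VERSION or later"
        return 1
    fi
}
```

Call sa_check_installed on the host being verified; its exit status (0 fixed, 1 vulnerable, 2 not installed) makes it usable from a fleet inventory script.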
📡 Detection & Monitoring
Log Indicators:
- Unusually high CPU/memory usage in system logs
- SpamAssassin process crashes or restarts
- Increased processing time for email messages
Network Indicators:
- Sudden increase in email traffic to SpamAssassin servers
- Unusual patterns in email message sizes or headers
SIEM Query:
source="spamassassin.log" ("high memory" OR "excessive cpu" OR "process killed" OR "out of memory")
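The "increased processing time" indicator above can be measured directly from spamd's own result lines, which record the scan time of each message. The following is an added example, not part of the advisory: an awk filter that flags scans slower than a threshold, run over constructed sample log lines (no real capture). The threshold, sample lines and function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): flag spamd scans whose wall-clock
# time exceeds a threshold, using the spamd result line format
#   spamd: clean message (0.0/5.0) for user:1000 in 1.2 seconds, 1234 bytes.
# A sudden rise in slow scans is the advisory's "increased processing time"
# indicator for CVE-2019-12420.

SLOW_SECONDS="${SLOW_SECONDS:-10}"

# Constructed sample log lines for this example (not captured from a real host).
SAMPLE_LOG='Dec 12 10:00:01 mx1 spamd[2201]: spamd: clean message (0.3/5.0) for filter:1001 in 0.8 seconds, 2310 bytes.
Dec 12 10:00:04 mx1 spamd[2202]: spamd: identified spam (12.1/5.0) for filter:1001 in 1.4 seconds, 5120 bytes.
Dec 12 10:00:09 mx1 spamd[2203]: spamd: clean message (1.0/5.0) for filter:1001 in 47.9 seconds, 18332 bytes.
Dec 12 10:01:30 mx1 spamd[2204]: spamd: clean message (0.1/5.0) for filter:1001 in 120.2 seconds, 9871 bytes.'

# Read spamd log lines on stdin; print "seconds bytes process" for every
# scan slower than $1 seconds (default SLOW_SECONDS).
slow_scans() {
    threshold="${1:-$SLOW_SECONDS}"
    awk -v t="$threshold" '
        / in [0-9.]+ seconds, [0-9]+ bytes/ {
            # Walk the fields to locate "in <secs> seconds, <n> bytes" robustly.
            for (i = 1; i < NF; i++) {
                if ($i == "in" && $(i+2) ~ /^seconds,?$/) {
                    secs = $(i+1); bytes = $(i+3)
                    if (secs + 0 > t + 0) print secs, bytes, $5
                }
            }
        }'
}

# Count slow scans in the sample log; feed a real log to slow_scans instead,
# e.g. journalctl -u spamassassin | slow_scans 10
count_slow_scans() {
    printf '%s\n' "$SAMPLE_LOG" | slow_scans "$1" | wc -l | tr -d ' '
}
```

Per-minute counts from slow_scans are a better alert source than the free-text "high memory" strings in the SIEM query, because spamd logs a scan time for every message regardless of whether the kernel's OOM killer or a watchdog ever intervenes.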
🔗 References
- http://www.openwall.com/lists/oss-security/2019/12/12/2
- https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7747
- https://lists.apache.org/thread.html/5863d6c42fc9595a29566732f12348cde0ca0e41bda91695c62041de%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/5ef362d6da12126fafc81443309ca95d872d1bfd011fe4b2699f0fe9%40%3Cusers.spamassassin.apache.org%3E
- https://lists.apache.org/thread.html/64cf76749956dd08f7d5b86ec9f3321f382cfd7fe717ccd1be940c92%40%3Cannounce.spamassassin.apache.org%3E
- https://lists.apache.org/thread.html/e3c2367351286b77a74a082e2b66b793cceefa7b6ea9dcd162db4c4b%40%3Cdev.spamassassin.apache.org%3E
- https://lists.apache.org/thread.html/r2578c486552637bfedbe624940cc60d6463bd90044c887bdebb75e74%40%3Cusers.spamassassin.apache.org%3E
- https://lists.apache.org/thread.html/r3d32ebf97b1245b8237763444e911c4595d2ad5e34a1641840d8146f%40%3Cusers.spamassassin.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/12/msg00019.html
- https://seclists.org/bugtraq/2019/Dec/27
- https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
- https://usn.ubuntu.com/4237-1/
- https://usn.ubuntu.com/4237-2/
- https://www.debian.org/security/2019/dsa-4584