[TriLUG] Dang! Another Sendmail vulnerability

Jon Carnes jonc at nc.rr.com
Sat Mar 29 18:40:30 EST 2003


Time to upgrade *again* (or move to Postfix).

Jon

----- Original Message ----- 
From: "CERT Advisory" <cert-advisory at cert.org>
To: <cert-advisory at cert.org>
Sent: Saturday, March 29, 2003 2:57 PM
Subject: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail


> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> CERT Advisory CA-2003-12 Buffer Overflow in Sendmail
> 
>    Original release date: March 29, 2003
>    Last revised:
>    Source: CERT/CC
> 
>    A complete revision history can be found at the end of this file.
> 
> Systems Affected
> 
>      * Sendmail Pro (all versions)
>      * Sendmail Switch 2.1 prior to 2.1.6
>      * Sendmail Switch 2.2 prior to 2.2.6
>      * Sendmail Switch 3.0 prior to 3.0.4
>      * Sendmail for NT 2.X prior to 2.6.3
>      * Sendmail for NT 3.0 prior to 3.0.4
>      * Systems  running  open-source  sendmail  versions prior to 8.12.9,
>        including UNIX and Linux systems
> 
> Overview
> 
>    There  is a vulnerability in sendmail that can be exploited to cause a
>    denial-of-service  condition  and  could  allow  a  remote attacker to
>    execute  arbitrary  code  with  the privileges of the sendmail daemon,
>    typically root.
> 
> I. Description
> 
>    There  is  a remotely exploitable vulnerability in sendmail that could
>    allow  an  attacker  to  gain control of a vulnerable sendmail server.
>    Address  parsing code in sendmail does not adequately check the length
>    of  email addresses. An email message with a specially crafted address
>    could  trigger  a stack overflow. This vulnerability was discovered by
>    Michal Zalewski.
> 
>    This vulnerability is different than the one described in CA-2003-07.
> 
>    Most  organizations  have  a variety of mail transfer agents (MTAs) at
>    various  locations  within their network, with at least one exposed to
>    the   Internet.   Since   sendmail  is  the  most  popular  MTA,  most
>    medium-sized  to  large  organizations are likely to have at least one
>    vulnerable   sendmail   server.  In  addition,  many  UNIX  and  Linux
>    workstations  provide  a  sendmail  implementation that is enabled and
>    running by default.
> 
>    This    vulnerability    is    message-oriented    as    opposed    to
>    connection-oriented. That means that the vulnerability is triggered by
>    the  contents  of  a  specially-crafted  email  message rather than by
>    lower-level  network  traffic.  This  is important because an MTA that
>    does  not  contain  the  vulnerability will pass the malicious message
>    along  to  other  MTAs  that may be protected at the network level. In
>    other  words, vulnerable sendmail servers on the interior of a network
>    are  still  at risk, even if the site's border MTA uses software other
>    than sendmail. Also, messages capable of exploiting this vulnerability
>    may pass undetected through many common packet filters or firewalls.
> 
>    This   vulnerability  has  been  successfully  exploited  to  cause  a
>    denial-of-service   condition  in  a  laboratory  environment.  It  is
>    possible that this vulnerability could be used to execute code on some
>    vulnerable systems.
> 
>    The CERT/CC is tracking this issue as VU#897604. This reference number
>    corresponds to CVE candidate CAN-2003-0161.
> 
>    For more information, please see
> 
>           http://www.sendmail.org
>           http://www.sendmail.org/8.12.9.html
>           http://www.sendmail.com/security/
> 
>    For  the  latest  information  about this vulnerability, including the
>    most recent vendor information, please see
> 
>           http://www.kb.cert.org/vuls/id/897604
> 
>    This vulnerability is distinct from VU#398025.
> 
> II. Impact
> 
>    Successful   exploitation   of   this   vulnerability   may   cause  a
>    denial-of-service   condition   or  allow  an  attacker  to  gain  the
>    privileges  of  the  sendmail  daemon, typically root. Even vulnerable
>    sendmail  servers  on  the  interior of a given network may be at risk
>    since  the  vulnerability  is triggered by the contents of a malicious
>    email message.
> 
> III. Solution
> 
> Apply a patch from Sendmail, Inc.
> 
>    Sendmail  has produced patches for versions 8.9, 8.10, 8.11, and 8.12.
>    However,  the  vulnerability  also  exists  in earlier versions of the
>    code;  therefore,  site  administrators  using  an earlier version are
>    encouraged  to upgrade to 8.12.9. These patches, and a signature file,
>    are located at
> 
>           ftp://ftp.sendmail.org/pub/sendmail/prescan.tar.gz.uu
>           ftp://ftp.sendmail.org/pub/sendmail/prescan.tar.gz.uu.asc
> 
> Apply a patch from your vendor
> 
>    Many  vendors  include  vulnerable  sendmail  servers as part of their
>    software distributions. We have notified vendors of this vulnerability
>    and  recorded  the  statements  they  provided  in  Appendix A of this
>    advisory.  The  most  recent  vendor  information  can be found in the
>    systems affected section of VU#897604.
> 
> Enable the RunAsUser option
> 
>    There is no known workaround for this vulnerability. Until a patch can
>    be  applied,  you  may  wish to set the RunAsUser option to reduce the
>    impact  of this vulnerability. As a good general practice, the CERT/CC
>    recommends  limiting  the  privileges  of  an  application  or service
>    whenever possible.
> 
> Appendix A. - Vendor Information
> 
>    This  appendix  contains  information  provided  by  vendors  for this
>    advisory.  As  vendors  report new information to the CERT/CC, we will
>    update this section and note the changes in our revision history. If a
>    particular  vendor  is  not  listed  below, we have not received their
>    comments.
> 
> Red Hat Inc.
> 
>    Red  Hat  distributes  sendmail in all Red Hat Linux distributions. We
>    are  currently [Mar29] working on producing errata packages to correct
>    this  issue,  when  complete  these  will  be available along with our
>    advisory  at  the  URL  below.  At  the same time users of the Red Hat
>    Network will be able to update their systems using the 'up2date' tool.
> 
>    Red Hat Linux:
> 
>           http://rhn.redhat.com/errata/RHSA-2003-120.html
> 
>    Red Hat Enterprise Linux:
> 
>           http://rhn.redhat.com/errata/RHSA-2003-121.html
> 
> The Sendmail Consortium
> 
>    The  Sendmail  Consortium  recommends  that  sites  upgrade  to 8.12.9
>    whenever possible. Alternatively, patches are available for 8.9, 8.10,
>    8.11, and 8.12 on http://www.sendmail.org/.
> 
> Sendmail, Inc.
> 
>    All  commercial  releases including Sendmail Switch, Sendmail Advanced
>    Message  Server (which includes the Sendmail Switch MTA), Sendmail for
>    NT,  and Sendmail Pro are affected by this issue. Patch information is
>    available at http://www.sendmail.com/security/.
>      _________________________________________________________________
> 
>    Our  thanks  to  Eric  Allman,  Claus  Assmann, Greg Shapiro, and Dave
>    Anderson  of  Sendmail  for  reporting  this  problem  and  for  their
>    assistance in coordinating the response to this problem. We also thank
>    Michal Zalewski for discovering this vulnerability.
>      _________________________________________________________________
> 
>    Authors: Art Manion and Shawn V. Hernan
>    ______________________________________________________________________
> 
>    This document is available from:
>    http://www.cert.org/advisories/CA-2003-12.html
>    ______________________________________________________________________
> 
> CERT/CC Contact Information
> 
>    Email: cert at cert.org
>           Phone: +1 412-268-7090 (24-hour hotline)
>           Fax: +1 412-268-6989
>           Postal address:
>           CERT Coordination Center
>           Software Engineering Institute
>           Carnegie Mellon University
>           Pittsburgh PA 15213-3890
>           U.S.A.
> 
>    CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
>    EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
>    during other hours, on U.S. holidays, and on weekends.
> 
> Using encryption
> 
>    We  strongly  urge you to encrypt sensitive information sent by email.
>    Our public PGP key is available from
>    http://www.cert.org/CERT_PGP.key
> 
>    If  you  prefer  to  use  DES,  please  call the CERT hotline for more
>    information.
> 
> Getting security information
> 
>    CERT  publications  and  other security information are available from
>    our web site
>    http://www.cert.org/
> 
>    To  subscribe  to  the CERT mailing list for advisories and bulletins,
>    send  email  to majordomo at cert.org. Please include in the body of your
>    message
> 
>    subscribe cert-advisory
> 
>    *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
>    Patent and Trademark Office.
>    ______________________________________________________________________
> 
>    NO WARRANTY
>    Any  material furnished by Carnegie Mellon University and the Software
>    Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
>    Mellon University makes no warranties of any kind, either expressed or
>    implied  as  to  any matter including, but not limited to, warranty of
>    fitness  for  a  particular purpose or merchantability, exclusivity or
>    results  obtained from use of the material. Carnegie Mellon University
>    does  not  make  any warranty of any kind with respect to freedom from
>    patent, trademark, or copyright infringement.
>      _________________________________________________________________
> 
>    Conditions for use, disclaimers, and sponsorship information
> 
>    Copyright 2003 Carnegie Mellon University.
>    Revision History
> 
>    March 29,2003: Initial release
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
> 
> iQCVAwUBPoX5XGjtSoHZUTs5AQHvjgQAqTy3GQnszPHtUnUBX7VDM4NKSesFHHvC
> 2JmDAMPYmCO2b32xvWDmMcWdPhOBmJLB2o6zv7mRWX1K0B1GN5TBErIii6dxTaDD
> OAUNjirMGdTr+WnxIjdk0gj57JbOU6ZdHHcAijG5SE/dZq4sMrOCGEAMJTVNDzYp
> BtHbFwDeLEY=
> =dgBI
> -----END PGP SIGNATURE-----



More information about the TriLUG mailing list