Sendmail is a heavily used Mail Transfer Agent (MTA), assumed to handle about 50% to 75% of all Internet mail traffic.
A vulnerability found in this product allows a remote user to gain complete control of the attacked system, without requiring prior knowledge of that system's configuration or being actively connected to it.
Even systems protected by a firewall or packet filtering are not immune, as the attack is performed by sending a mail message.
Credit:
For more information, see:
ISS Advisory
Sendmail Security Alert
see also:
CVE List Candidate
and:
Sendmail Press Release
CERT Advisory
Information was provided by ISS X-force.
Vulnerable versions:
* Sendmail Versions 5.1 to 8.12.7
* Sendmail Switch Versions 2.2.x prior to 2.2.5 and 3.0.x prior to 3.0.3
* Sendmail Advanced Message Server (which includes the Sendmail Switch MTA)
* Sendmail for NT 2.6.x prior to 2.6.2 or 3.x prior to 3.0.3
* Sendmail Switch for HP-UX Versions 2.1.x prior to 2.1.5
* Sendmail Pro
* Any program using the open source code of Sendmail.
For a complete list of vulnerable systems, see:
http://www.kb.cert.org/vuls/id/398025#systems
Immune Versions:
* Sendmail Versions 8.12.8 and above.
* Sendmail Switch Versions 2.2.5 or 3.0.3 and above
* Sendmail for NT Versions 2.6.2 or 3.0.3 and above
* Sendmail for HP-UX Versions 2.1.5 and above
Almost every organization uses a Mail Transfer Agent to send and receive mail across the net. Sendmail is the most prominent of these MTAs and is usually installed and enabled by default on almost every Unix and Linux system, which makes this a very serious threat.
The attack is performed by an email message and occurs when the Sendmail server tries to parse the SMTP header of an incoming mail message.
The server will try to parse addresses and see if these are valid addresses using the crackaddr() function, which is located in the headers.c file (a part of Sendmail's source code).
The server uses a buffer to record all values and applies various security checks to ensure that all characters are legal.
Once the buffer is filled to a certain level, the program stops writing further characters to it.
One of these security checks, however, is flawed and allows a buffer overflow.
Disabling stack execution will not prevent this attack.
Notes:
In case of an unsuccessful attack on an immune system the following message will be seen:
Dropped invalid comments from header address
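The message above gives defenders something to search for on patched servers. The following is an added example, not part of the original advisory or of Sendmail: it scans mail logs for that message and joins each hit with the sending relay recorded for the same queue ID. The syslog line layout, the `from=`/`relay=` fields, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re

# Message text quoted in the advisory (logged by a patched sendmail).
MARKER = "Dropped invalid comments from header address"

# Assumed syslog layout: "<timestamp> <host> sendmail[<pid>]: <queue-id>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?:sendmail|sm-mta)\[\d+\]:\s(?P<qid>\w+):\s(?P<text>.*)$"
)
RELAY_RE = re.compile(r"\brelay=(?P<relay>[^,]+)")

# Constructed sample log lines (documentation addresses, not from a real system).
SAMPLE_LOG = """\
Mar  4 10:15:02 mx1 sendmail[2101]: h24AF2x1002101: from=<alice@example.org>, size=812, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]
Mar  4 10:15:02 mx1 sendmail[2101]: h24AF2x1002101: to=<bob@example.com>, delay=00:00:00, mailer=local, stat=Sent
Mar  4 10:17:40 mx1 sendmail[2188]: h24AHex1002188: Dropped invalid comments from header address
Mar  4 10:17:40 mx1 sendmail[2188]: h24AHex1002188: from=<x@example.net>, size=4096, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[198.51.100.23]
Mar  4 10:21:11 mx1 sendmail[2240]: h24ALBx1002240: Dropped invalid comments from header address
"""


def find_dropped_comment_events(log_text):
    """Return one record per queue ID that logged MARKER, joined with the
    sending relay from that message's from= line when one was logged."""
    events, relays = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a sendmail queue-ID line in the assumed layout
        qid, text = m["qid"], m["text"]
        if text.startswith(MARKER):
            events.setdefault(qid, {"queue_id": qid, "timestamp": m["ts"],
                                    "host": m["host"], "relay": None})
        elif text.startswith("from="):
            r = RELAY_RE.search(text)
            if r:
                relays[qid] = r["relay"].strip()
    # The from= line can precede or follow the alert, so join after the scan.
    for qid, event in events.items():
        event["relay"] = relays.get(qid)
    return list(events.values())


if __name__ == "__main__":
    for e in find_dropped_comment_events(SAMPLE_LOG):
        print(f'{e["timestamp"]} {e["host"]} {e["queue_id"]} relay={e["relay"]}')
```

A hit with no relay means the connection ended before a `from=` line was logged for that queue ID; the timestamp and host still identify where to look.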
Solution:
Download the latest version of Sendmail: http://www.sendmail.org/8.12.8.html
Download a patch: For 8.* Versions
For commercial versions see: Patch Page