Date: 13 August 1998
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-98.04 AUSCERT Advisory
Sendmail, Inc. Patch for MIME Buffer Overflows
11 August 1998
Last Revised: -- 13 August 1998
- ---------------------------------------------------------------------------
Buffer overflow vulnerabilities in several email clients have recently
been made public. Sendmail, Inc. has produced a patch for version
8.9.1 of sendmail to assist sites in pro-actively defending against
these problems. This is not a sendmail vulnerability.
Sites using sendmail are encouraged to upgrade to version 8.9.1 if
possible and install this patch to add an extra layer of defence.
Sites who choose not to will not increase their security exposure in
this case. (Sites contemplating upgrading from versions prior to
8.9.n should be mindful that there may be other non-security issues
that will need to be addressed. Please consult the documentation for
version 8.9.1.)
- ---------------------------------------------------------------------------
1. Description
Recently the Oulu University Secure Programming Group reported
security vulnerabilities (specifically buffer overflows) in
several MIME compliant email clients. This work triggered
advisories from several response teams, and has led to further
discussion in public mailing lists.
The vendors of sendmail, Sendmail Inc., have produced a patch for
version 8.9.1 of sendmail to further address this problem. The
patch is intended to allow sites using sendmail version 8.9.1
to offer a further layer of protection to their site to protect
mail clients against the problems that have been made public.
Specifically, the patch will truncate long MIME headers before
they arrive in end users' mailboxes based on the setting of a new
option.
The release of this patch should not be construed as an
indication that sendmail is vulnerable to the problems under
discussion. Sendmail Inc. has released the patch as a service
to their user base to assist system administrators in pro-actively
addressing the problem. Sites who choose not to install the
patch at this time will not increase their exposure to the
problem in this case.
2. Impact
This is a pro-active patch release. Sendmail version 8.9.1 is
itself believed to be unaffected by the problems under discussion.
3. Workarounds/Solution
Sites who do not use sendmail do not need to take any steps based
on this advisory.
Sites who do use sendmail only need to install the patch
outlined in this advisory if they wish to add an extra layer of
defence against the buffer overflow problems discussed earlier.
Sites who choose not to install the patch to sendmail will not
increase their exposure in this case.
Sites using sendmail who wish to add an extra layer of protection
against the buffer overflow problems discussed recently should do
the following:
(a) Upgrade to sendmail version 8.9.1. Sites contemplating
upgrading from versions prior to 8.9.n should be mindful that
there may be other non-security issues that will need to be
addressed. Please consult the documentation for version 8.9.1.
(b) Download and apply the patch available from one of the
following blocks of URLs:
http://www.sendmail.com/sendmail.8.9.1a.html
http://www.sendmail.com/sendmail.8.9.1a.patch
http://www.sendmail.com/sendmail.8.9.1a.patch.sig
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.9.1a.patch.README
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.9.1a.patch
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.9.1a.patch.sig
(c) Create a new site.config.m4 file in the BuildTools/Site directory
or append to an existing site.config.m4 file with the
following line:
APPENDDEF(`confENVDEF', `-D_FFR_MAX_MIME_HEADER_LENGTH=1')
The -D flag is necessary to tell sendmail to compile in the
new changes.
(d) Compile sendmail using the following command from inside the src
subtree:
./Build -c
The -c flag is necessary to tell sendmail to recompile the
binary from scratch using the new site.config.m4 file.
If you don't include this flag in the compilation, you will
not get the new feature.
(e) Include the following option in the sendmail configuration
file:
O MaxMimeHeaderLength=256
O MaxMimeHeaderLength=256/128
Note: Only include one of these lines - do not include both.
The numeric arguments may be varied by sites. The values
supplied are recommended values only.
The first argument (in this case 256) is the maximum header
length, and the second (128) is the maximum field length of a
parameter within the header (e.g. filename=foo is a parameter
of the Content-Disposition header). In the first form of the
option where no maximum field length is given, sendmail will
use half of the maximum header length. By default, these
values are 0 meaning no checks are done.
(f) Restart sendmail using the newly compiled code.
Note that the patch is specific to sendmail version 8.9.1 only.
If you are unable to upgrade to this version, do not attempt to
use the patch.
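The following is a model of the MaxMimeHeaderLength policy described in step (e), added here as an illustration; it is not sendmail's own code. The set of headers it treats as MIME headers, and the "name=value" parameter syntax it recognises, are assumptions made for the example.

```python
import re

# Assumption: the headers the limits apply to.  The advisory names
# Content-Disposition; the others are assumed for this model.
MIME_HEADERS = {"content-type", "content-disposition", "content-id",
                "content-description", "content-transfer-encoding"}

# One "name=value" parameter: value is a quoted string or a bare token.
PARAM_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|[^;\s]+)')


def parse_max_mime_header_length(option):
    """Parse the value of 'O MaxMimeHeaderLength=H[/F]' as the advisory
    describes it: H is the maximum header length, F the maximum parameter
    field length, F defaults to H/2, and 0 means no check."""
    head, _, field = option.strip().partition("/")
    max_hdr = int(head)
    max_fld = int(field) if field else max_hdr // 2
    return max_hdr, max_fld


def enforce_mime_header_limits(name, value, max_hdr, max_fld):
    """Return (new_value, actions) for one header.  Parameter values longer
    than max_fld are cut first, then the whole header is cut to max_hdr.
    Non-MIME headers and a limit of 0 leave the value untouched."""
    actions = []
    if name.lower() not in MIME_HEADERS:
        return value, actions

    def clip(m):
        pname, pval = m.group(1), m.group(2)
        quoted = len(pval) >= 2 and pval[0] == '"' and pval[-1] == '"'
        raw = pval[1:-1] if quoted else pval
        if len(raw) <= max_fld:
            return m.group(0)
        actions.append("parameter %s cut %d -> %d" % (pname, len(raw), max_fld))
        raw = raw[:max_fld].rstrip("\\")  # never leave a dangling escape
        return "%s=%s" % (pname, '"%s"' % raw if quoted else raw)

    if max_fld > 0:
        value = PARAM_RE.sub(clip, value)
    if max_hdr > 0 and len(value) > max_hdr:
        actions.append("header %s cut %d -> %d" % (name, len(value), max_hdr))
        value = value[:max_hdr]
    return value, actions
```

The sample headers fed to it below are constructed for the test; the first mirrors the advisory's filename=foo example with an over-long filename.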
4. Further Information
Further information on the buffer overflow problems referred to in
this advisory may be found at the following URLs:
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-98.02.Outlook.buffer.overflow
http://www.cert.org/advisories/CA-98.10.mime_buffer_overflows.html
http://ciac.llnl.gov/ciac/bulletins/i-077a.shtml
http://www.ciac.org/ciac/MIMEfaq.html
http://www.microsoft.com/ie/security/oelong.htm
http://www.netscape.com/products/security/resources/bugs/longfile.html
Sendmail is mirrored at the following URLs:
ftp://ftp.auscert.org.au/pub/mirrors/ftp.sendmail.org/sendmail/
ftp://ftp.cert.dfn.de/pub/tools/net/sendmail/
- ---------------------------------------------------------------------------
AUSCERT thanks Eric Allman and Greg Shapiro of Sendmail, Inc., Marko
Laakso of the University of Oulu, the CERT Coordination Center, and
DFN-CERT for their assistance in the development of the patch and this
advisory.
- ---------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
Prentice Centre
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
13-Aug-98: Added pointer to CERT MIME client advisory.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
-----END PGP SIGNATURE-----