Date: 04 March 2003
References: ESB-2003.0134 ESB-2003.0135 ESB-2003.0136 ESB-2003.0138 ESB-2003.0139 ESB-2003.0140 ESB-2003.0142 ESB-2003.0143 ESB-2003.0144 ESB-2003.0147 ESB-2003.0148 ESB-2003.0152 ESB-2003.0153 ESB-2003.0158 ESB-2003.0167 ESB-2003.0254 ESB-2003.0355 ESB-2003.0374 ESB-2003.0423 ESB-2003.0505 ESB-2003.0583 ESB-2003.0716
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-2003.01 AUSCERT Advisory
Sendmail Vulnerability
28 February 2003
Last Revised: --
- ---------------------------------------------------------------------------
AusCERT has received information that a vulnerability exists in all
versions of sendmail, an open source SMTP mail server.
This vulnerability may allow remote users to gain root privileges.
Exploit information involving this vulnerability may exist, but is
currently not in the public domain.
AusCERT recommends that sites take the steps outlined in section 3 as soon
as possible.
Updates to this advisory will be released as new information becomes
available.
- ---------------------------------------------------------------------------
1. Description
Sendmail is an open source mail server program used for the routing
and delivery of e-mail messages. It is estimated that 75% of the
Internet's e-mail traffic is handled by sendmail based servers.
A buffer overflow in the header parsing of an e-mail message has been
discovered in the open source and commercial product lines of the
sendmail SMTP mail server. All versions of sendmail prior to 8.12.8
on all platforms are vulnerable.
A carefully designed e-mail message will allow an attacker to execute
arbitrary code on the mail server with the privileges of the sendmail
daemon, typically root.
It is important to note that such a designed message may pass through
non-sendmail based servers unaffected, and will exploit the first
vulnerable sendmail server encountered. This may put a sendmail server
which is internal to an organisation at risk, even if other mail server
software is used at the network border.
Successful exploitation of this vulnerability will not generate any
log entries on the server.
The Sendmail Consortium have released patches for sendmail versions
8.9, 8.10, 8.11, and 8.12. Sendmail based servers prior to 8.9
must first be upgraded in order for the patches to be applicable.
2. Impact
This vulnerability may allow remote users to gain root privileges.
Due to the nature of this vulnerability, firewalls and/or packet
filters are not able to protect vulnerable mail servers.
3. Workarounds/Mitigation
AusCERT recommends that sites prevent the exploitation of the
vulnerability in sendmail by immediately upgrading to version 8.12.8
or applying the patches for 8.9.x, 8.10.x, 8.11.x, and 8.12.x.
Sendmail 8.12.8 and associated patches may be downloaded directly from
the sendmail FTP server at:
ftp.sendmail.org/pub/sendmail
For instructions on applying the patches for specific versions of
sendmail, please see:
http://www.sendmail.org/patchcr.html
While there is no known workaround to this vulnerability, you can help
mitigate the impact until patches can be applied by setting the
RunAsUser option in the sendmail configuration. This also promotes the
best practice of running applications with the least privileges
required whenever possible.
Common protection mechanisms such as the use of non-executable stacks
do not offer any protection from exploitation of this vulnerability.
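The following triage script is an added example, not part of the AusCERT advisory or of sendmail itself. It classifies a sendmail version string by the rules in sections 1 and 3 and reports whether RunAsUser is active in a sendmail.cf file. The function names, the sample version and the "mailnull:mail" account are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not AusCERT's): triage one host against AA-2003.01.

# classify_version VERSION -> fixed | patch-available | upgrade-first | unknown
# Rules from the advisory: releases before 8.12.8 are vulnerable; patches
# exist for 8.9.x-8.12.x; anything older must be upgraded before patching.
# A version string cannot show whether a patch was applied to an old release.
classify_version() {
    ver=${1%%/*}                      # banner form "8.12.7/8.12.7": binary version
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    major=$1; minor=$2; patch=${3:-0}
    patch=${patch%%[!0-9]*}           # drop a vendor suffix such as "p2"
    case "$major" in ''|*[!0-9]*) echo unknown; return 0;; esac
    case "$minor" in ''|*[!0-9]*) echo unknown; return 0;; esac
    n=$(( major * 10000 + minor * 100 + ${patch:-0} ))
    if   [ "$n" -ge 81208 ]; then echo fixed
    elif [ "$n" -ge 80900 ]; then echo patch-available
    else                          echo upgrade-first
    fi
}

# runasuser_status CF_FILE -> unset | root | nonroot:<value>
# Reads the last active "O RunAsUser=" line; "#O RunAsUser=..." is a comment.
runasuser_status() {
    val=$(sed -n 's/^O[[:space:]][[:space:]]*RunAsUser[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" | tail -n 1)
    case "$val" in
        '')                 echo unset ;;
        root|root:*|0|0:*)  echo root ;;
        *)                  echo "nonroot:$val" ;;
    esac
}

# Constructed sample input: one version string and a short sendmail.cf excerpt.
demo() {
    cf=$(mktemp)
    printf '%s\n' '# constructed sample' '#O RunAsUser=sendmail' 'O RunAsUser=mailnull:mail' > "$cf"
    echo "8.11.6 -> $(classify_version 8.11.6); RunAsUser -> $(runasuser_status "$cf")"
    rm -f "$cf"
}
demo
```

Run it against every sendmail host, including internal relays behind a non-sendmail border server, since the advisory notes those remain reachable by a crafted message.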
- ---------------------------------------------------------------------------
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The
appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures. AusCERT takes no responsibility for the consequences of
applying the contents of this document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----