AA-2003.01 -- Sendmail Vulnerability
Date: 04 March 2003
References: ESB-2003.0134, ESB-2003.0135, ESB-2003.0136, ESB-2003.0138, ESB-2003.0139, ESB-2003.0140, ESB-2003.0142, ESB-2003.0143, ESB-2003.0144, ESB-2003.0147, ESB-2003.0148, ESB-2003.0152, ESB-2003.0153, ESB-2003.0158, ESB-2003.0167, ESB-2003.0254, ESB-2003.0355, ESB-2003.0374, ESB-2003.0423, ESB-2003.0505, ESB-2003.0583, ESB-2003.0716
===========================================================================
AA-2003.01                     AUSCERT Advisory

                           Sendmail Vulnerability
                              28 February 2003

Last Revised: --

---------------------------------------------------------------------------

AusCERT has received information that a vulnerability exists in all
versions of sendmail, an open source SMTP mail server. This vulnerability
may allow remote users to gain root privileges.

Exploit information involving this vulnerability may exist, but is
currently not in the public domain.

AusCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

Updates to this advisory will be released as new information becomes
available.

---------------------------------------------------------------------------

1. Description

Sendmail is an open source mail server program used for the routing and
delivery of e-mail messages. It is estimated that 75% of the Internet's
e-mail traffic is handled by sendmail based servers.

A buffer overflow in the header parsing of an e-mail message has been
discovered in the open source and commercial product lines of the sendmail
SMTP mail server. All versions of sendmail prior to 8.12.8 on all platforms
are vulnerable.

A carefully designed e-mail message will allow an attacker to execute
arbitrary code on the mail server with the privileges of the sendmail
daemon, typically root.

It is important to note that such a designed message may pass through
non-sendmail based servers unaffected, and will exploit the first
vulnerable sendmail server encountered. This may put a sendmail server
which is internal to an organisation at risk, even if other mail server
software is used at the network border.

Successful exploitation of this vulnerability will not generate any log
entries on the server.

The Sendmail Consortium have released patches for sendmail versions 8.9,
8.10, 8.11, and 8.12. Sendmail based servers prior to 8.9 must first be
upgraded in order for the patches to be applicable.

2. Impact

This vulnerability may allow remote users to gain root privileges.

Due to the nature of this vulnerability, firewalls and/or packet filters
are not able to protect vulnerable mail servers.

3. Workarounds/Mitigation

AusCERT recommends that sites prevent the exploitation of the vulnerability
in sendmail by immediately upgrading to version 8.12.8 or applying the
patches for 8.9.x, 8.10.x, 8.11.x, and 8.12.x.

Sendmail 8.12.8 and associated patches may be downloaded directly from the
sendmail FTP server at:

    ftp.sendmail.org/pub/sendmail

For instructions on applying the patches for specific versions of sendmail,
please see:

    http://www.sendmail.org/patchcr.html

While there is no known workaround to this vulnerability, you can help
mitigate the impact until patches can be applied by setting the RunAsUser
option in the sendmail configuration. This also promotes the best practice
of running applications with the least privileges required whenever
possible.

Common protection mechanisms such as the use of non-executable stacks do
not offer any protection from exploitation of this vulnerability.

---------------------------------------------------------------------------

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The
appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures. AusCERT takes no responsibility for the consequences of
applying the contents of this document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
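The version thresholds in section 1 and the RunAsUser mitigation in section 3, combined into a host triage script. This is an added example, not part of the AusCERT advisory or of sendmail's own tooling; the function names, result labels, the "Version 8.x.y" input format and the mailnull account in the sample are assumptions.

```shell
#!/bin/sh
# Added example: triage one host against AA-2003.01.
# Function names and result labels are hypothetical.

# classify_version STRING -> fixed | patch-or-upgrade | upgrade-first | unknown
# STRING is the version the host reports, e.g. a "Version 8.x.y" line
# (assumed format); the first dotted number found in it is used.
classify_version() {
    printf '%s\n' "$1" | awk '
        match($0, /[0-9]+\.[0-9]+(\.[0-9]+)?/) {
            split(substr($0, RSTART, RLENGTH), p, ".")
            n = p[1] * 10000 + p[2] * 100 + p[3]          # 8.12.8 -> 81208
            if (n >= 81208)      print "fixed"             # 8.12.8 or later
            else if (n >= 80900) print "patch-or-upgrade"  # 8.9.x to 8.12.7
            else                 print "upgrade-first"     # before 8.9: patches do not apply
            found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# run_as_user CF_FILE -> active RunAsUser value, "root", or "unset"
# Active options read "O RunAsUser=value"; a line starting with "#" is ignored.
run_as_user() {
    val=$(sed -n 's/^O[[:space:]]*RunAsUser[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1)
    case $val in
        '')                 echo unset ;;
        root|0|root:*|0:*)  echo root ;;     # set, but no privilege reduction
        *)                  echo "$val" ;;
    esac
}

# triage VERSION_STRING CF_FILE -> "<version class> runas=<value>"
triage() {
    echo "$(classify_version "$1") runas=$(run_as_user "$2")"
}

# Constructed sample input: a sendmail.cf fragment with the commented-out
# option followed by an active setting.
cf=$(mktemp)
printf '%s\n' '#O RunAsUser' 'O RunAsUser=mailnull:mailnull' > "$cf"
triage "Version 8.11.6" "$cf"
rm -f "$cf"
```

A "patch-or-upgrade" result only says the reported version is in the range the patches cover; the version string alone does not show whether a patch has already been applied.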