Australia's Leading Computer Emergency Response Team

Media release - Serious sendmail vulnerability
Date: 05 March 2003
Original URL: http://www.auscert.org.au/render.html?cid=1926&it=2825

AusCERT, Australia’s national CERT, today warned that it was likely automated attack tools will be developed to exploit a serious software bug found in the Sendmail program, which could pose a serious security threat to many medium to large networks on the Internet.

"Less than 24 hours after news of this vulnerability was made public, analysts have tested and made public reports about how to exploit the vulnerability to a limited degree", according to Robert Mead, AusCERT's coordination centre manager.

"At this rate it is likely a more sophisticated tool will be developed to allow less skilled attackers to attack vulnerable corporate and government networks, he said.

"AusCERT has received some as yet unconfirmed reports of attempts to exploit the vulnerability by networks in the region.

The bug is in the Sendmail program which is a widely used open source electronic mail application, available as freeware and vendor supported versions. Sendmail distributes email to and from network hosts and is available for both Unix and Windows platforms.

"Because Sendmail source code is open source, it is relatively easy for a determined and skilled attacker to compare the code before and after the patch is applied to identify the specific nature of the vulnerability.

Mead said that this vulnerability was more serious than most other software vulnerabilities which also allow attackers to gain remote privileged access to vulnerable network machines.

“This vulnerability is particularly interesting because it has the magic combination of impacting a service that is in wide spread business use, publicly accessible and deemed an essential service resulting in the ability to control aspects of the computer’s functionality,” he said.

“Once a Sendmail server is compromised, it may allow an attacker to execute commands potentially giving the attacker access to other parts of the network to the level permitted by the Sendmail server.

For an organisation to be protected from external remote attack they need to have a patched version of Sendmail at their network perimeter or ensure perimeter mail servers that are not vulnerable (e.g. other than Sendmail) will not pass harmful email messages. For an organisation to be properly protected they need to ensure all Sendmail servers in their network are patched, for some organisations this could mean patching more than 50 servers.

“If a hacker writes and releases a worm exploit, as occurred with other software vulnerabilities, such as Slapper and Slammer then it could result in rapid and mass compromises of networks.

"Unfortunately, there will always be a proportion of networks connected to the Internet which fail to patch. Potentially, this could cause problems for those who do patch by mass consumption of bandwidth of infected hosts looking for new vulnerable machines to infect."

AusCERT issued an advisory about the Sendmail vulnerability which is available on its web site with further details of what organisations can do to protect their systems.

AusCERT released its first warning at 3:47 am (AEST), Tuesday, 4 March soon after the public release of information about this vulnerability by ISS X-Force and CERT/CC in the USA, which occurred at about 1200 pm on Monday, 3 March (USA Eastern Standard Time - UTC-5 hours).

Media enquiries should be directed to Jan King, Office of Media Communications on 3365 1120.