copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2006.0419 -- [Solaris] -- A Security Vulnerability in sendmail(1M) May Allow a Denial of Service (DoS) To Occur

Date: 23 August 2006
References: AL-2006.0048  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                        ESB-2006.0419 -- [Solaris]
        A Security Vulnerability in sendmail(1M) May Allow a Denial
                         of Service (DoS) To Occur
                              23 August 2006

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Sendmail
Publisher:            Sun Microsystems
Operating System:     Solaris 8, 9 and 10
Impact:               Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2006-1173

Ref:                  AL-2006.0048

Revision History:  August 23 2006: Updated Contributing Factors and
                                   Resolution sections
                   August 21 2006: Updated workaround section
                   August  4 2006: Sun released updates to Contributing
                                   Factors and Resolution sections
                   June   22 2006: Mitigation section updated
                   June   16 2006: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Sun(sm) Alert Notification
     * Sun Alert ID: 102460
     * Synopsis: A Security Vulnerability in sendmail(1M) Versions Prior
       to 8.13.7 May Allow a Denial of Service (DoS) To Occur
     * Category: Security
     * Product: Solaris 9 Operating System, Solaris 10 Operating System,
       Solaris 8 Operating System
     * BugIDs: 6424201
     * Avoidance: Workaround, Patch
     * State: Workaround
     * Date Released: 14-Jun-2006
     * Date Closed: 
     * Date Modified: 20-Jun-2006, 10-Jul-2006, 21-Jul-2006, 26-Jul-2006,
       02-Aug-2006, 16-Aug-2006, 21-Aug-2006

1. Impact

   On hosts where sendmail(1M) is configured to accept incoming mail, a
   local or remote unprivileged user may be able to prevent sendmail from
   successfully delivering queued messages, resulting in a Denial of
   Service (DoS) of the sendmail delivery mechanism.

   On hosts which do not accept remote incoming mail, but make use of
   sendmail(1M) to deliver messages to other hosts and users, a local
   unprivileged user may be able to prevent sendmail from delivering
   queued messages, again resulting in a Denial of Service (DoS) of the
   sendmail delivery mechanism.

   If either of the two issues above are exploited, an additional Denial
   of Service (DoS) to the system may occur if sendmail(1M) is configured
   to write unique core files to disk and to attempt to flush the
   delivery queue regularly. Each attempt to flush the delivery queue
   will result in a new core file being written to disk, eventually
   consuming all available space.

   This issue is referenced in the following documents:

   CVE-2006-1173 at
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1173

   CERT VU#146718 at http://www.kb.cert.org/vuls/id/146718

2. Contributing Factors

   This issue can occur in the following releases:

   SPARC Platform
     * Solaris 8 without patch 110615-15
     * Solaris 9 without patch 113575-07
     * Solaris 10 without patch 122856-02

   x86 Platform
     * Solaris 8 without patch 110616-15
     * Solaris 9
     * Solaris 10 without patch 122857-03

   Notes:

   1. The current Solaris 8 sendmail patches (110615-14 for SPARC and
   110616-14 for x86) update sendmail to version 8.11.7p2+Sun. This
   version of sendmail is affected by this vulnerability.

   The Solaris 8 patches which will address this vulnerability will
   update sendmail to version 8.11.7p3+Sun. This is a minor change to
   this version of sendmail, however, these are the only patches which
   are required to address this vulnerability in Solaris 8.

   The Solaris 9 and 10 patches which address this issue will update
   sendmail directly to version 8.13.7+Sun.

   2. This issue only affects systems which have sendmail(1M) enabled, or
   which use sendmail to deliver messages.

   3. Sendmail versions prior to 8.13.7 are impacted by this issue.

   A) To determine if sendmail(1M) is running on the system and its
   version number, the mconnect(1) command can be used, as in the
   following example:
    $ /usr/bin/mconnect
    connecting to host localhost (127.0.0.1), port 25
    connection open
    220 an.example.com ESMTP Sendmail 8.13.5+Sun/8.13.5;
    Mon, 20 Mar 2006 17:07:57 GMT
    quit
    221 2.0.0 an.example.com closing connection

   If sendmail is not running on the system, the mconnect(1) command will
   report the following:
    $ /usr/bin/mconnect
    connecting to host localhost (127.0.0.1), port 25
    connect: Connection refused

   To determine if sendmail(1M) is configured for use in delivering
   messages, the presence of the `sendmail.cf' file can be checked, using
   a command such as the following:
    $ file /etc/mail/sendmail.cf
    /etc/mail/sendmail.cf:  English text

   To determine if there are currently messages in sendmail's queue which
   may be affected by this issue, the following commands can be used with
   the default sendmail(1M) configuration (the second command is
   available on Solaris 9 and later only):
    # mailq
    /var/spool/mqueue is empty
    Total requests: 0

    # mailq -Ac
    /var/spool/clientmqueue is empty
    Total requests: 0

   B) To determine if the system is vulnerable to the additional issue of
   disk space consumption, check whether sendmail(1M) is configured to
   create unique core dumps using the coreadm(1M) command to check the
   global and per-process core dump settings which affect the sendmail
   processes:
    $ coreadm | grep global
    global core file pattern: /var/cores/core.%f.%p
    global core file content: default
    global core dumps: enabled
    global setid core dumps: disabled
    global core dump logging: disabled

    # coreadm `pgrep sendmail`
    109584:  core.%f.%p      default

       109586: core default

3. Symptoms

   If this issue has been exploited to cause a Denial of Service(DoS),
   some messages may remain in the delivery queue indefinitely, and will
   not be delivered to their destinations. Note that if this issue
   occurs, sendmail will continue to receive messages from remote hosts
   and will successfully deliver messages which are not deferred into the
   delivery queue.

   If sendmail is configured to save unique core dumps, these will be
   stored at a path that depends on the configuration set with
   coreadm(1M) and will occupy an increasing share of the disk space. 

4. Relief/Workaround

   To prevent the disruption of the sendmail(1M) delivery mechanism, the
   'ForkEachJob' option can be set, causing sendmail to deliver each
   message in its own process, preventing any one message from disrupting
   the delivery of other messages. However, this may have an impact on
   the performance of the delivery process.

   This option can be set by adding the following line to the *.mc files
   used to generate the "/etc/mail/sendmail.cf" and "/etc/mail/submit.cf"
   (if present) files:
    define(`confSEPARATE_PROC',`true')dnl

   The *.mc files are located in "/usr/lib/mail/cf" for Solaris 8 and 9,
   and "/etc/mail/cf/cf" for Solaris 10.

   Generate the new *.cf files from these revised *.mc files and copy to
   "/etc/mail/sendmail.cf" and "/etc/mail/submit.cf" as required. Please
   refer to "/usr/lib/mail/README" for additional information on how to
   use the *.mc files.

   Restart sendmail once the modifications have been performed, as
   follows:

   Solaris 10:
    # svcadm restart sendmail

   Solaris 8, 9:
    # /etc/init.d/sendmail stop
    # /etc/init.d/sendmail start

   To prevent sendmail(1M) from filling up the disk, it can be configured
   using the coreadm(1M) command to write statically named core files.
   This should be applied to both the global core file pattern (if
   enabled) and the per-process core file pattern.

   For example, to disable global core files:
    # coreadm -d global

   and to make sendmail core dump filenames static until the sendmail
   service is restarted:
    # coreadm -p core.%f $(pgrep sendmail)

   A preliminary T-Patch is available for the following release from
   http://sunsolve.sun.com/tpatches:

   x86 Platform
     * Solaris 9 T-patch T114137-06

   This document refers to one or more preliminary temporary patches
   (T-Patches) which are designed to address the concerns identified
   herein. Sun has limited experience with these patches due to their
   preliminary nature. As such, you should only install the patches on
   systems meeting the configurations described above. Sun may release
   full patches at a later date, however, Sun is under no obligation
   whatsoever to create, release, or distribute any such patch.

5. Resolution

   This issue is addressed in the following releases:

   SPARC Platform
     * Solaris 8 with patch 110615-15 or later
     * Solaris 9 with patch 113575-07 or later
     * Solaris 10 with patch 122856-02 or later

   x86 Platform
     * Solaris 8 with patch 110616-15 or later
     * Solaris 10 with patch 122857-03 or later

   A final resolution is pending completion.

Change History

   20-Jun-2006:
     * Updated Relief/Workaround section

   10-Jul-2006:
     * Updated Relief/Workaround section

   21-Jul-2006:
     * Updated Contributing Factors and Resolution sections

   26-Jul-2006:
     * Updated Contributing Factors and Relief/Workaround sections

   02-Aug-2006:
     * Updated Contributing Factors and Resolution sections

   16-Aug-2006:
     * Updated Relief/Workaround section

   21-Aug-2006:
     * Updated Contributing Factors and Resolution sections

   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.

   Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBROvSyih9+71yA2DNAQJ7KQP+OMzFqGIdWZCX0bFbaufMKbXLzeLF2ivz
lBDsGoFQGeI/sl4kEG78IiSNYac+h2QpfLNq/rfDNrhjy5jguEzFef2OH9pUmcKU
bPsBYQYMSa4EyXYJY/OTdeatA+x+MH3ULdYc0Brrjo4UpX05tuE9PgWr7NCBUchp
clkkboDo7M4=
=HkxP
-----END PGP SIGNATURE-----