CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail
Luca Giuzzi
giuzzi a lugbs.linux.it
Lun 3 Mar 2003 20:23:46 UTC
Un warning urgente da meditare...
ciao,
lg
On Mon, Mar 03, 2003 at 01:06:00PM -0500, CERT Advisory wrote:
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail
>
> Original release date: March 3, 2003
> Last revised: --
> Source: CERT/CC
>
> A complete revision history can be found at the end of this file.
>
> Systems Affected
>
> * Sendmail Pro (all versions)
> * Sendmail Switch 2.1 prior to 2.1.5
> * Sendmail Switch 2.2 prior to 2.2.5
> * Sendmail Switch 3.0 prior to 3.0.3
> * Sendmail for NT 2.X prior to 2.6.2
> * Sendmail for NT 3.0 prior to 3.0.3
> * Systems running open-source sendmail versions prior to 8.12.8,
> including UNIX and Linux systems
>
> Overview
>
> There is a vulnerability in sendmail that may allow remote attackers
> to gain the privileges of the sendmail daemon, typically root.
>
> I. Description
>
> Researchers at Internet Security Systems (ISS) have discovered a
> remotely exploitable vulnerability in sendmail. This vulnerability
> could allow an intruder to gain control of a vulnerable sendmail
> server.
>
> Most organizations have a variety of mail transfer agents (MTAs) at
> various locations within their network, with at least one exposed to
> the Internet. Since sendmail is the most popular MTA, most
> medium-sized to large organizations are likely to have at least one
> vulnerable sendmail server. In addition, many UNIX and Linux
> workstations provide a sendmail implementation that is enabled and
> running by default.
>
> This vulnerability is message-oriented as opposed to
> connection-oriented. That means that the vulnerability is triggered by
> the contents of a specially-crafted email message rather than by
> lower-level network traffic. This is important because an MTA that
> does not contain the vulnerability will pass the malicious message
> along to other MTAs that may be protected at the network level. In
> other words, vulnerable sendmail servers on the interior of a network
> are still at risk, even if the site's border MTA uses software other
> than sendmail. Also, messages capable of exploiting this vulnerability
> may pass undetected through many common packet filters or firewalls.
>
> Sendmail has indicated to the CERT/CC that this vulnerability has been
> successfully exploited in a laboratory environment. We do not believe
> that this exploit is available to the public. However, this
> vulnerability is likely to draw significant attention from the
> intruder community, so the probability of a public exploit is high.
>
> A successful attack against an unpatched sendmail system will not
> leave any messages in the system log. However, on a patched system, an
> attempt to exploit this vulnerability will leave the following log
> message:
>
> Dropped invalid comments from header address
>
> Although this does not represent conclusive evidence of an attack, it
> may be useful as an indicator.
>
> A patched sendmail server will drop invalid headers, thus preventing
> downstream servers from receiving them.
>
> The CERT/CC is tracking this issue as VU#398025. This reference number
> corresponds to CVE candidate CAN-2002-1337.
>
> For more information, please see
>
> http://www.sendmail.org
> http://www.sendmail.org/8.12.8.html
> http://www.sendmail.com/security/
> http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
> http://www.kb.cert.org/vuls/id/398025
>
> II. Impact
>
> Successful exploitation of this vulnerability may allow an attacker to
> gain the privileges of the sendmail daemon, typically root. Even
> vulnerable sendmail servers on the interior of a given network may be
> at risk since the vulnerability is triggered from the contents of a
> malicious email message.
>
> III. Solution
>
> Apply a patch from Sendmail
>
> Sendmail has produced patches for versions 8.9, 8.10, 8.11, and 8.12.
> However, the vulnerability also exists in earlier versions of the
> code; therefore, site administrators using an earlier version are
> encouraged to upgrade to 8.12.8. These patches are located at
>
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.security.cr.patch
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.security.cr.patch
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.9.3.security.cr.patch
>
> Apply a patch from your vendor
>
> Many vendors include vulnerable sendmail servers as part of their
> software distributions. We have notified vendors of this vulnerability
> and recorded their responses in the systems affected section of
> VU#398025. Several vendors have provided a statement for direct
> inclusion in this advisory; these statements are available in Appendix
> A.
>
> Enable the RunAsUser option
>
> There is no known workaround for this vulnerability. Until a patch can
> be applied, you may wish to set the RunAsUser option to reduce the
> impact of this vulnerability. As a good general practice, the CERT/CC
> recommends limiting the privileges of an application or service
> whenever possible.
>
> Appendix A. - Vendor Information
>
> This appendix contains information provided by vendors for this
> advisory. As vendors report new information to the CERT/CC, we will
> update this section and note the changes in our revision history. If a
> particular vendor is not listed below, we have not received their
> comments.
>
> Apple Computer, Inc.
>
> Security Update 2003-03-03 is available to fix this issue. Packages
> are available for Mac OS X 10.1.5 and Mac OS X 10.2.4. It should be
> noted that sendmail is not enabled by default on Mac OS X, so only
> those systems which have explicitly enabled it are susceptible to the
> vulnerability. All customers of Mac OS X, however, are encouraged to
> apply this update to their systems.
>
> Avaya, Inc.
>
> Avaya is aware of the vulnerability and is investigating impact. As
> new information is available this statement will be updated.
>
> BSD/OS
>
> Wind River Systems has created patches for this problem which are
> available from the normal locations for each release. The relevant
> patches are M500-006 for BSD/OS version 5.0 or the Wind River Platform
> for Server Appliances 1.0, M431-002 for BSD/OS 4.3.1, or M420-032 for
> BSD/OS 4.2 systems.
>
> Cisco Systems
>
> Cisco is investigating this issue. If we determine any of our products
> are vulnerable that information will be available at:
> http://www.cisco.com/go/psirt
>
> Cray Inc.
>
> The code supplied by Cray, Inc. in Unicos, Unicos/mk, and Unicos/mp
> may be vulnerable. Cray has opened SPRs 724749 and 724750 to
> investigate.
>
> Cray, Inc. is not vulnerable for the MTA systems.
>
> Hewlett-Packard Company
>
> SOURCE:
> Hewlett-Packard Company
> HP Services
> Software Security Response Team
>
> x-ref: SSRT3469 sendmail
>
> HP will provide notice of the availability of patches through standard
> security bulletin announcements and be available from your normal HP
> Services support channel.
>
> IBM Corporation
>
> The AIX operating system is vulnerable to the sendmail issues
> discussed in releases 4.3.3, 5.1.0 and 5.2.0.
>
> A temporary patch is available through an efix package which can be
> found at
> ftp://ftp.software.ibm.com/aix/efixes/security/sendmail_efix.tar.Z
>
> IBM will provide the following official fixes:
>
> APAR number for AIX 4.3.3: IY40500 (available approx.
> 03/12/2003)
> APAR number for AIX 5.1.0: IY40501 (available approx.
> 04/28/2003)
> APAR number for AIX 5.2.0: IY40502 (available approx.
> 04/28/2003)
>
> Openwall GNU/*/Linux
>
> Openwall GNU/*/Linux is not vulnerable. We use Postfix as the MTA, not
> sendmail.
>
> Red Hat Inc.
>
> Updated sendmail packages that are not vulnerable to this issue are
> available for Red Hat Linux, Red Hat Advanced Server, and Red Hat
> Advanced Workstation. Red Hat Network users can update their systems
> using the 'up2date' tool.
>
> Red Hat Linux:
>
> http://rhn.redhat.com/errata/RHSA-2003-073.html
>
> Red Hat Linux Advanced Server, Advanced Workstation:
>
> http://rhn.redhat.com/errata/RHSA-2003-074.html
>
> SGI
>
> SGI acknowledges VU#398025 reported by CERT and has released an
> advisory to address the vulnerability on IRIX.
>
> Refer to SGI Security Advisory 20030301-01-P available from
> ftp://patches.sgi.com/support/free/security/advisories/20030301-01-P
> or http://www.sgi.com/support/security/.
>
> The Sendmail Consortium
>
> The Sendmail Consortium suggests that sites upgrade to 8.12.8 if
> possible. Alternatively, patches are available for 8.9, 8.10, 8.11,
> and 8.12 on http://www.sendmail.org/
>
> Sendmail, Inc.
>
> All commercial releases including Sendmail Switch, Sendmail Advanced
> Message Server (which includes the Sendmail Switch MTA), Sendmail for
> NT, and Sendmail Pro are affected by this issue. Patch information is
> available at http://www.sendmail.com/security.
> _________________________________________________________________
>
> Our thanks to Internet Security Systems, Inc. for discovering this
> problem, and to Eric Allman, Claus Assmann, and Greg Shapiro of
> Sendmail for notifying us of this problem. We thank both groups for
> their assistance in coordinating the response to this problem.
> _________________________________________________________________
>
> Authors: Jeffrey P. Lanza and Shawn V. Hernan
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2003-07.html
> ______________________________________________________________________
>
> CERT/CC Contact Information
>
> Email: cert a cert.org
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
> EDT(GMT-4) Monday through Friday; they are on call for emergencies
> during other hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
> Getting security information
>
> CERT publications and other security information are available from
> our web site
> http://www.cert.org/
>
> To subscribe to the CERT mailing list for advisories and bulletins,
> send email to majordomo a cert.org. Please include in the body of your
> message
>
> subscribe cert-advisory
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material. Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
> _________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2003 Carnegie Mellon University.
>
> Revision History
> Mar 03, 2003: Initial release
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
>
> iQCVAwUBPmOZEWjtSoHZUTs5AQGNUwP/YC0aRMqrFoLxUjG9pZIOBb98z8BFPfTW
> w/5u09rcW7WpH52XGaOWbu9PYtnLKtPaMrwevc38r6ILvZywasxdpUcUtR4W9XPZ
> 9EW4LYB1EaU81PLpzkQXWkVAhlX4vgHTU75oEcjfsacxXHlxtMYM1JpmyO8gvlnl
> pD4vLdvJqHE=
> =PfHu
> -----END PGP SIGNATURE-----
>
> -+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+
> This message was posted through the FIRST mailing list server.
> Subscriptions are managed by the FIRST Secretariat <first-sec a first.org>.
> -+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+
--
Maggiori informazioni sulla lista
Lug
|