[Nottingham] [Fwd: CERT Advisory CA-2003-25 Buffer Overflow in Sendmail]

Phil Lakin nottingham at mailman.lug.org.uk
Thu Sep 18 18:00:02 2003


Just in case anyone else is bored, 

Time to upgrade sendmail again.

Phil

-----Forwarded Message-----
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
Subject: CERT Advisory CA-2003-25 Buffer Overflow in Sendmail
Date: Thu, 18 Sep 2003 10:37:39 -0400


-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-25 Buffer Overflow in Sendmail

   Original issue date: September 18, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.


Systems Affected

     * Systems  running  open-source  sendmail versions prior to 8.12.10,
       including UNIX and Linux systems

     * Commercial   releases   of  sendmail  including  Sendmail  Switch,
       Sendmail Advanced Message Server (SAMS), and Sendmail for NT


Overview

   A  vulnerability  in sendmail could allow a remote attacker to execute
   arbitrary  code  with the privileges of the sendmail daemon, typically
   root.


I. Description

   Sendmail is a widely deployed mail transfer agent (MTA). Many UNIX and
   Linux  systems  provide  a sendmail implementation that is enabled and
   running  by  default. Sendmail contains a vulnerability in its address
   parsing  code.  An  error  in  the  prescan()  function could allow an
   attacker  to  write  past  the  end  of  a  buffer,  corrupting memory
   structures.  Depending  on platform and operating system architecture,
   the  attacker  may  be able to execute arbitrary code with a specially
   crafted email message.

   This vulnerability is different than the one described in CA-2003-12.

   The   email   attack   vector   is   message-oriented  as  opposed  to
   connection-oriented. This means that the vulnerability is triggered by
   the  contents  of  a  specially  crafted  email message rather than by
   lower-level  network  traffic.  This  is important because an MTA that
   does  not  contain  the  vulnerability  may pass the malicious message
   along  to  other  MTAs  that may be protected at the network level. In
   other  words, vulnerable sendmail servers on the interior of a network
   are  still  at risk, even if the site's border MTA uses software other
   than sendmail. Also, messages capable of exploiting this vulnerability
   may pass undetected through packet filters or firewalls.

   Further  information is available in VU#784980. Common Vulnerabilities
   and Exposures (CVE) refers to this issue as CAN-2003-0694.


II. Impact

   Depending  on  platform  and  operating  system architecture, a remote
   attacker  could  execute  arbitrary  code  with  the privileges of the
   sendmail   daemon.  Unless  the  RunAsUser  option  is  set,  Sendmail
   typically runs as root.


III. Solution

Upgrade or apply a patch

   This  vulnerability is resolved in Sendmail 8.12.10. Sendmail has also
   released a patch that can be applied to Sendmail 8.9.x through 8.12.9.
   Information  about specific vendors is available in Appendix A. and in
   the Systems Affected section of VU#784980.

   Sendmail  8.12.10  is  designed to correct malformed messages that are
   transferred  by  the server. This should help protect other vulnerable
   sendmail servers.

Enable the RunAsUser option

   While  there  is  no  known  complete workaround, consider setting the
   RunAsUser  option  to  reduce  the impact of this vulnerability. It is
   typically  considered  to  be  a  good  security practice to limit the
   privileges of applications and services whenever possible.


Appendix A. Vendor Information

   This  appendix  contains information provided by vendors. When vendors
   report  new  information, this section is updated, and the changes are
   noted  in  the  revision  history. If a vendor is not listed below, we
   have  not  received their direct statement. Further vendor information
   is available in the Systems Affected section of VU#784980.

Debian

     The  sendmail  and  sendmail-wide  packages  are vulnerable to this
     issue.  Updated  packages  are being prepared and will be available
     soon.

F5 Networks

     BIG-IP and 3-DNS products are not vulnerable.

IBM

     The  AIX  Security  Team  is  aware of the issues discussed in CERT
     Vulnerability Note VU#784980.

     The following APARs will be released to address this issue:

      APAR number for AIX 4.3.3: IY48659 (available approx. 10/03/03)
      APAR number for AIX 5.1.0: IY48658 (available approx. 10/15/03)
      APAR number for AIX 5.2.0: IY48657 (available approx. 10/29/03)

     An  e-fix  will  be  available shortly. The e-fix will be available
     from:

     ftp://ftp.software.ibm.com/aix/efixes/security/sendmail_4_efix.tar.Z

     This  vendor  statement  will  be  updated  when  the e-fix becomes
     available.

Lotus

     This  is  a  sendmail-specific issue that does not affect any Lotus
     products.

Network Appliance

     NetApp products are not vulnerable to this problem.

NetBSD

     NetBSD-current  ships  with sendmail 8.12.9 since June 1, 2003. The
     patch  was  applied  on  September  17, 2003. In the near future we
     would upgrade to sendmail 8.12.10.

     Our  official  releases,  such  as  NetBSD 1.6.1, are also affected
     (they ship with older version of sendmail). They will be patched as
     soon  as  possible. We would issue NetBSD Security Advisory on this
     matter.

Openwall GNU/*/Linux

     Openwall  GNU/*/Linux  is  not  vulnerable.  We  ship  Postfix, not
     Sendmail.

Red Hat

     Red  Hat  Linux  and  Red Hat Enterprise Linux ship with a Sendmail
     package  vulnerable  to these issues. Updated Sendmail packages are
     available  along  with our advisory at the URLs below. Users of the
     Red Hat Network can update their systems using the 'up2date' tool.

     Red Hat Linux:

      http://rhn.redhat.com/errata/RHSA-2003-283.html

     Red Hat Enterprise Linux:

      http://rhn.redhat.com/errata/RHSA-2003-284.html

The Sendmail Consortium

     The  Sendmail  Consortium  recommends that sites upgrade to 8.12.10
     whenever  possible.  Alternatively,  patches are available for 8.9,
     8.10, 8.11, and 8.12 on http://www.sendmail.org/.

Sendmail Inc.

     All   commercial   releases  including  Sendmail  Switch,  Sendmail
     Advanced  Message  Server (which includes the Sendmail Switch MTA),
     Sendmail for NT, and Sendmail Pro are affected by this issue. Patch
     information is available at http://www.sendmail.com/security/.

Sun

     Sun  acknowledges  that  our  recent release of sendmail 8.12.10 is
     affected by this issue on Solaris releases S7, S8 and S9.

     A Sun Alert for this issue will be isuued very soon which will then
     be available from:

      http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/56860

     There  are no patches available at this time. The Sun Alert will be
     updated  with the patch information as it becomes available. Please
     refer to the Sun Alert when available, for more information.

SuSE

     SuSE  products shipping sendmail are affected. Update packages that
     fix  the  vulnerability  are  being  prepared and will be published
     shortly.

Appendix B. References

     * CERT/CC Vulnerability Note VU#784980 -
       <http://www.kb.cert.org/vuls/id/784980>
     * Michal Zalewski's post to BugTraq -
       <http://www.securityfocus.com/archive/1/337839>
     * Sendmail 8.12.10 - <http://www.sendmail.org/8.12.10.html>
     * Sendmail patch for 8.12.9 -
       <http://www.sendmail.org/patches/parse8.359.2.8>
     * Sendmail 8.12.10 announcement -
       <http://archives.neohapsis.com/archives/sendmail/2003-q3/0002.html
       >
     * Sendmail Secure Install -
       <http://www.sendmail.org/secure-install.html>
   
     _________________________________________________________________

   This  vulnerability was discovered by Michal Zalewski. Thanks to Claus
   Assmann  and  Eric Allman of Sendmail for their help in preparing this
   document.
     _________________________________________________________________

   Feedback can be directed to the author, Art Manion.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2003-25.html
   ______________________________________________________________________


CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

     http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

Getting security information

   CERT  publications  and  other security information are available from
   our web site

     http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
   ______________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.


Revision History

   September 18, 2003: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBP2nC8jpmH2w9K/0VAQFKwwP/Vagji3+avI6eb/5C++JCjjmL0Y+JrFmD
6DWgYsOVASDUO4bUyHYiAl2BM8s3owsprTRuKFl3WOf18h++qtTOOO1oeRt+bhqP
1q6ImxjAem7kM2f5e3xdArowptIlqMXFakQ2N3gHqyfXEcmgESrFcGNS8oCV20Y4
rriFRV/lvDU=
=/mMy
-----END PGP SIGNATURE-----