作者 主題: CERT Advisory CA-2003-25 Buffer Overflow in Sendmail  (閱讀 4849 次)

0 會員 與 1 訪客 正在閱讀本文。

abelyang

  • 酷!學園 學長們
  • 俺是博士!
  • *****
  • 文章數: 1097
    • 檢視個人資料
現在換 sendmail 了,今天就發現 sendmail 8.12.10 出來了,還在想 sendmail.org
怎版本更新如此快呢 ! 8.12.9 才出沒多久  :o
不過根據我個人 try 一些 mail server banner....
大概沒有多少人更新到 8.12.9, 更何況今天的 8.12.10 呢 !
最近真熱鬧呀~預祝各位好運囉 (相信許多人不敢亂動 mail server , 因為怕動了後不 work ...不動就只能燒香了)

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-25 Buffer Overflow in Sendmail

  Original issue date: September 18, 2003
  Last revised: --
  Source: CERT/CC

  A complete revision history is at the end of this file.


Systems Affected

    * Systems  running  open-source  sendmail versions prior to 8.12.10,
      including UNIX and Linux systems

    * Commercial   releases   of  sendmail  including  Sendmail  Switch,
      Sendmail Advanced Message Server (SAMS), and Sendmail for NT


Overview

  A  vulnerability  in sendmail could allow a remote attacker to execute
  arbitrary  code  with the privileges of the sendmail daemon, typically
  root.


I. Description

  Sendmail is a widely deployed mail transfer agent (MTA). Many UNIX and
  Linux  systems  provide  a sendmail implementation that is enabled and
  running  by  default. Sendmail contains a vulnerability in its address
  parsing  code.  An  error  in  the  prescan()  function could allow an
  attacker  to  write  past  the  end  of  a  buffer,  corrupting memory
  structures.  Depending  on platform and operating system architecture,
  the  attacker  may  be able to execute arbitrary code with a specially
  crafted email message.

  This vulnerability is different than the one described in CA-2003-12.

  The   email   attack   vector   is   message-oriented  as  opposed  to
  connection-oriented. This means that the vulnerability is triggered by
  the  contents  of  a  specially  crafted  email message rather than by
  lower-level  network  traffic.  This  is important because an MTA that
  does  not  contain  the  vulnerability  may pass the malicious message
  along  to  other  MTAs  that may be protected at the network level. In
  other  words, vulnerable sendmail servers on the interior of a network
  are  still  at risk, even if the site's border MTA uses software other
  than sendmail. Also, messages capable of exploiting this vulnerability
  may pass undetected through packet filters or firewalls.

  Further  information is available in VU#784980. Common Vulnerabilities
  and Exposures (CVE) refers to this issue as CAN-2003-0694.


II. Impact

  Depending  on  platform  and  operating  system architecture, a remote
  attacker  could  execute  arbitrary  code  with  the privileges of the
  sendmail   daemon.  Unless  the  RunAsUser  option  is  set,  Sendmail
  typically runs as root


III. Solution

Upgrade or apply a patch

  This  vulnerability is resolved in Sendmail 8.12.10. Sendmail has also
  released a patch that can be applied to Sendmail 8.9.x through 8.12.9.
  Information  about specific vendors is available in Appendix A. and in
  the Systems Affected section of VU#784980.

  Sendmail  8.12.10  is  designed to correct malformed messages that are
  transferred  by  the server. This should help protect other vulnerable
  sendmail servers.

Enable the RunAsUser option

  While  there  is  no  known  complete workaround, consider setting the
  RunAsUser  option  to  reduce  the impact of this vulnerability. It is
  typically  considered  to  be  a  good  security practice to limit the
  privileges of applications and services whenever possible.


Appendix A. Vendor Information

  This  appendix  contains information provided by vendors. When vendors
  report  new  information, this section is updated, and the changes are
  noted  in  the  revision  history. If a vendor is not listed below, we
  have  not  received their direct statement. Further vendor information
  is available in the Systems Affected section of VU#784980.

Debian

    The  sendmail  and  sendmail-wide  packages  are vulnerable to this
    issue.  Updated  packages  are being prepared and will be available
    soon.

F5 Networks

    BIG-IP and 3-DNS products are not vulnerable.

IBM

    The  AIX  Security  Team  is  aware of the issues discussed in CERT
    Vulnerability Note VU#784980.

    The following APARs will be released to address this issue:

     APAR number for AIX 4.3.3: IY48659 (available approx. 10/03/03)
     APAR number for AIX 5.1.0: IY48658 (available approx. 10/15/03)
     APAR number for AIX 5.2.0: IY48657 (available approx. 10/29/03)

    An  e-fix  will  be  available shortly. The e-fix will be available
    from:

    ftp://ftp.software.ibm.com/aix/efixes/security/sendmail_4_efix.tar.Z

    This  vendor  statement  will  be  updated  when  the e-fix becomes
    available.

Lotus

    This  is  a  sendmail-specific issue that does not affect any Lotus
    products.

Network Appliance

    NetApp products are not vulnerable to this problem.

NetBSD

    NetBSD-current  ships  with sendmail 8.12.9 since June 1, 2003. The
    patch  was  applied  on  September  17, 2003. In the near future we
    would upgrade to sendmail 8.12.10.

    Our  official  releases,  such  as  NetBSD 1.6.1, are also affected
    (they ship with older version of sendmail). They will be patched as
    soon  as  possible. We would issue NetBSD Security Advisory on this
    matter.

Openwall GNU/*/Linux

    Openwall  GNU/*/Linux  is  not  vulnerable.  We  ship  Postfix, not
    Sendmail.

Red Hat

    Red  Hat  Linux  and  Red Hat Enterprise Linux ship with a Sendmail
    package  vulnerable  to these issues. Updated Sendmail packages are
    available  along  with our advisory at the URLs below. Users of the
    Red Hat Network can update their systems using the 'up2date' tool.

    Red Hat Linux:

     http://rhn.redhat.com/errata/RHSA-2003-283.html

    Red Hat Enterprise Linux:

     http://rhn.redhat.com/errata/RHSA-2003-284.html

The Sendmail Consortium

    The  Sendmail  Consortium  recommends that sites upgrade to 8.12.10
    whenever  possible.  Alternatively,  patches are available for 8.9,
    8.10, 8.11, and 8.12 on http://www.sendmail.org/.

Sendmail Inc.

    All   commercial   releases  including  Sendmail  Switch,  Sendmail
    Advanced  Message  Server (which includes the Sendmail Switch MTA),
    Sendmail for NT, and Sendmail Pro are affected by this issue. Patch
    information is available at http://www.sendmail.com/security/.

Sun

    Sun  acknowledges  that  our  recent release of sendmail 8.12.10 is
    affected by this issue on Solaris releases S7, S8 and S9.

    A Sun Alert for this issue will be isuued very soon which will then
    be available from:

     http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/56860

    There  are no patches available at this time. The Sun Alert will be
    updated  with the patch information as it becomes available. Please
    refer to the Sun Alert when available, for more information.

SuSE

    SuSE  products shipping sendmail are affected. Update packages that
    fix  the  vulnerability  are  being  prepared and will be published
    shortly.

Appendix B. References

    * CERT/CC Vulnerability Note VU#784980 -
      <http://www.kb.cert.org/vuls/id/784980>;
    * Michal Zalewski's post to BugTraq -
      <http://www.securityfocus.com/archive/1/337839>;
    * Sendmail 8.12.10 - <http://www.sendmail.org/8.12.10.html>;
    * Sendmail patch for 8.12.9 -
      <http://www.sendmail.org/patches/parse8.359.2.8>;
    * Sendmail 8.12.10 announcement -
      <http://archives.neohapsis.com/archives/sendmail/2003-q3/0002.html
      >
    * Sendmail Secure Install -
      <http://www.sendmail.org/secure-install.html>;
 
    _________________________________________________________________

  This  vulnerability was discovered by Michal Zalewski. Thanks to Claus
  Assmann  and  Eric Allman of Sendmail for their help in preparing this
  document.
    _________________________________________________________________

  Feedback can be directed to the author, Art Manion.
  ______________________________________________________________________

  This document is available from:
  http://www.cert.org/advisories/CA-2003-25.html
  ______________________________________________________________________


CERT/CC Contact Information

  Email: cert@cert.org
         Phone: +1 412-268-7090 (24-hour hotline)
         Fax: +1 412-268-6989
         Postal address:
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         U.S.A.

  CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
  EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
  during other hours, on U.S. holidays, and on weekends.

Using encryption

  We  strongly  urge you to encrypt sensitive information sent by email.
  Our public PGP key is available from

    http://www.cert.org/CERT_PGP.key

  If  you  prefer  to  use  DES,  please  call the CERT hotline for more
  information.

Getting security information

  CERT  publications  and  other security information are available from
  our web site

    http://www.cert.org/

  To  subscribe  to  the CERT mailing list for advisories and bulletins,
  send  email  to majordomo@cert.org. Please include in the body of your
  message

  subscribe cert-advisory

  *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
  Patent and Trademark Office.
  ______________________________________________________________________

  NO WARRANTY
  Any  material furnished by Carnegie Mellon University and the Software
  Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
  Mellon University makes no warranties of any kind, either expressed or
  implied  as  to  any matter including, but not limited to, warranty of
  fitness  for  a  particular purpose or merchantability, exclusivity or
  results  obtained from use of the material. Carnegie Mellon University
  does  not  make  any warranty of any kind with respect to freedom from
  patent, trademark, or copyright infringement.
  ______________________________________________________________________

  Conditions for use, disclaimers, and sponsorship information

  Copyright 2003 Carnegie Mellon University.


Revision History

  September 18, 2003: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBP2nC8jpmH2w9K/0VAQFKwwP/Vagji3+avI6eb/5C++JCjjmL0Y+JrFmD
6DWgYsOVASDUO4bUyHYiAl2BM8s3owsprTRuKFl3WOf18h++qtTOOO1oeRt+bhqP
1q6ImxjAem7kM2f5e3xdArowptIlqMXFakQ2N3gHqyfXEcmgESrFcGNS8oCV20Y4
rriFRV/lvDU=
=/mMy
-----END PGP SIGNATURE-----