remote root sendmail security hole - Security


  1. remote root sendmail security hole


    "A serious sendmail security hole"
    http://lwn.net/Articles/176596/

    "It's been a while since we had a good sendmail vulnerability...but we
    need wait no longer. Sendmail 8.13.6 has just been released in response to
    a security issue which could lead to a remote root exploit. This looks
    like a good one to fix in a hurry. Distributor updates have been seen so
    far from:

    Red Hat ; SUSE ; OpenPKG ; Gentoo ; Slackware ; Fedora (FC5, FC4)
    "

    "sendmail 8.13.6 available"
    http://lwn.net/Articles/176595/

    "From: Claus Assmann
    To: sendmail-announce-AT-sendmail.org
    Subject: sendmail 8.13.6 available
    Date: Wed, 22 Mar 2006 08:02:11 -0800 (PST)

    Archive-link: Article, Thread

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Sendmail, Inc., and the Sendmail Consortium announce the availability
    of sendmail 8.13.6. It contains a fix for a security problem
    discovered by Mark Dowd of ISS X-Force. Sendmail thanks ISS for
    bringing this problem to our attention and reviewing the patch for
    it. sendmail 8.13.6 also includes fixes for other potential problems,
    see the release notes below for more details. Sendmail urges all
    users to upgrade to sendmail 8.13.6. ...
    "

    Robert
    --
    Robert M. Stockmann - RHCE
    Network Engineer - UNIX/Linux Specialist
    crashrecovery.org stock@stokkie.net

  2. Re: remote root sendmail security hole

    Some more details, this appears to be real.

    http://www.cve.mitre.org/cgi-bin/cve...=CVE-2006-0058
    http://www.sendmail.com/company/advisory/index.shtml

    Sendmail, Inc. has recently become aware of a security vulnerability in
    certain versions of sendmail Mail Transfer Agent (MTA) and UNIX and Linux
    products that contain it. Sendmail was notified by security researchers
    at ISS that, under some specific timing conditions, this vulnerability
    may permit a specifically crafted attack to take over the sendmail MTA
    process, allowing remote attackers to execute commands and run arbitrary
    programs on the system running the MTA, affecting email delivery, or
    tampering with other programs and data on this system. This
    vulnerability is being tracked as CVE-2006-0058 and can be found at
    http://www.cve.mitre.org/cgi-bin/cve...=CVE-2006-0058.

    Sendmail is not aware of any public exploit code for this vulnerability.
    This connection-oriented vulnerability does not occur in the normal
    course of sending and receiving email. It is only triggered when
    specific conditions are created through SMTP connection layer commands.

    ....

    Within certain operating system architectures, a remote attacker may be
    able to force certain timing conditions that would allow execution of
    arbitrary code or commands on a vulnerable system. Systems running an MTA
    are typically deployed in the DMZ as a gateway for delivering inbound and
    outbound email, though they may also be used for internal email delivery
    between systems or applications. In the case of a compromised system, an
    attack could lead to exposure, deletion, or modification of programs and
    data on the affected system, interference with or interception of email
    delivery, and potentially unauthorized access to other systems in the
    network. Systems running any of the following software are considered
    vulnerable:
    Open Source

    1. Sendmail 8.13.5 and earlier versions


  3. Re: remote root sendmail security hole

    Jem Berkes wrote:
    >>"A serious sendmail security hole"
    >>http://lwn.net/Articles/176596/

    >
    >
    > LOL who uses sendmail with its security track record?


    Most unix systems and large ISPs... but what does that mean...

    > People will never learn.


    Such a shame: not everyone is enlightened

    > About as shocking as a BIND root hole


    Yes, let's shutdown named, also

  4. Re: remote root sendmail security hole

    On Thu, 23 Mar 2006 02:02:21 +0100, Robert M. Stockmann wrote:

    > "A serious sendmail security hole"
    > http://lwn.net/Articles/176596/


    Based on the CVE creation date, this bug was discovered almost 4 months
    ago.

    According to the advisory

    http://www.sendmail.com/company/advisory/index.shtml

    This is CVE-2006-0058, which is currently marked as 'reserved' and created
    on 01-01-2006.

    http://www.cve.mitre.org/cgi-bin/cve...=CVE-2006-0058

  5. Re: remote root sendmail security hole

    On Wed, 22 Mar 2006 19:32:05 -0600, Jem Berkes wrote:

    >> "A serious sendmail security hole"
    >> http://lwn.net/Articles/176596/

    >
    > LOL who uses sendmail with its security track record? People will never
    > learn.
    >
    > About as shocking as a BIND root hole


    well this one is serious :

    http://xforce.iss.net/xforce/alerts/id/216

    Advisories

    Internet Security Systems Protection Advisory
    March 22, 2006

    Sendmail Remote Signal Handling Vulnerability

    Summary:

    ISS has shipped protection for a flaw X-Force has discovered in
    the Sendmail server software. By sending malicious data at certain
    time intervals, it is possible for a remote attacker to corrupt arbitrary
    stack memory and gain control of the affected host.

    ISS Protection Strategy:

    ISS has provided preemptive protection for these vulnerabilities. We
    recommend that all customers apply applicable ISS product updates.

    Network Sensor 7.0 and Proventia A:
    XPU 24.29 / 2/14/06
    SMTP_Timeout_Bo

    Proventia G100/G200/G1000/G1200 prior to Firmware Version 1.2:
    XPU 24.29 / 2/14/06
    SMTP_Timeout_Bo

    Proventia G100/G200/G1000/G1200/G400/G2000 Firmware Version 1.2 or
    later:
    XPU 1.68 / 2/14/06
    SMTP_Timeout_Bo

    Proventia M:
    XPU 1.68 / 2/14/06
    SMTP_Timeout_Bo

    Server Sensor 7.0:
    Buffer Overflow Exploit Protection (BOEP)
    XPU 24.29 / 2/14/06
    SMTP_Timeout_Bo

    Proventia Server:
    Buffer Overflow Exploit Protection (BOEP)
    Version 1.0.914.300 / 2/14/06
    SMTP_Timeout_Bo

    Proventia Desktop:
    Buffer Overflow Exploit Protection (BOEP)
    Version 8.0.675.1200 / 2/14/06
    SMTP_Timeout_Bo

    RealSecure Desktop 7.0:
    Version EOZ / 2/14/06
    SMTP_Timeout_Bo

    BlackICE Agent for Server 3.6:
    Version EOZ / 2/14/06
    SMTP_Timeout_Bo

    BlackICE PC Protection 3.6:
    Version COZ / 2/14/06
    SMTP_Timeout_Bo

    BlackICE Server Protection 3.6:
    Version COZ / 2/14/06
    SMTP_Timeout_Bo

    These updates are now available from the ISS Download Center at:
    http://www.iss.net/download.

    Business Impact:

    Compromise of networks and machines using affected versions of Sendmail
    may lead to exposure of confidential information, loss of productivity,
    and further network compromise. An attacker does not need to entice any
    kind of user interaction to trigger this vulnerability.
    Successful exploitation would grant an attacker the privileges that the
    sendmail server daemon is running with.

    Affected Products:

    Sendmail 8.13.5 and earlier versions
    Sendmail 8.12.10 and earlier versions

    Note: SendmailX is NOT affected by this vulnerability.
    Additional versions may be affected, please contact your vendor for
    confirmation.

    Description:

    Sendmail is a popular SMTP server daemon used on mail gateways and
    forwarders to route and deliver email. It is primarily used in
    UNIX server environments, although versions exist for Windows as well.

    Sendmail contains a signal race vulnerability when receiving and
    processing mail data from remote clients. Sendmail utilizes a signal
    handler for dealing with timeouts that is not async-safe and interruption
    of certain functions by this signal handler will cause static data
    elements to be left in an inconsistent state. These data elements can be
    used to write data to invalid parts of the stack (or heap in some
    scenarios), thus taking control of the vulnerable process.

    In order to exploit this vulnerability, an attacker simply needs to be
    able to connect to sendmail SMTP server. This is a multi-shot exploit,
    meaning the attacker can attempt to exploit it an indefinite amount
    of times, since sendmail spawns a new process for each connected
    client.

    The ISS X-Press Updates detailed above have the ability to protect
    against attack attempts targeted at Sendmail.

    Additional Information:

    Sendmail Security Bulletin:
    http://www.sendmail.org/8.13.6.html

    Credit:

    This vulnerability was discovered and researched by Mark Dowd of the ISS X-Force.

    ______

    About Internet Security Systems, Inc.
    Internet Security Systems, Inc. (ISS) is the trusted security advisor
    to thousands of the world's leading businesses and governments,
    providing preemptive protection for networks, desktops and
    servers. An established leader in security since 1994, ISS'
    integrated security platform automatically protects against both
    known and unknown threats, keeping networks up and running and
    shielding customers from online attacks before they impact business
    assets. ISS products and services are based on the proactive
    security intelligence of its X-Force® research and development
    team -- the unequivocal world authority in vulnerability
    and threat research. ISS' product line is also complemented
    by comprehensive Managed Security Services. For more information,
    visit the Internet Security Systems Web site at www.iss.net
    or call 800-776-2362.

    Copyright (c) 2005 Internet Security Systems, Inc. All rights reserved
    worldwide.

    This document is not to be edited or altered in any way without the
    express written consent of Internet Security Systems, Inc. If you wish
    to reprint the whole or any part of this document, please email

    xforce@iss.net for permission. You may provide links to this document
    from your web site, and you may make copies of this document in
    accordance with the fair use doctrine of the U.S. copyright laws.

    Disclaimer: The information within this document may change without notice.
    Use of this information constitutes acceptance for use in an AS IS
    condition. There are NO warranties, implied or otherwise, with regard to
    this information or its use. Any use of this information is at the
    user's risk. In no event shall the author/distributor (Internet Security
    Systems X-Force) be held liable for any damages whatsoever arising out
    of or in connection with the use or spread of this information.

    X-Force PGP Key available on MIT's PGP key server and PGP.com's key
    server, as well as at http://www.iss.net/security_center/sensitive.php
    Please send suggestions, updates, and comments to: X-Force

    xforce@iss.net of Internet Security Systems, Inc.

    Revisions:

    Version 1.0 Mar 22, 2006 - Initial alert release
    Version 1.1 Mar 22, 2006 - Affected platforms updated

    --
    Robert M. Stockmann - RHCE
    Network Engineer - UNIX/Linux Specialist
    crashrecovery.org stock@stokkie.net
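
The signal race the ISS alert describes, reduced to its essentials as an added example. This is not the sendmail code path and not code from the alert: the static input record, the two-step update, the 10 ms deadline and the busy-wait that stands in for a blocked read() are all assumptions made for illustration. It contrasts the unsafe pattern (a SIGALRM handler that siglongjmps out of whatever was running, leaving static state half-updated) with the async-signal-safe pattern (the handler only sets a sig_atomic_t flag and the main code acts on it once every structure is consistent). The real bug went one step further, using the inconsistent state to write outside a stack buffer; this example stops at showing the inconsistency.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

/* Hypothetical static input record standing in for an MTA's shared buffers
 * (assumption: not sendmail's real data structures). The update is two
 * steps, copy the bytes then publish the length; in between, the record
 * is inconsistent. */
struct inbuf { char data[128]; size_t len; int updating; };
static struct inbuf g_buf;

static sigjmp_buf g_env;
static volatile sig_atomic_t g_timed_out;

/* UNSAFE: the timeout handler abandons the interrupted function by
 * unwinding the stack from inside the handler. Whatever static state that
 * function was half-way through updating stays half-updated. */
static void on_timeout_longjmp(int sig) { (void)sig; siglongjmp(g_env, 1); }

/* SAFE: the handler only records that the deadline passed (a sig_atomic_t
 * store is one of the few things a handler may do); the main code acts on
 * it at a point where every data structure is consistent. */
static void on_timeout_flag(int sig) { (void)sig; g_timed_out = 1; }

static void arm_timeout(void (*handler)(int), long usec) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGALRM, &sa, NULL);
    struct itimerval once = { {0, 0}, {0, usec} };   /* one-shot timer */
    setitimer(ITIMER_REAL, &once, NULL);
}

static void disarm_timeout(void) {
    struct itimerval off = { {0, 0}, {0, 0} };
    setitimer(ITIMER_REAL, &off, NULL);
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = SIG_IGN;          /* a late SIGALRM must not kill us */
    sigemptyset(&sa.sa_mask);
    sigaction(SIGALRM, &sa, NULL);
}

/* Busy-wait so the timer reliably fires inside the critical window. */
static void spin_ms(long ms) {
    struct timeval t0, t;
    gettimeofday(&t0, NULL);
    do {
        gettimeofday(&t, NULL);
    } while ((t.tv_sec - t0.tv_sec) * 1000L + (t.tv_usec - t0.tv_usec) / 1000L < ms);
}

/* Append a line to the static record. slow_ms stands in for the time a real
 * server spends blocked in read() or parsing between the two steps. */
static void append_line(const char *s, long slow_ms) {
    size_t n = strlen(s);
    g_buf.updating = 1;
    memcpy(g_buf.data + g_buf.len, s, n);   /* step 1: bytes copied        */
    spin_ms(slow_ms);                        /* ... the timeout lands here  */
    g_buf.len += n;                          /* step 2: length published    */
    g_buf.updating = 0;
}

/* Returns 1 if the longjmp-style handler left g_buf inconsistent. */
int unsafe_timeout_leaves_state_inconsistent(void) {
    memset(&g_buf, 0, sizeof g_buf);
    if (sigsetjmp(g_env, 1) == 0) {
        arm_timeout(on_timeout_longjmp, 10 * 1000);   /* 10 ms deadline   */
        append_line("MAIL FROM:<a@b>", 80);           /* needs about 80 ms */
    }
    disarm_timeout();
    /* bytes were copied, but len was never published and updating is stuck */
    return g_buf.updating == 1 && g_buf.len == 0;
}

/* Returns 1 if the flag-style handler noted the timeout and the record is
 * still consistent when the main code gets around to checking the flag. */
int safe_timeout_keeps_state_consistent(void) {
    memset(&g_buf, 0, sizeof g_buf);
    g_timed_out = 0;
    arm_timeout(on_timeout_flag, 10 * 1000);
    append_line("MAIL FROM:<a@b>", 80);
    disarm_timeout();
    /* here the main code would close the session; nothing is half-written */
    return g_timed_out == 1 && g_buf.updating == 0 && g_buf.len == 15;
}

int main(void) {
    printf("longjmp handler left state inconsistent: %d\n",
           unsafe_timeout_leaves_state_inconsistent());
    printf("flag handler kept state consistent:      %d\n",
           safe_timeout_keeps_state_consistent());
    return 0;
}
```

Build with `cc -o sigrace sigrace.c` and run it; the first line prints 1 and the second 1. The rule it illustrates: jumping out of a handler with longjmp is only safe if every function the signal can interrupt leaves no partial state behind, which is rarely provable in a daemon the size of sendmail, while a flag checked at a known-safe point needs no such proof. The "multi-shot" remark in the alert follows from the same structure: each SMTP connection gets its own child process, so a failed attempt only costs the attacker that one child and the timing can be retried until it lands in the window.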


  6. Re: remote root sendmail security hole

    Jem Berkes (06-03-22 19:32:05):

    > About as shocking as a BIND root hole


    By the way, what would you recommend as a BIND replacement?


    Regards.

  7. Re: remote root sendmail security hole

    Jem Berkes writes:

    >> "A serious sendmail security hole"
    >> http://lwn.net/Articles/176596/


    >LOL who uses sendmail with its security track record? People will never
    >learn.


    Be fair. Sendmail has had very few holes discovered in the past few years.

    >About as shocking as a BIND root hole



  8. Re: remote root sendmail security hole

    >> About as shocking as a BIND root hole
    >
    > By the way, what would you recommend as a BIND replacement?


    Luckily I never had to run a nameserver myself, but I would use djbdns over
    BIND any day
    http://cr.yp.to/djbdns.html

    I have used components of it (like the local cache) but never configured
    the whole thing. I doubt it is any more difficult to use than BIND, and
    it's definitely more resource efficient.

    --
    Jem Berkes
    Software design for Windows and Linux/Unix-like systems
    http://www.sysdesign.ca/

  9. Re: remote root sendmail security hole

    On Thu, 23 Mar 2006 05:35:01 +0000, Unruh wrote:
    > Jem Berkes writes:
    >
    >>> "A serious sendmail security hole"
    >>> http://lwn.net/Articles/176596/

    >
    >>LOL who uses sendmail with its security track record? People will never
    >>learn.

    >
    > Be fair. Sendmail has had very few holes discovered in the past few years.


    Indeed, it's a remote root whenever there is one, however.

    >>About as shocking as a BIND root hole


    # create an unprivileged account for the daemon: no shell, no login
    groupadd named
    useradd -d /var/named -g named -s /bin/false named

    # let that account read its config and rndc key, but not write them
    chgrp named /etc/named.conf /etc/rndc.*
    chmod g+r /etc/named.conf /etc/rndc.*
    chown -R named:named /var/named /var/run/named

    # start named as that user; it binds port 53 as root, then switches uid
    /usr/bin/named -u named

    --
    -Menno.


  10. Re: remote root sendmail security hole

    "Menno Duursma" wrote in message
    news:pan.2006.03.23.08.53.43.298218@desktop.lan

    >> Be fair. Sendmail has had very few holes discovered in the past few
    >> years.

    >
    > Indeed, it's a remote root whenever there is one, however.


    sendmail has not been suid root by default for some time now. The pre-8.13.6
    vulnerability allows exploits only at the privilege level of the sendmail
    process user.
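
The check a practitioner would run across a fleet after reading the affected-version lists in posts 2 and 5 and the privilege point in post 10, as an added example (not from the thread and not Sendmail's own tooling). It parses the `Version X.Y.Z` line that `sendmail -d0.1 -bv root < /dev/null` prints, decides whether the version falls in the affected range, reads the `RunAsUser` option out of a sendmail.cf, and reports the binary's setuid/setgid bits. The command output and the two sendmail.cf fragments below are constructed; the `Version` line shape and the `O RunAsUser=` option syntax are real, the user name `mailrelay` and the rest of the text are illustrative. Two facts the example relies on: since 8.12 the binary ships setgid (smmsp) rather than setuid root, but the listening daemon started by init still runs as root unless `RunAsUser` is set, so it is that option, not the mode bits, that bounds what a remote exploit of the daemon gets.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Constructed sample of what `sendmail -d0.1 -bv root < /dev/null` prints on
 * an unpatched 8.13.5 build. Only the "Version X.Y.Z" line is relied on. */
static const char SAMPLE_OUTPUT[] =
    "Version 8.13.5\n"
    " Compiled with: DNSMAP LOG MATCHGECOS MILTER NAMED_BIND NETINET NETUNIX\n"
    "                SCANF USERDB XDEBUG\n";

/* Constructed sendmail.cf fragments: a stock file typically leaves RunAsUser
 * commented out (the daemon stays root); the hardened one sets it. The
 * account name "mailrelay" is hypothetical. */
static const char SAMPLE_CF_DEFAULT[] =
    "# run as this user when started by root\n"
    "#O RunAsUser=sendmail\n"
    "O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA\n";
static const char SAMPLE_CF_HARDENED[] =
    "O RunAsUser=mailrelay\n"
    "O DaemonPortOptions=Port=smtp, Name=MTA\n";

/* Extract major.minor.patch from the "Version " line. Returns 0 on success. */
int parse_sendmail_version(const char *out, int *maj, int *min, int *pat) {
    const char *p = strstr(out, "Version ");
    if (p == NULL) return -1;
    return sscanf(p + strlen("Version "), "%d.%d.%d", maj, min, pat) == 3 ? 0 : -1;
}

/* Affected range per the Sendmail advisory and the ISS alert: 8.13.5 and
 * earlier, which takes in the whole 8.12 line (8.12 got no upstream fix).
 * The upstream fix is 8.13.6. Returns 1 if affected, 0 if fixed upstream. */
int version_affected(int maj, int min, int pat) {
    if (maj != 8) return maj < 8;
    if (min != 13) return min < 13;
    return pat <= 5;
}

/* Wrapper over raw command output: 1 affected, 0 fixed, -1 no version line. */
int output_affected(const char *out) {
    int maj, min, pat;
    if (parse_sendmail_version(out, &maj, &min, &pat) != 0) return -1;
    return version_affected(maj, min, pat);
}

/* Returns the user from an active "O RunAsUser=<user>" line, or NULL when
 * the option is absent or commented out (daemon runs as root). Uses a
 * static buffer; fine for a one-shot audit tool, not thread-safe. */
const char *run_as_user(const char *cf) {
    static char user[64];
    static const char key[] = "O RunAsUser=";
    const size_t klen = sizeof key - 1;
    for (const char *line = cf; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > klen && strncmp(line, key, klen) == 0) {
            size_t n = len - klen;
            if (n >= sizeof user) n = sizeof user - 1;
            memcpy(user, line + klen, n);
            user[n] = '\0';
            return user;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return NULL;
}

/* Mode bits of the binary: 2 = setuid root (the pre-8.12 layout, a local
 * hole is full root), 1 = setgid only (8.12+, normally smmsp), 0 = neither,
 * -1 = path not found. Says nothing about the uid of the running daemon. */
int binary_privilege(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    if ((st.st_mode & S_ISUID) && st.st_uid == 0) return 2;
    if (st.st_mode & S_ISGID) return 1;
    return 0;
}

int main(void) {
    const char *u = run_as_user(SAMPLE_CF_HARDENED);
    printf("sample build affected: %d\n", output_affected(SAMPLE_OUTPUT));
    printf("hardened cf RunAsUser: %s\n", u ? u : "(unset: daemon is root)");
    /* /usr/sbin/sendmail is the usual install path; -1 on a box without it */
    printf("/usr/sbin/sendmail mode class: %d\n", binary_privilege("/usr/sbin/sendmail"));
    return 0;
}
```

One caveat for the version check: the distributor updates listed in post 1 backport the fix without bumping the version string, so a package that still reports 8.13.5 or 8.12.x can be patched; on such systems confirm through the package changelog rather than the banner. `RunAsUser` is the least-privilege knob for the daemon, but a daemon that cannot become root also cannot switch to local users for mailbox delivery, which is why it is normally set on relay-only gateways of the kind the Sendmail advisory describes in the DMZ.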



  11. Re: remote root sendmail security hole


    "Jem Berkes" wrote in message
    news:Xns978ED0EA635D7jbuserspc9org@216.196.97.131...
    > > "A serious sendmail security hole"
    > > http://lwn.net/Articles/176596/

    >
    > LOL who uses sendmail with its security track record? People will never
    > learn.
    >
    > About as shocking as a BIND root hole
    >
    > --
    > Jem Berkes
    > Software design for Windows and Linux/Unix-like systems
    > http://www.sysdesign.ca/



    Good luck coding an exploit for it


