
sendmail vuln advisories (CVE-2006-0058)



the official advisory from http://www.sendmail.com/company/advisory/
===
Sendmail MTA Security Vulnerability

March 22, 2006

I. Overview

Sendmail, Inc. has recently become aware of a security vulnerability in certain versions of sendmail Mail Transfer Agent (MTA) and UNIX and Linux products that contain it. Sendmail was notified by security researchers at ISS that, under some specific timing conditions, this vulnerability may permit a specifically crafted attack to take over the sendmail MTA process, allowing remote attackers to execute commands and run arbitrary programs on the system running the MTA, affecting email delivery, or tampering with other programs and data on this system. This vulnerability is being tracked as CVE-2006-0058 and can be found at http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058.

Sendmail is not aware of any public exploit code for this vulnerability. This connection-oriented vulnerability does not occur in the normal course of sending and receiving email. It is only triggered when specific conditions are created through SMTP connection layer commands.

Sendmail has confirmed the technical issue exposing this vulnerability and is providing patches that resolve it in our open source and commercial products. Sendmail has also alerted CERT® Coordination Center (CERT/CC), who has notified US-CERT. In close coordination with CERT/CC and Internet Security Systems (ISS), Sendmail has taken the following actions:

1. Implemented and certified software patches for open source sendmail MTA versions 8.12 and 8.13
2. Implemented and certified software patches/upgrades for impacted commercial Sendmail products
3. Worked with ISS to validate the developed patches and assure their effectiveness
4. Collaborated with CERT/CC to notify and provide other vendors who use the sendmail MTA with the required source code patches

II. Impact

Within certain operating system architectures, a remote attacker may be able to force certain timing conditions that would allow execution of arbitrary code or commands on a vulnerable system. Systems running an MTA are typically deployed in the DMZ as a gateway for delivering inbound and outbound email, though they may also be used for internal email delivery between systems or applications. In the case of a compromised system, an attack could lead to exposure, deletion, or modification of programs and data on the affected system, interference with or interception of email delivery, and potentially unauthorized access to other systems in the network. Systems running any of the following software are considered vulnerable:

Open Source

1. Sendmail 8.13.5 and earlier versions

Sendmail Commercial Products

1. Sendmail Switch, Managed MTA, and Multi-Switch v 3.1.7 and earlier for Solaris, Linux, AIX, and HP-UX
2. Sendmail Sentrion 1.1 Appliance
3. Sendmail Advanced Message Server and Message Store v 2.2 and earlier for Solaris, Linux, AIX, and HP-UX
4. Intelligent Quarantine 3.0 for Solaris and Linux

3rd Party Products Containing the MTA

Sendmail working with CERT/CC has notified affected vendors and provided them with source code patches to sendmail MTA 8.12 and 8.13 for use in their affected products. CERT/CC will publish specific vendor information on the availability of customer patches.

III. Mitigation and Solution

Mitigation - Enable the RunAsUser option

The impact of this vulnerability can be reduced by setting the RunAsUser option in the configuration file. Details are available in Sendmail's Knowledgebase article S10621 at https://www.sendmail.com/cfusion/CFIDE/kb_doc.cfm?kb_id=S10621 or in this PDF document http://www.sendmail.com/company/advisory/runasuser.pdf. It is a good security practice to limit the privileges of applications and services whenever possible. Setting the RunAsUser option will limit privileges available to a remote attacker to those of a non-root user.

Solution - Upgrade or Apply a Patch

On March 22, 2006, Sendmail has released to all customers patches/upgrades to the current version of the affected products. Customers with versions of the product that are not supported will be provided with an upgrade to the most current version of the software and the related patch. Sendmail is also notifying customers without support of a special opportunity to renew their support agreement. The following table summarizes recommended actions by product version and platform.

<see original advisory for table>

Customers with current support agreements can review Knowledgebase entries posted for all of the above products at http://www.sendmail.com/customerlogin/. With any additional questions, please contact Sendmail Technical Support by logging a case online. Customers without login to Knowledgebase can review this information at http://www.sendmail.com/support/.

Customers without current support agreements are advised of the following special support opportunities:

1. For customers who re-instate lapsed support agreements by April 28th, 2006 by purchasing current product version and one year support, Sendmail will waive the re-instatement fee normally charged for lapsed time.

Customers re-instating their support are entitled to future product upgrades, including Switch/Multiswitch 3.2 (planned for availability in April 2006) with the following enhancements:

1. Integration of sendmail MTA 8.13 with support for a number of new threat protection and management features
2. Flow Control reporting and monitoring integrated in Switch UI for individual systems or the entire cluster
3. Asynchronous deployment and monitoring across all cluster members, enabling these activities to run in parallel
4. DKIM signing of outgoing email and DK/DKIM validation of incoming email, enabling classification of validly signed, forged, or unsigned messages to reduce the risk of phishing and spoofing
5. Customers may request a limited technical support option for assistance with upgrading to Switch 3.1 product version. This email-only support option is available free of charge until April 28th, 2006 and for a one time charge of $949.00 thereafter.

To take advantage of these limited time support opportunities, please contact Sendmail by phone (see numbers below) or by email to customerservice@xxxxxxxxxxxx to request one of these options.

Phone contact information:
<see original advisory for table> 

* If this is your first time accessing Sendmail's support system since February 6th, 2006, you will need to set up a new password. Please follow these steps:

1. Visit https://www.sendmail.com/cfusion/CFIDE/nupw.cfm
2. Enter your email address and select the "Submit" button.
3. An email message containing a temporary password will be sent to your email address. Follow the instructions in that message to create a permanent password.


IV. FAQ

How was this issue discovered?

Sendmail was recently notified by security researchers at ISS that they discovered certain timing conditions that may permit a specifically crafted attack to take over the sendmail MTA process.

How difficult would it be for someone to exploit this theoretical vulnerability?

This requires creating very specific timing conditions using SMTP connection layer commands and delivering specific email payload. Someone with specific network programming skills would be required to create a successful exploit.
Has anyone been impacted by this?

No, this is a theoretical vulnerability that does not occur during the normal course of sending and receiving email. Sendmail is not aware of any public exploits for this issue on the Internet.
What should a user look for to know if they have been impacted?

There are no known exploits with specific trails that a user could look for at this time.
What could happen if someone does exploit this?

In theory, the attacker may gain the privileges of the sendmail process running on a system and run arbitrary commands and code, subject to those privileges. This could allow someone to interfere with email delivery, tamper with other programs and data on the systems, or try to gain access to other systems on the same network.
Are sendmail MTAs behind my firewall vulnerable?

Most vulnerable MTAs are the ones that are directly accessible to the outside world. These are gateway MTAs that are directly connected to the Internet or are behind a firewall that allows port 25 traffic to pass through. These servers should be patched first. An MTA deployed on an internal network is not vulnerable to an outside attack, but could be affected by an attack launched from the internal network.
Is this a recently introduced problem, or has it been present for some time?

This problem has been present for some time, and it has only recently been discovered through some very specific conditions created in the lab.
Has Sendmail had similar security issues in the past?

Previous to this issue Sendmail had a few issues raised in 2003, which were quickly addressed. Although this type of occurrence is not uncommon in the industry, Sendmail has established procedures to quickly and pro-actively respond to security issues. ISS has complimented Sendmail for our quick and comprehensive response, welcoming our efforts to not only resolve the reported issue, but to deploy additional resources to review and update any related code.
What are you doing to notify affected users?

Sendmail has worked with CERT/CC to manage the communications process for affected vendors, whose products may be based on the sendmail MTA software. We are also notifying the open source community and our commercial customers about this issue and immediate availability of patches and upgrades to correct it.
What should users do until they can install the patches?

Users of sendmail MTA should ensure that they use the RunAsUser configuration option in their environment to reduce the scope of privileges available to the sendmail process. While this doesn't close the vulnerability, it reduces the impact of any potential exploitation.
What should the users do to request the patches?

Sendmail is notifying our commercial customers about the patches for specific product releases and platforms and providing the information on how to download and obtain these patches or upgrades. Open source users can get patches from ftp://ftp.sendmail.org/pub/sendmail/ and should also subscribe to sendmail-announce mailing list for any other updates by sending mail to sendmail-announce-request@xxxxxxxxxxxxxxxxxxx
What about 3rd party vendors using the sendmail MTA?

Sendmail has worked with CERT/CC to notify the vendors and provide source code patches. Please monitor CERT/CC vulnerabilities page at http://www.cert.org/nav/index_red.html for updates on patch availability from other vendors.
What versions of the Open Source sendmail MTA are affected?

Versions of the MTA prior to 8.13.5 are affected by this issue. Open source patches are available for 8.12 and 8.13 versions as 8.12.11.20060308 and 8.13.6. The Sendmail Consortium strongly suggests that users upgrade to 8.13.6. Please refer to http://www.sendmail.org/8.13.6.html for more details.
How important is this issue, how quickly should I plan to upgrade?

Sendmail's threat assessment of this issue is Risk: Medium; Impact: High. Sendmail recommends that customers plan to upgrade their externally accessible MTAs as part of their regularly scheduled maintenance, followed by upgrade to any internal MTAs at a convenient time.
Is this issue related to the recent OpenSSL security advisory?

No, this vulnerability is not related to OpenSSL advisory CAN-2005-2969 (Potential SSL 2.0 Rollback). However, the Switch 3.1.8 cumulative patch also provides an upgrade to OpenSSL that addresses the issue documented in that advisory.
What are all the new changes included in the 3.1.8 patch?

This patch is cumulative to Switch 3.1.7 patch, and includes the following:

1. Changes to the sendmail MTA binary to resolve this vulnerability
2. A few additional MTA fixes to resolve customer issues
3. Upgrade of 3rd party packages, including:
   1. OpenSSL is upgraded to version 0.9.6m and includes a fix for CAN-2005-2969 (Potential SSL 2.0 Rollback).
   2. Apache is upgraded to version 1.3.34.
   3. Mod SSL upgraded to 2.8.25-1.3.34.

How can I verify this is a legitimate security advisory?

Customers can contact Sendmail Technical Support as listed on http://www.sendmail.com/support/contact/ to verify the authenticity of this advisory. The email notification sent to Sendmail customers is signed with PGP, using Sendmail, Inc. Security Officer PGP key, available at: http://www.sendmail.com/security/security-officer.asc. In addition, a PGP signed copy is available for download at: http://www.sendmail.com/company/advisory/index.shtml, signed with the same key.
===

the advisory from the discoverers from http://xforce.iss.net/xforce/alerts/id/216
===
Internet Security Systems Protection Advisory
March 22, 2006

Sendmail Remote Signal Handling Vulnerability

Summary:

ISS has shipped protection for a flaw X-Force has discovered in
the Sendmail server software. By sending malicious data at certain
time intervals, it is possible for a remote attacker to corrupt arbitrary
stack memory and gain control of the affected host.

ISS Protection Strategy:

ISS has provided preemptive protection for these vulnerabilities. We
recommend that all customers apply applicable ISS product updates.

Network Sensor 7.0 and Proventia A:
XPU 24.29 / 2/14/06
SMTP_Timeout_Bo

Proventia G100/G200/G1000/G1200 prior to Firmware Version 1.2:
XPU 24.29 / 2/14/06
SMTP_Timeout_Bo

Proventia G100/G200/G1000/G1200/G400/G2000 Firmware Version 1.2 or
later:
XPU 1.68 / 2/14/06
SMTP_Timeout_Bo

Proventia M:
XPU 1.68 / 2/14/06
SMTP_Timeout_Bo

Server Sensor 7.0:
Buffer Overflow Exploit Protection (BOEP)
XPU 24.29 / 2/14/06
SMTP_Timeout_Bo

Proventia Server:
Buffer Overflow Exploit Protection (BOEP)
Version 1.0.914.300 / 2/14/06
SMTP_Timeout_Bo

Proventia Desktop:
Buffer Overflow Exploit Protection (BOEP)
Version 8.0.675.1200 / 2/14/06
SMTP_Timeout_Bo

RealSecure Desktop 7.0:
Version EOZ / 2/14/06
SMTP_Timeout_Bo

BlackICE Agent for Server 3.6:
Version EOZ / 2/14/06
SMTP_Timeout_Bo

BlackICE PC Protection 3.6:
Version COZ / 2/14/06
SMTP_Timeout_Bo

BlackICE Server Protection 3.6:
Version COZ / 2/14/06
SMTP_Timeout_Bo

These updates are now available from the ISS Download Center at:
http://www.iss.net/download.

Business Impact:

Compromise of networks and machines using affected versions of Sendmail
may lead to exposure of confidential information, loss of productivity,
and further network compromise. An attacker does not need to entice any
kind of user interaction to trigger this vulnerability.
Successful exploitation would grant an attacker the privileges that the
sendmail server daemon is running with.

Affected Products:

Sendmail 8.13.X - all versions

Note: SendmailX is NOT affected by this vulnerability.

Description:

Sendmail is a popular SMTP server daemon used on mail gateways and
forwarders to route and deliver email. It is primarily used in
UNIX server environments, although versions exist for Windows as well.

Sendmail contains a signal race vulnerability when receiving and
processing mail data from remote clients. Sendmail utilizes a signal
handler for dealing with timeouts that is not async-safe and interruption
of certain functions by this signal handler will cause static data
elements to be left in an inconsistent state. These data elements can be
used to write data to invalid parts of the stack (or heap in some
scenarios), thus taking control of the vulnerable process.

In order to exploit this vulnerability, an attacker simply needs to be
able to connect to sendmail SMTP server. This is a multi-shot exploit,
meaning the attacker can attempt to exploit it an indefinite amount
of times, since sendmail spawns a new process for each connected
client.

The ISS X-Press Updates detailed above have the ability to protect
against attack attempts targeted at Sendmail.

Additional Information:

Sendmail Security Bulletin:
http://www.sendmail.org/8.13.6.html

Credit:

This vulnerability was discovered and researched by Mark Dowd of the ISS X-Force.

______

About Internet Security Systems, Inc.
Internet Security Systems, Inc. (ISS) is the trusted security advisor
to thousands of the world's leading businesses and governments,
providing preemptive protection for networks, desktops and
servers. An established leader in security since 1994, ISS'
integrated security platform automatically protects against both
known and unknown threats, keeping networks up and running and
shielding customers from online attacks before they impact business
assets. ISS products and services are based on the proactive
security intelligence of its X-Force® research and development
team, the unequivocal world authority in vulnerability
and threat research. ISS' product line is also complemented
by comprehensive Managed Security Services. For more information,
visit the Internet Security Systems Web site at www.iss.net
or call 800-776-2362.
===
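The ISS description above attributes the flaw to a timeout signal handler that is not async-signal-safe and leaves static data in an inconsistent state when it interrupts other code. The following C program is an added example, not code from sendmail or ISS and not a reconstruction of the sendmail patch; it shows the defensive pattern such a handler should follow: the handler only sets a volatile sig_atomic_t flag, the interrupted read() returns EINTR because SA_RESTART is not set, and the ordinary code path decides what to do next. All function names and the pipe-based self-checks are constructed for this example.

```c
/* Added example (not sendmail's or ISS's code): an async-signal-safe
   timeout pattern. The handler touches nothing but a sig_atomic_t flag;
   no static buffers, no heap, no stdio, so there is no state for the
   interrupted code to find half-updated. All names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define READ_OK        0
#define READ_TIMEOUT  -1
#define READ_ERROR    -2

/* The only state the handler may write: async-signal-safe by the C standard. */
static volatile sig_atomic_t timed_out = 0;

static void on_alarm(int signo)
{
    (void)signo;
    timed_out = 1;          /* set a flag and return; do all real work outside */
}

/* Install SIGALRM without SA_RESTART so a blocked read() returns -1/EINTR
   instead of being silently restarted after the handler runs. */
static int install_alarm_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;        /* deliberately not SA_RESTART */
    return sigaction(SIGALRM, &sa, NULL);
}

/* Read up to n bytes from fd, giving up after secs seconds.
   Returns READ_OK (byte count stored in *got), READ_TIMEOUT or READ_ERROR. */
int read_with_timeout(int fd, char *buf, size_t n, unsigned secs, ssize_t *got)
{
    if (install_alarm_handler() != 0)
        return READ_ERROR;
    timed_out = 0;
    alarm(secs);
    for (;;) {
        ssize_t r = read(fd, buf, n);
        if (r >= 0) {
            alarm(0);           /* cancel the pending timeout */
            *got = r;
            return READ_OK;
        }
        if (errno == EINTR) {
            if (timed_out) {    /* the flag is inspected here, not in the handler */
                alarm(0);
                return READ_TIMEOUT;
            }
            continue;           /* interrupted by some other signal: retry */
        }
        alarm(0);
        return READ_ERROR;
    }
}

/* Constructed check 1: nothing is ever written to the pipe, so the read
   must block until the 1-second alarm fires and report READ_TIMEOUT. */
int demo_empty_pipe(void)
{
    int fds[2];
    char buf[64];
    ssize_t got = 0;
    if (pipe(fds) != 0)
        return READ_ERROR;
    int rc = read_with_timeout(fds[0], buf, sizeof buf, 1, &got);
    close(fds[0]);
    close(fds[1]);
    return rc;
}

/* Constructed check 2: an SMTP-like line is already waiting in the pipe,
   so the read completes at once and the alarm is cancelled. Returns the
   number of bytes read (14 for the sample line) or -1 on failure. */
ssize_t demo_pipe_with_data(void)
{
    static const char line[] = "EHLO example\r\n";   /* constructed sample input */
    int fds[2];
    char buf[64];
    ssize_t got = 0;
    if (pipe(fds) != 0)
        return -1;
    if (write(fds[1], line, sizeof line - 1) != (ssize_t)(sizeof line - 1))
        return -1;
    int rc = read_with_timeout(fds[0], buf, sizeof buf, 1, &got);
    close(fds[0]);
    close(fds[1]);
    return rc == READ_OK ? got : -1;
}

int main(void)
{
    printf("empty pipe -> %d (expect %d)\n", demo_empty_pipe(), READ_TIMEOUT);
    printf("pipe with data -> %zd bytes (expect 14)\n", demo_pipe_with_data());
    return 0;
}
```

The point of the pattern is that every byte of shared state is updated by the normal control flow, which can be reasoned about sequentially; the handler's single store to a sig_atomic_t is the one thing POSIX guarantees is safe to do from signal context. A handler that instead manipulates the same static buffers or allocator structures the interrupted code was using, or that longjmps out of it, is exactly the class of defect the advisory describes.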