CERT: Sendmail Distribution Contained Trojan Horse
Scoria writes "According to a CERT advisory published this afternoon, the public distribution of Sendmail 8.12.6 contained a trojan horse from September 28 to October 6. For more detailed information, please consult advisory CA-2002-28." This sounds very much like what happened to OpenSSH.
...and that's why you should actually use those MD5 checksums, instead of unpacking and installing without thinking.
everyone says just checksums, but how are these people changing the file? If they can change the tarball on the server then why not change the page to have their md5?
According to the advisory, it was only the FTP site that was compromised (the HTTP site was fine).
So, as for those that are saying it's an Open Source problem, this is just wrong.
There's been a lot more closed software distributed with viruses/Trojan horses. The truth is, this is bound to happen if the public archives are on an unsecured server... I even seem to remember pressed CDs being distributed with trojans.
So, what are they doing to keep this from happening again?
The difference, though, is that one can download a public GPG key from a site (like sendmail.org or something) and continue using it to verify software over several versions. So, for example, you could use a 2002 public GPG key to verify software in 2004 and be reasonably sure the key hasn't been tampered with for two years straight without someone noticing. With an md5sum, the checksum is only good for that version of the software and can be forged much more easily in the short term.
That said, I think md5sums are better for ensuring integrity, GPG signatures are better for ensuring security, and both should be as automated as possible (like with the help of RPM and friends).
It was like that when I got here.
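As an added illustration of the checksum-versus-signature argument in the comment above (example code written for this page, not anything from sendmail.org, the CERT advisory, or any sendmail tooling): an intruder who controls the FTP server can regenerate the .md5 file next to a replaced tarball, but cannot produce a fresh signature without the maintainer's private key, so a signature checked against a key pinned earlier still fails. The release, the intruder and the pinned key are all constructed; ed25519 stands in for the PGP/GPG key and the tarball contents are placeholder strings, not the real archive.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Release is what a mirror serves: the tarball, the .md5 file published next
// to it, and a detached signature over the tarball. Hypothetical layout.
type Release struct {
	Tarball   []byte
	MD5Text   string // contents of the published .md5 file, lowercase hex
	Signature []byte // detached signature over Tarball
}

// MD5Hex computes the hex MD5 of data, as `md5sum` would print it.
func MD5Hex(data []byte) string {
	sum := md5.Sum(data)
	return hex.EncodeToString(sum[:])
}

// VerifyMD5 is the "compare against the md5 on the download page" step. It only
// proves the tarball matches whatever checksum the server currently publishes.
func VerifyMD5(r Release) bool {
	return MD5Hex(r.Tarball) == r.MD5Text
}

// VerifySignature checks the detached signature against a key the verifier
// obtained earlier (pinned), never against anything served with this download.
func VerifySignature(pinned ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pinned, r.Tarball, r.Signature)
}

// Publish is what the legitimate maintainer does: sign the tarball and put its
// md5 beside it.
func Publish(priv ed25519.PrivateKey, tarball []byte) Release {
	return Release{
		Tarball:   tarball,
		MD5Text:   MD5Hex(tarball),
		Signature: ed25519.Sign(priv, tarball),
	}
}

// Compromise models an intruder who owns the FTP server but not the signing
// key: swap the tarball, regenerate the .md5 file, and leave the old signature
// in place because a new one cannot be produced.
func Compromise(r Release, trojaned []byte) Release {
	return Release{
		Tarball:   trojaned,
		MD5Text:   MD5Hex(trojaned),
		Signature: r.Signature,
	}
}

// Outcome holds the verdict of each check for one download.
type Outcome struct {
	MD5OK, SigOK bool
}

// Scenario runs both checks against the clean and the trojaned download.
func Scenario() (Outcome, Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, Outcome{}, err
	}
	// Constructed stand-ins for the archives; not the real sendmail tarball.
	good := []byte("sendmail.8.12.6.tar.gz: clean contents (constructed)")
	bad := []byte("sendmail.8.12.6.tar.gz: contents with a modified Build script (constructed)")

	rel := Publish(priv, good)
	clean := Outcome{VerifyMD5(rel), VerifySignature(pub, rel)}
	evil := Compromise(rel, bad)
	trojaned := Outcome{VerifyMD5(evil), VerifySignature(pub, evil)}
	return clean, trojaned, nil
}

func main() {
	clean, trojaned, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("clean download:    md5 ok=%v  signature ok=%v\n", clean.MD5OK, clean.SigOK)
	fmt.Printf("trojaned download: md5 ok=%v  signature ok=%v\n", trojaned.MD5OK, trojaned.SigOK)
}
```

The md5 check passes for both downloads because the intruder rewrote the checksum file along with the tarball; only the check against a key obtained before the compromise distinguishes them. The same holds for an md5 value mailed out or posted on an independent site: what matters is that the reference was not served from the compromised host.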
While sendmail is much more secure now, in the days of yore it made IIS look like Fort Knox.
Let's see, a Trojan Horse is basically defined as an undocumented chunk of code hiding inside a program, which does something that you don't know about or understand.
Sendmail is such a complex beast that, no matter how much you personally know about it, there are always things in there that you don't know about or understand.
So it has always been full of Trojan Horses.
This is the fundamental thing that's wrong with building a huge program that tries to do everything possible. Pretty much all the other mail tools are better than sendmail in this respect, because they only try to be a mail tool.
Sendmail, OTOH, is an emulator for a rather complex sort of machine language. Some time back, someone demonstrated that it was possible to emulate a Turing machine with a sendmail.cf file. Impressive as this may be technically, it's way overkill for the task, and it shouldn't be any surprise to anyone when problems turn up in sendmail and aren't discovered for a while.
It's guaranteed that there are others lurking inside that monster.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Hmmm. Except this looks a bit uglier.
Of course, the headline for that was very different. A bit more, let's say, sensationalistic. Yeah, that's the word I was looking for.
An MD5 checksum is COMPLETELY IRRELEVANT. If the primary (e.g. trusted) provider initiates a build with a trojan included, MD5 checksums mean nothing, folks... checksums are used to validate downloads, not the "content" of the download...
How 'bout a quick tutorial from someone who knows pgp or gpg or MD5 on how to use it to figure out if my recent install is trojaned?
Also, the CERT advisory doesn't give any fixes, it just gives the signatures. It doesn't seem like installing a good version would eliminate the trojan.
It seems like every time a new trojan/worm/misc virus hits the scene, a thousand posts go up accusing that software of being horribly insecure and advocating some other software of the same type as being better.
It's quite simple... software can be infected by viruses, open source, closed source, any operating system or language. Just because today it's Sendmail that took a hit doesn't mean that it couldn't be qmail tomorrow.
If you got a virus, don't blame it on the software you downloaded, blame it on yourself for not validating it first.
By reading this comment, you immediately waive any and all rights regarding it.
(sorry, I have to get this out of my system)
...
:-)
READ THE ARTICLE AND REALIZE WHAT IS GOING ON!
It says that:
The FTP-server of sendmail.org was compromised.
It doesn't say that:
- somebody commited code to the CVS server.
- nobody reads the commitlog of the CVS server.
It says that:
The sendmail-distribution was trojaned.
It doesn't say that:
- sendmail itself was trojaned
- there are trojans inside sendmail
- qmail/postfix is better because it isn't trojaned.
- exchange is better because the source is closed. It's the distribution which is corrupted, not the software.
It says that:
The correct MD5-checksum is
It doesn't say that:
- with PGP signing it wouldn't be prevented. Security is a process, you need to follow the rules or you are not secure. You should check all checksums/signatures you have, preferably from independent resources (e.g. one from sendmail.com and one from your unix-distribution).
Next time, please read the article and realize what's going on before you post (apologies to the people who actually did).
Edwin (yes, the guy from the OpenSSH trojan)
Right up until there I was with you. The Post Office? That's the last place I'd want with my PGP/GPG key. Because of course, as soon as a service like this was offered people would jump at the chance to use it. It could quite quickly and easily replace Passport and Project Liberty, etc. But don't you think the government would say to themselves, oh look... we let people associate public keys with real people reliably. Let's make sure it's really reliable, and require them to give us their private key as well when they sign up. I mean they have been looking for a way to get escrow keys for a looong time, this would give them the perfect excuse.
Now who would I trust to provide this service? That's a good question. You can't really trust the government because it's yet another way for them to track you. You wouldn't want to entrust it to a bank, who knows what they would do with that information. But there needs to be a place that can verify your identity and associate it with a public key. Conceivably you could see firms whose express purpose is to provide this service. Of course this means confusion and possible incompatibility when the person's key you want to verify and your key are under two different verification companies.
The only possible solution I can see is the classical web of trust. But again that has its own problems.
What we really need is some kind of incorruptible agency for handling this sort of thing. Of course we all know what the chance of something like that showing up is...
Why not fork?
I think sendmail.org should up the version number at once and kill the .6 version once and for all. That would allow many people to look at what they have and say "yep, it's .6, throw it out", but they want to keep the old version number so people get to play games. There are many reasons why they won't have the original tarball, and they have a very simple way to ensure people don't have the trojaned version.
I download the tarball and MD5s. Then I want to verify the signature. For that I need a public key or something like that of the developer that signed the tarball. Since I never met him, I must resort to downloading that too from an internet place, probably the same one from which I downloaded the source.
Now, what prevents whoever cracked the server and placed the trojaned tarballs on it from also changing the public key, so that it matches the counterfeit signed tarball?
At a minimum, one should go to some forum/ML and check the key with a dozen or so other users, choosing the ones that got the key in different places and times.
Or am I missing something ?
Ciao
----
FB
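An added example (not from the original thread, and not sendmail's or GnuPG's code) of the key-bootstrap problem FB raises and the independent-source check Edwin recommends: when the public key is fetched from the same compromised mirror as the tarball, a passing signature check proves nothing, so the key's fingerprint is compared across sources obtained at different places and times (here: the mirror, the OS vendor's keyring package, and the key that verified last year's release) before any signature is trusted. The source names, the SHA-256-of-key fingerprint format, and the use of ed25519 in place of PGP are assumptions of the example; the intruder's key, the maintainer's key and the tarball are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Fingerprint gives a short, comparable identity for a public key. Here it is
// the hex SHA-256 of the raw key bytes (assumption); GnuPG prints its own
// fingerprint format, but the comparison logic below is the same.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// CrossCheck takes the fingerprint each independently obtained source reports
// for "the sendmail signing key". It returns the most-reported value, the
// sources that disagree with it, and ok only when every source agrees. Fewer
// than two sources is never ok: one source is exactly the situation the
// thread warns about.
func CrossCheck(reported map[string]string) (agreed string, dissenters []string, ok bool) {
	if len(reported) < 2 {
		return "", nil, false
	}
	counts := map[string]int{}
	for _, fp := range reported {
		counts[fp]++
	}
	for fp, n := range counts {
		// Break ties on the string so the result does not depend on map order.
		if n > counts[agreed] || (n == counts[agreed] && fp < agreed) {
			agreed = fp
		}
	}
	for src, fp := range reported {
		if fp != agreed {
			dissenters = append(dissenters, src)
		}
	}
	sort.Strings(dissenters)
	return agreed, dissenters, len(dissenters) == 0
}

// KeyVerdict is the result of verifying one download under two policies.
type KeyVerdict struct {
	MirrorKeyOK  bool     // signature checked with the key served beside the tarball
	SourcesAgree bool     // did the independent sources agree on the fingerprint?
	Dissenters   []string // sources that reported a different fingerprint
	AgreedKeyOK  bool     // signature checked with the cross-checked key
}

// RunKeyScenario models a mirror on which tarball, signature AND public key
// have all been replaced by an intruder using a key of their own.
func RunKeyScenario() (KeyVerdict, error) {
	var v KeyVerdict
	maintainerPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return v, err
	}
	intruderPub, intruderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return v, err
	}
	// Constructed placeholder for the replaced archive; not the real tarball.
	tarball := []byte("sendmail.8.12.6.tar.gz with a modified Build script (constructed)")
	sig := ed25519.Sign(intruderPriv, tarball)

	// What each source says the signing key's fingerprint is. Only the mirror
	// is under the intruder's control.
	reported := map[string]string{
		"ftp mirror (same server as the tarball)": Fingerprint(intruderPub),
		"OS vendor's keyring package":             Fingerprint(maintainerPub),
		"key that verified 8.12.5 last year":      Fingerprint(maintainerPub),
	}
	v.MirrorKeyOK = ed25519.Verify(intruderPub, tarball, sig)
	agreed, dissenters, ok := CrossCheck(reported)
	v.SourcesAgree, v.Dissenters = ok, dissenters
	// Verify only with the key whose fingerprint the sources agreed on.
	for _, pub := range []ed25519.PublicKey{maintainerPub, intruderPub} {
		if Fingerprint(pub) == agreed {
			v.AgreedKeyOK = ed25519.Verify(pub, tarball, sig)
		}
	}
	return v, nil
}

func main() {
	v, err := RunKeyScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("trust key from mirror:     signature ok=%v (meaningless)\n", v.MirrorKeyOK)
	fmt.Printf("independent sources agree: %v, dissenting: %v\n", v.SourcesAgree, v.Dissenters)
	fmt.Printf("trust cross-checked key:   signature ok=%v\n", v.AgreedKeyOK)
}
```

The disagreement itself is the useful signal: the point is not to outvote the mirror but to stop and find out why one source differs before installing anything. A key that has verified earlier releases on the same machine is the cheapest independent source, which is why keeping the key across versions, as the earlier comment suggests, matters more than any single download's checksum.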