Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sendmail Hit by Data Interception Flaw

Posted by ryuzaki0 on from the bumps-in-the-night dept.

ricepudd writes "Computer Weekly reports that Internet security researchers have discovered a serious flaw in Sendmail. The flaw could allow remote attackers to take control of users' PCs. The Sendmail Consortium urged users to upgrade to version 8.13.6 of the software, which contains a fix to the problem. Computer Weekly seems to think that the fact that the Windows version isn't affected will help curtail the threat."

9 of 208 comments (clear)

  1. Flaw seems unexploited by rg3 · · Score: 5, Informative

    As everyone who follows the Slackware changelog, new packages were available yesterday. It seems there is still no exploit for this flaw, and it's somehow hard to exploit. That's the impression I got from the changelog entry. I'll paste it here:

    n/sendmail-8.13.6-i486-1.tgz: Upgraded to sendmail-8.13.6.
                  This new version of sendmail contains a fix for a security problem
                  discovered by Mark Dowd of ISS X-Force. From sendmail's advisory:
                  Sendmail was notified by security researchers at ISS that, under some
                  specific timing conditions, this vulnerability may permit a specifically
                  crafted attack to take over the sendmail MTA process, allowing remote
                  attackers to execute commands and run arbitrary programs on the system
                  running the MTA, affecting email delivery, or tampering with other
                  programs and data on this system. Sendmail is not aware of any public
                  exploit code for this vulnerability. This connection-oriented
                  vulnerability does not occur in the normal course of sending and
                  receiving email. It is only triggered when specific conditions are
                  created through SMTP connection layer commands.
                  Sendmail's complete advisory may be found here:
                  http://www.sendmail.com/company/advisory/index.sht ml
                  The CVE entry for this issue may be found here:
                  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2006-0058
                  (* Security fix *)

    1. Re:Flaw seems unexploited by cperciva · · Score: 5, Informative

      FreeBSD also has details in their security notification. Those guys are fast - if you want to have up to date info on security vulns., FreeBSD has them (usually with patches) way before the news hits slashdot

      We do our best. :-)

      Seriously though, CERT told us that the embargo was going to end at 16:00 UTC, so I had a shell window open with a series of "cvs commit" commands waiting for me to hit <enter>, a window with the commit messages I was going to use, a window with the advisory text waiting for me to type in the correction times, a shell window open to ftp-master.freebsd.org waiting for me to copy the patches into the right directory...

      When you have two weeks advance notice, it's easy to get advisories out soon after the embargo ends -- the hardest part of the process was making sure that I'd be awake at 8:00 AM (PST).

      --
      Tarsnap: Online backups for the truly paranoid
  2. No link to actual advisory in summary or article by doorbot.com · · Score: 5, Informative
    I believe this is the actual advisory:

    http://www.frsirt.com/english/advisories/2006/1049

    A critical vulnerability has been identified in Sendmail, which could be exploited by remote attackers or network worms to take complete control of an affected system. This flaw is due to errors in the "setjmp()", "longjmp()" and "sm_syslog()" functions that do not properly handle certain asynchronous signals, which could be exploited by remote unauthenticated attackers to execute arbitrary commands by sending specially crafted requests to the SMTP port.
  3. Re:Reality check: by Anonymous Coward · · Score: 5, Funny

    it's safer running the windows version of something?

    truly, it is the end times

  4. The inevitable 'use postfix!' post.... by Malor · · Score: 5, Informative

    Yes, I realize this is too late for those of you running Sendmail now, and please don't take this as criticism for using it.... it's a solid mail program. But it was written when the Net was a much nicer place, and it's proving, once again, that retrofitting security is either very difficult or impossible. For a long time, it seemed like practically every third exploit was for Sendmail... it got pretty frustrating.

    The two major alternatives are Qmail and Postfix; Courier is sort of an up-and-comer, but they've had quite a number of security holes in those packages. (of course, that may also be related to the fact that Courier does a lot more than just deliver mail.) Of the three, I prefer Postfix. It's exceedingly solid, very fast, and fairly easy to configure. The initial learning curve is a little steep (mostly because there's about a billion things you can set), but the config files are readable when you're done. You don't have to relearn the whole program every six months. It's also very secure... I'm only aware of two security problems in its entire history. (I don't remember the details, but I think one was minor, and the other was moderately serious.)

    QMail is also solid, fast, and secure. But the author has decided that Unix machines should be configured a particular way, with files in particular places, and he uses his code as a weapon to try to force you to do things the way he wants. So I won't run it unless I have to. I don't deny that he's a brilliant coder and forty-eight times smarter than I am, but I refuse to be dictated to.

    Postfix can take a beating.. it is Truly Great Software. It will handle any load that Sendmail will handle, it's easier to administer, and the security is better. And, of course, it's truly free... Wietse won't try to make your administration decisions for you.

    1. Re:The inevitable 'use postfix!' post.... by ajs · · Score: 5, Insightful

      There was a time when sendmail exploits were all the rage, but at the time, sendmail was one of a very, very small number of programs that had reached its level of maturity, breadth of features AND was network accessible, and was the only one in widespread use under Unix-like systems. Because of some high-profile bugs, many companies including Sun and later Red Hat did heavy security audits of the code, revealing and fixing more problems.

      These are all good things, and it seems to me to be a bit two-faced to say that the power of open source is that there are many eyes on the source, and then to punish the software with the most eyes on it. Sendmail has been the heart of mail on the Internet for decades, and deservedly will continue to do so for the forseeable future.

      These bugs demonstrate the old saying: where there is code, there are bugs. I'll stick with software that has already had the vast majority of its security problems shaken out.

  5. Re:Gee, Full Disclosure would be nice by LiquidCoooled · · Score: 5, Informative

    If you knew that you would be 99% of the way to solving the bug.
    As it happens, someone already posted a screenshot of the BSD version of the fix.

    A single line of c:

    t = 0;

    Inserted between lines 147 and 148 of file fflush.c appears to be the fix (reset a mem pointer just use above).
    I don't vouch for it and haven't even bothered to look at context or even if its the actual fix required, however its not like it was hidden and you don't need to get uppity about it.

    Incidentally, its such small code modifications that can bring great amounts of money to maintainers of corporate code that the monkeys don't understand what they are paying for.

    "But you only changed 1 line"
    "Yer, but that one line makes it work now...."

    --
    liqbase :: faster than paper
  6. IE and sendmail flaws on the same day? by MadFarmAnimalz · · Score: 5, Funny

    Coincidence? I think not...

    Shared codebase? Hmm?

    --
    Blearf. Blearf, I say.
  7. Re:Sendmail - now in its third decade of exploits by Radak · · Score: 5, Insightful

    Results 1 - 10 of about 18,000,000 for linux exploit.

    We've been struggling with Linux exploits since its birth, too. Shall we "drop the turkey" every time a new Linux exploit pops up, too, or should we acknowledge that it's a complicated piece of software whose security generally improves as it matures? I thought so.

    Oh, and just for good measure...

    Results 1 - 10 of about 203,000 for qmail exploit.
    Results 1 - 10 of about 283,000 for postfix exploit.

    I note that those queries generate about 1/3 and about 1/2 as many results, respectively, for products that have existed for about 1/10 as long as sendmail. By your ridiculously flawed "Google logic", qmail and postfix are far more dangerous "turkeys" than sendmail.