RealTime IT News

Sendmail, Beware

The Sendmail Consortium has released version 8.12.8 of its popular open-source Message Transfer Agent (MTA) to plug a "critical security problem" in header parsing which was discovered by the Internet Security Systems' X-Force unit.

Previous versions of Sendmail, which handles between up to 75 percent of all Internet e-mail traffic, contain a buffer overflow flaw that could give an attacker 'root' or superuser access. All versions of Sendmail from 5.79 to 8.12.7 were found to be vulnerable.

The CERT Coordination Center (CERT/CC) issued a security alert Monday, warning that "most medium-sized to large organizations are likely to have at least one vulnerable sendmail server."

Because Sendmail and all other e-mail servers are typically exposed to the Internet in order to send and receive Web e-mail, the Center warned that vulnerable servers cannot be protected by firewalls or packet filters. The Sendmail security hole is especially dangerous, CERT cautioned, because an exploit can be launched via e-mail and an intruder does not need specific knowledge of a target to launch a successful attack.

Researchers found the vulnerability to be message-oriented, as opposed to connection-oriented, which means it is triggered by the content of a "specially-crafted email message rather than by lower-level network traffic."

"This is important because an MTA that does not contain the vulnerability will pass the malicious message along to other MTAs that may be protected at the network level. In other words, vulnerable Sendmail servers on the interior of a network are still at risk, even if the site's border MTA uses software other than Sendmail," CERT/CC warned.

In urging Sendmail users to immediately apply patches (available for download here, the Center said the security flaw was likely to draw "significant attention from the intruder community," which increases the probability of a public exploit.

There is no known workaround for the Sendmail vulnerability. Until a patch can be applied, CERT/CC urged users to set the RunAsUser option to reduce the impact of the flaw.