Sendmail, Beware

The Sendmail Consortium has released
version 8.12.8 of its popular open-source Message Transfer Agent (MTA) to
plug a “critical security problem” in header parsing which was discovered by
the Internet Security Systems’ X-Force unit.

Previous versions of Sendmail, which handles between up to 75 percent of
all Internet e-mail traffic, contain a buffer overflow flaw that could give
an attacker ‘root’ or superuser access. All versions of Sendmail from 5.79
to 8.12.7 were found to be vulnerable.

The CERT Coordination Center (CERT/CC) issued a security alert
Monday, warning that “most medium-sized to large organizations are likely to
have at least one vulnerable sendmail server.”

Because Sendmail and all other e-mail servers are typically exposed to
the Internet in order to send and receive Web e-mail, the Center warned that
vulnerable servers cannot be protected by firewalls or packet filters. The
Sendmail security hole is especially dangerous, CERT cautioned, because an
exploit can be launched via e-mail and an intruder does not need specific
knowledge of a target to launch a successful attack.

Researchers found the vulnerability to be message-oriented, as opposed to
connection-oriented, which means it is triggered by the content of a
“specially-crafted email message rather than by lower-level network

“This is important because an MTA that does not contain the vulnerability
will pass the malicious message along to other MTAs that may be protected at
the network level. In other words, vulnerable Sendmail servers on the
interior of a network are still at risk, even if the site’s border MTA uses
software other than Sendmail,” CERT/CC warned.

In urging Sendmail users to immediately apply patches (available for download here, the Center said
the security flaw was likely to draw “significant attention from the intruder
community,” which increases the probability of a public exploit.

There is no known workaround for the Sendmail vulnerability. Until a
patch can be applied, CERT/CC urged users to set the RunAsUser option
to reduce the impact of the flaw.

News Around the Web