A new buffer overflow flaw has been detected in popular e-mail transfer application Sendmail that could allow an attacker to run any code he or she chooses, according to CERT/CC.
The security advisory group said the vulnerability affects systems running open-source Sendmail versions before 8.12.10, including both UNIX and Linux systems, as well as commercial releases of Sendmail such as Sendmail Switch, Sendmail Advanced Message Server (SAMS), and Sendmail for NT. The weakness allows a malicious user to compromise the application’s daemon, which is especially serious when the daemon runs as root.
The vulnerability lies in Sendmail’s address parsing code. An error in the pre-scan function could allow an attacker to write past the end of a buffer, corrupting memory structures. The attacker may then be able to execute arbitrary code by sending an e-mail message.
CERT Internet security analyst Art Manion told internetnews.com the bug is severe because of the widespread degree to which Sendmail is used in vendors’ Unix and Linux infrastructure.
It mirrors a similar flaw discovered in March, but CERT said this flaw is different because the point of attack starts with the “contents of a specially crafted email message rather than by lower-level network traffic.”
“This is different from that flaw, but they are very, very similar in what they do,” Manion said. “They both attack via an e-mail message sent to a vulnerable server. It’s the same function and the same source code. This new flaw affects a higher layer within the e-mail message.”
Manion said this particular flaw busts through the firewall undetected. In some respects, Manion said, it resembles an e-mail virus because the exploit lies in the e-mail message.
“Sendmail is widely deployed,” said the analyst. “This is definitely a big concern of ours.”
Why does it matter that the point of attack for the newly discovered flaw lies in the message, not in the connection? Manion said this is important because an e-mail transfer agent that does not itself host the vulnerability may still pass the malicious message along to other transfer agents that are protected only at the network level. That means vulnerable Sendmail servers inside the network remain at risk even if the site’s border transfer agent uses different software to send messages.
CERT is advising Sendmail users who rely on the aforementioned systems, whether Unix or Linux, to upgrade to the new version of Sendmail (8.12.10) or to apply a patch for Sendmail versions 8.9.x through 8.12.9. In the meantime, the group recommends that users set the RunAsUser option to reduce the impact of this vulnerability.
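As an added defender-side check, not part of this article or of any CERT or Sendmail tooling, the script below parses a Sendmail version string from an SMTP greeting or from `sendmail -d0.1` output, flags anything below the fixed 8.12.10 release, and reports whether the sendmail.cf sets the RunAsUser option the advisory recommends as an interim measure. The banner and sendmail.cf excerpts are constructed samples, and the "O RunAsUser=" line format is the standard sendmail.cf option syntax.

```python
import re

# First fixed release named in the advisory; everything below it is affected.
FIXED_VERSION = (8, 12, 10)

# Matches "Sendmail 8.12.9/8.12.9" in an SMTP greeting or "Version 8.12.9"
# as printed by `sendmail -d0.1`; only the first x.y.z group is used.
_VERSION_RE = re.compile(r"(?:Sendmail|Version)\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the Sendmail version as a (major, minor, patch) tuple, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True when the version predates the fixed release (8.12.10)."""
    return version < FIXED_VERSION


def run_as_user(cf_text):
    """Return the RunAsUser value from a sendmail.cf, or None if it is not set.

    The option appears as an 'O RunAsUser=user' (or 'user:group') line;
    a leading '#' comments it out and must not count as set."""
    for line in cf_text.splitlines():
        m = re.match(r"\s*O\s+RunAsUser\s*=\s*(\S+)", line)
        if m:
            return m.group(1)
    return None


def assess(banner, cf_text):
    """Combine the version check and the RunAsUser check into one verdict."""
    version = parse_version(banner)
    if version is None:
        return "unknown version"
    if not is_vulnerable(version):
        return "not affected (%d.%d.%d)" % version
    user = run_as_user(cf_text)
    if user and user.split(":")[0] != "root":
        return "vulnerable, mitigated: RunAsUser=%s" % user
    return "vulnerable, runs as root: upgrade to 8.12.10 or patch"


# Constructed sample inputs (not taken from any real host).
SAMPLE_BANNER = "220 mail.example.org ESMTP Sendmail 8.12.9/8.12.9; Wed, 17 Sep 2003 10:00:00 -0400"
SAMPLE_CF_UNSET = "# sendmail.cf excerpt\nO QueueDirectory=/var/spool/mqueue\n#O RunAsUser=sendmail\n"
SAMPLE_CF_SET = "O QueueDirectory=/var/spool/mqueue\nO RunAsUser=mailnull\n"

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CF_UNSET))
    print(assess(SAMPLE_BANNER, SAMPLE_CF_SET))
```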
Vendors or groups who incorporate Sendmail are addressing the issue with patches. They include Debian, F5 Networks, IBM, NetBSD, Red Hat, The Sendmail Consortium, Sun Microsystems, and SuSE.
Sendmail has a history of flaws. Previous versions of Sendmail, which handles up to 75 percent of all Internet e-mail traffic, contained a buffer overflow flaw that could give an attacker ‘root’ or super-user access.