Message-ID: <6.0.3.0.2.20060322121432.07725d50@127.0.0.1>
Date: Wed, 22 Mar 2006 12:24:34 -0500
From: Marc Bejarano <bugtraq@...j.org>
To: bugtraq@...urityfocus.com
Subject: sendmail vuln advisories (CVE-2006-0058)


the official advisory from http://www.sendmail.com/company/advisory/
===
Sendmail MTA Security Vulnerability

March 22, 2006

I. Overview

Sendmail, Inc. has recently become aware of a security vulnerability in 
certain versions of sendmail Mail Transfer Agent (MTA) and UNIX and Linux 
products that contain it.  Sendmail was notified by security researchers at 
ISS that, under some specific timing conditions, this vulnerability may 
permit a specifically crafted attack to take over the sendmail MTA process, 
allowing remote attackers to execute commands and run arbitrary programs on 
the system running the MTA, affecting email delivery, or tampering with 
other programs and data on this system.  This vulnerability is being 
tracked as CVE-2006-0058 and can be found at 
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058.

Sendmail is not aware of any public exploit code for this 
vulnerability.  This connection-oriented vulnerability does not occur in 
the normal course of sending and receiving email.  It is only triggered 
when specific conditions are created through SMTP connection layer commands.

Sendmail has confirmed the technical issue exposing this vulnerability and 
is providing patches that resolve it in our open source and commercial 
products.  Sendmail has also alerted CERT® Coordination Center (CERT/CC), 
who has notified US-CERT.
In close coordination with CERT/CC and Internet Security Systems (ISS), 
Sendmail has taken the following actions:

          1. Implemented and certified software patches for open source 
sendmail MTA versions 8.12 and 8.13
          2. Implemented and certified software patches/upgrades for 
impacted commercial Sendmail products
          3. Worked with ISS to validate the developed patches and assure 
their effectiveness
          4. Collaborated with CERT/CC to notify and provide other vendors 
who use the sendmail MTA with the required source code patches

II. Impact

Within certain operating system architectures, a remote attacker may be 
able to force certain timing conditions that would allow execution of 
arbitrary code or commands on a vulnerable system. Systems running an MTA 
are typically deployed in the DMZ as a gateway for delivering inbound and 
outbound email, though they may also be used for internal email delivery 
between systems or applications.  In the case of a compromised system, an 
attack could lead to exposure, deletion, or modification of programs and 
data on the affected system, interference with or interception of email 
delivery, and potentially unauthorized access to other systems in the 
network.  Systems running any of the following software are considered 
vulnerable:
Open Source

          1. Sendmail 8.13.5 and earlier versions

Sendmail Commercial Products

          1. Sendmail Switch, Managed MTA, and Multi-Switch v 3.1.7 and 
earlier for Solaris, Linux, AIX, and HP-UX
          2. Sendmail Sentrion 1.1 Appliance
          3. Sendmail Advanced Message Server and Message Store v 2.2 and 
earlier for Solaris, Linux, AIX, and HP-UX
          4. Intelligent Quarantine 3.0 for Solaris and Linux

3rd Party Products Containing the MTA

Sendmail working with CERT/CC has notified affected vendors and provided 
them with source code patches to sendmail MTA 8.12 and 8.13 for use in 
their affected products.  CERT/CC will publish specific vendor information 
on the availability of customer patches.
III. Mitigation and Solution

Mitigation - Enable the RunAsUser option

The impact of this vulnerability can be reduced by setting the RunAsUser 
option in the configuration file.  Details are available in Sendmail’s 
Knowledgebase article S10621 at 
https://www.sendmail.com/cfusion/CFIDE/kb_doc.cfm?kb_id=S10621 or in this 
PDF document http://www.sendmail.com/company/advisory/runasuser.pdf. It is 
a good security practice to limit the privileges of applications and 
services whenever possible.  Setting the RunAsUser option will limit 
privileges available to a remote attacker to those of a non-root user.

Solution – Upgrade or Apply a Patch

On March 22, 2006, Sendmail has released to all customers patches/upgrades 
to the current version of the affected products.  Customers with versions 
of the product that are not supported will be provided with an upgrade to 
the most current version of the software and the related patch.  Sendmail 
is also notifying customers without support of a special opportunity to 
renew their support agreement.
The following table summarizes recommended actions by product version and 
platform.

<see original advisory for table>

Customers with current support agreements can review Knowledgebase entries 
posted for all of the above products at 
http://www.sendmail.com/customerlogin/. With any additional questions, 
please contact Sendmail Technical Support by logging a case 
online.  Customers without login to Knowledgebase can review this 
information at http://www.sendmail.com/support/.

Customers without current support agreements are advised of the following 
special support opportunities:

    1. For customers who re-instate lapsed support agreements by April 
28th, 2006 by purchasing current product version and one year support, 
Sendmail will waive the re-instatement fee normally charged for lapsed time.

Customers re-instating their support are entitled to future product 
upgrades, including Switch/Multiswitch 3.2 (planned for availability in 
April 2006) with the following enhancements:

    1. Integration of sendmail MTA 8.13 with support for a number of new 
threat protection and management features
    2. Flow Control reporting and monitoring integrated in Switch UI for 
individual systems or the entire cluster
    3. Asynchronous deployment and monitoring across all cluster members, 
enabling these activities to run in parallel
    4. DKIM signing of outgoing email and DK/DKIM validation of incoming 
email, enabling classification of validly signed, forged, or unsigned 
messages to reduce the risk of phishing and spoofing
    5. Customers may request a limited technical support option for 
assistance with upgrading to Switch 3.1 product version.  This email-only 
support option is available free of charge until April 28th, 2006 and for a 
one time charge of $949.00 thereafter.

To take advantage of these limited time support opportunities, please 
contact Sendmail by phone (see numbers below) or by email to 
customerservice@...dmail.com to request one of these options.

Phone contact information:
<see original advisory for table>

* If this is your first time accessing Sendmail's support system since 
February 6th, 2006, you will need to set up a new password.  Please follow 
these steps:

    1. Visit https://www.sendmail.com/cfusion/CFIDE/nupw.cfm
    2. Enter your email address and select the "Submit" button.
    3. An email message containing a temporary password will be sent to 
your email address.  Follow the instructions in that message to create a 
permanent password.


IV. FAQ

How was this issue discovered?

Sendmail was recently notified by security researchers at ISS that they 
discovered certain timing conditions that may permit a specifically crafted 
attack to take over the sendmail MTA process.
How difficult would it be for someone to exploit this theoretical 
vulnerability?

This requires creating very specific timing conditions using SMTP 
connection layer commands and delivering specific email payload.  Someone 
with specific network programming skills would be required to create a 
successful exploit.
Has anyone been impacted by this?

No, this is a theoretical vulnerability that does not occur during the 
normal course of sending and receiving email.  Sendmail is not aware of any 
public exploits for this issue on the Internet.
What should a user look for to know if they have been impacted?

There are no known exploits with specific trails that a user could look for 
at this time.
What could happen if someone does exploit this?

In theory, the attacker may gain the privileges of the sendmail process 
running on a system and run arbitrary commands and code, subject to those 
privileges.   This could allow someone to interfere with email delivery, 
tamper with other programs and data on the systems, or try to gain access 
to other systems on the same network.
Are sendmail MTAs behind my firewall vulnerable?

Most vulnerable MTAs are the ones that are directly accessible to the 
outside world.  These are gateway MTAs that are directly connected to the 
Internet or are behind a firewall that allows port 25 traffic to pass 
through.  These servers should be patched first.  An MTA deployed on an 
internal network is not vulnerable to an outside attack, but could be 
affected by an attack launched from the internal network.
Is this a recently introduced problem, or has it been present for some time?

This problem has been present for some time, and it has only recently been 
discovered through some very specific conditions created in the lab.
Has Sendmail had similar security issues in the past?

Previous to this issue Sendmail had a few issues raised in 2003, which 
were quickly addressed.  Although this type of occurrence is not uncommon 
in the industry, Sendmail has established procedures to quickly and 
pro-actively respond to security issues. ISS has complimented Sendmail for 
our quick and comprehensive response, welcoming our efforts to not only 
resolve the reported issue, but to deploy additional resources to review 
and update any related code.
What are you doing to notify affected users?

Sendmail has worked with CERT/CC to manage the communications process for 
affected vendors, whose products may be based on the sendmail MTA 
software.  We are also notifying the open source community and our 
commercial customers about this issue and immediate availability of patches 
and upgrades to correct it.
What should users do until they can install the patches?

Users of sendmail MTA should ensure that they use the RunAsUser 
configuration option in their environment to reduce the scope of privileges 
available to the sendmail process.   While this doesn’t close the 
vulnerability, it reduces the impact of any potential exploitation.
What should the users do to request the patches?

Sendmail is notifying our commercial customers about the patches for 
specific product releases and platforms and providing the information on 
how to download and obtain these patches or upgrades.
Open source users can get patches from ftp://ftp.sendmail.org/pub/sendmail/ 
and should also subscribe to sendmail-announce mailing list for any other 
updates by sending mail to sendmail-announce-request@...ts.sendmail.org.
What about 3rd party vendors using the sendmail MTA?

Sendmail has worked with CERT/CC to notify the vendors and provide source 
code patches.  Please monitor CERT/CC vulnerabilities page at 
http://www.cert.org/nav/index_red.html for updates on patch availability 
from other vendors.
What versions of the Open Source sendmail MTA are affected?

Versions of the MTA prior to 8.13.5 are affected by this issue.  Open 
source patches are available for 8.12 and 8.13 versions as 8.12.11.20060308 
and 8.13.6. The Sendmail Consortium strongly suggests that users upgrade to 
8.13.6. Please refer to http://www.sendmail.org/8.13.6.html for more details.
How important is this issue, how quickly should I plan to upgrade?

Sendmail’s threat assessment of this issue is Risk: Medium; Impact: 
High.  Sendmail recommends that customers plan to upgrade their externally 
accessible MTAs as part of their regularly scheduled maintenance, followed 
by upgrade to any internal MTAs at a convenient time.
Is this issue related to the recent OpenSSL security advisory?

No, this vulnerability is not related to OpenSSL advisory CAN-2005-2969 
(Potential SSL 2.0 Rollback).  However, the Switch 3.1.8 cumulative patch 
also provides an upgrade to OpenSSL that addresses the issue documented in 
that advisory.
What are all the new changes included in the 3.1.8 patch?

This patch is cumulative to Switch 3.1.7 patch, and includes the following:

          1. Changes to the sendmail MTA binary to resolve this vulnerability
          2. A few additional MTA fixes to resolve customer issues
          3. Upgrade of 3rd party packages, including:
                1. OpenSSL is upgraded to version 0.9.6m and includes a fix 
for CAN-2005-2969 (Potential SSL 2.0 Rollback).
                2. Apache is upgraded to version 1.3.34.
                3. Mod SSL upgraded to 2.8.25-1.3.34.

How can I verify this is a legitimate security advisory?

Customers can contact Sendmail Technical Support as listed on 
http://www.sendmail.com/support/contact/ to verify the authenticity of this 
advisory.  The email notification sent to Sendmail customers is signed with 
PGP, using Sendmail, Inc. Security Officer PGP key, available at: 
http://www.sendmail.com/security/security-officer.asc. In addition, a PGP 
signed copy is available for download at: 
http://www.sendmail.com/company/advisory/index.shtml, signed with the same key.
===

the advisory from the discoverers from 
http://xforce.iss.net/xforce/alerts/id/216
===
Internet Security Systems Protection Advisory
March 22, 2006

Sendmail Remote Signal Handling Vulnerability

Summary:

ISS has shipped protection for a flaw X-Force has discovered in
the Sendmail server software. By sending malicious data at certain
time intervals, it is possible for a remote attacker to corrupt arbitrary
stack memory and gain control of the affected host.

ISS Protection Strategy:

ISS has provided preemptive protection for these vulnerabilities. We
recommend that all customers apply applicable ISS product updates.

Network Sensor 7.0 and Proventia A:
XPU 24.29 / 2/14/06
SMTP_Timeout_Bo

Proventia G100/G200/G1000/G1200 prior to Firmware Version 1.2:
XPU 24.29 / 2/14/06
SMTP_Timeout_Bo

Proventia G100/G200/G1000/G1200/G400/G2000 Firmware Version 1.2 or
later:
XPU 1.68 / 2/14/06
SMTP_Timeout_Bo

Proventia M:
XPU 1.68 / 2/14/06
SMTP_Timeout_Bo

Server Sensor 7.0:
Buffer Overflow Exploit Protection (BOEP)
XPU 24.29 / 2/14/06
SMTP_Timeout_Bo

Proventia Server:
Buffer Overflow Exploit Protection (BOEP)
Version 1.0.914.300 / 2/14/06
SMTP_Timeout_Bo

Proventia Desktop:
Buffer Overflow Exploit Protection (BOEP)
Version 8.0.675.1200 / 2/14/06
SMTP_Timeout_Bo

RealSecure Desktop 7.0:
Version EOZ / 2/14/06
SMTP_Timeout_Bo

BlackICE Agent for Server 3.6:
Version EOZ / 2/14/06
SMTP_Timeout_Bo

BlackICE PC Protection 3.6:
Version COZ / 2/14/06
SMTP_Timeout_Bo

BlackICE Server Protection 3.6:
Version COZ / 2/14/06
SMTP_Timeout_Bo

These updates are now available from the ISS Download Center at:
http://www.iss.net/download.

Business Impact:

Compromise of networks and machines using affected versions of Sendmail
may lead to exposure of confidential information, loss of productivity,
and further network compromise. An attacker does not need to entice any
kind of user interaction to trigger this vulnerability.
Successful exploitation would grant an attacker the privileges that the
sendmail server daemon is running with.

Affected Products:

Sendmail 8.13.X – all versions

Note: SendmailX is NOT affected by this vulnerability.

Description:

Sendmail is a popular SMTP server daemon used on mail gateways and
forwarders to route and deliver email. It is primarily used in
UNIX server environments, although versions exist for Windows as well.

Sendmail contains a signal race vulnerability when receiving and
processing mail data from remote clients. Sendmail utilizes a signal
handler for dealing with timeouts that is not async-safe and interruption
of certain functions by this signal handler will cause static data
elements to be left in an inconsistent state. These data elements can be
used to write data to invalid parts of the stack (or heap in some
scenarios), thus taking control of the vulnerable process.

In order to exploit this vulnerability, an attacker simply needs to be
able to connect to sendmail SMTP server. This is a multi-shot exploit,
meaning the attacker can attempt to exploit it an indefinite amount
of times, since sendmail spawns a new process for each connected
client.

The ISS X-Press Updates detailed above have the ability to protect
against attack attempts targeted at Sendmail.

Additional Information:

Sendmail Security Bulletin:
http://www.sendmail.org/8.13.6.html

Credit:

This vulnerability was discovered and researched by Mark Dowd of the ISS 
X-Force.

______

About Internet Security Systems, Inc.
Internet Security Systems, Inc. (ISS) is the trusted security advisor
to thousands of the world’s leading businesses and governments,
providing preemptive protection for networks, desktops and
servers. An established leader in security since 1994, ISS’
integrated security platform automatically protects against both
known and unknown threats, keeping networks up and running and
shielding customers from online attacks before they impact business
assets. ISS products and services are based on the proactive
security intelligence of its X-Force® research and development
team – the unequivocal world authority in vulnerability
and threat research. ISS’ product line is also complemented
by comprehensive Managed Security Services. For more information,
visit the Internet Security Systems Web site at www.iss.net
or call 800-776-2362.
===
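
The signal race ISS describes above (a timeout handler that is not async-signal-safe and leaves static data half-updated when it interrupts other code), illustrated by an added C example that is not sendmail's code and not part of either advisory: the handler only sets a `volatile sig_atomic_t` flag, the blocking `read()` is left to fail with `EINTR`, and all buffer updates happen on the normal path. The function names and the SMTP line are constructed for this example.

```c
/*
 * Added example, not sendmail's code. The unsafe pattern behind the bug
 * class above is a timeout handler that does real work (I/O, longjmp,
 * updating the buffer the interrupted function was writing). The safe
 * pattern below keeps the handler to a single flag store and lets the
 * interrupted read() return EINTR, so cleanup runs in ordinary code.
 */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>

static volatile sig_atomic_t timed_out;   /* only async-signal-safe state */

static void on_alarm(int sig) {
    (void)sig;
    timed_out = 1;            /* no I/O, no longjmp, no allocation here */
}

/* Install the SIGALRM handler without SA_RESTART so a blocked read()
 * is interrupted instead of silently restarted. */
static int install_timeout_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(SIGALRM, &sa, NULL);
}

/* Read one line (up to and including '\n') from fd into buf within
 * `secs` seconds. Returns bytes stored, 0 on timeout, -1 on error.
 * buf is NUL-terminated and only modified on the normal path, so a
 * timeout can never leave it in a half-written state. */
ssize_t read_line_timeout(int fd, char *buf, size_t cap, unsigned secs) {
    size_t n = 0;
    timed_out = 0;
    if (cap == 0 || install_timeout_handler() < 0) return -1;
    alarm(secs);
    while (n + 1 < cap) {
        char c;
        ssize_t r = read(fd, &c, 1);
        if (r == 0) break;                                  /* EOF */
        if (r < 0) {
            if (errno == EINTR && timed_out) { n = 0; break; } /* timeout */
            alarm(0);
            return -1;
        }
        buf[n++] = c;
        if (c == '\n') break;
    }
    alarm(0);
    buf[n] = '\0';
    return (ssize_t)n;
}
```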
