From: "Harrod, William" <[EMAIL PROTECTED]>
Date: 03/03/2003 02:17 PM
To: "Harrod, William" <[EMAIL PROTECTED]>
Subject: TruSecure ALERT- TSA 03-002 - Sendmail Buffer Overflow -- ALERT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TruSecure ALERT- TSA 03-002 - Sendmail Buffer Overflow -- ALERT

Initial Assessment: Important
Date: February 14, 2003  Time: 2000 UTC

Current Assessment: RED HOT
Date: March 3, 2003  Time: 1700 UTC

On February 14th a TruSecure Radar posting indicated that we were aware of a potential vulnerability in Sendmail. Today, a coordinated announcement was made regarding a Sendmail header buffer overflow vulnerability. It is expected that code exploiting this vulnerability is already in circulation and that attacks are likely in the near future.

Most installations of Unix include Sendmail by default and are therefore probably vulnerable. This may impact an organization's infrastructure because many firewalls and content filtering products contain Sendmail. It is recommended that customers using a firewall that proxies mail through Sendmail implement packet filtering rules to redirect mail through patched or non-Sendmail systems while propagating fixes from their vendors.

RISK INDICES:

Current Assessment: RED HOT

Threat: High - The vulnerability allows administrative access on an exploited host. The exploit takes advantage of a fixed-size buffer used to process certain mail header fields (To:, From:, CC:, Resent-From: and related comment fields).

Vulnerability Prevalence: High - Sendmail is installed by default on most Unix systems, and this exploit may impact critical infrastructure devices as well as numerous devices without mail functionality but with Sendmail installed. TruSecure is aware that known malicious coders currently have exploit code to work from. We expect simple exploits in the near term, and more complex exploits, including mail-based worms, shortly thereafter.

Cost: High - This exploit may provide administrative access on vulnerable systems, including infrastructure devices.

MITIGATIONS:

1. Re-route mail from Sendmail devices to already patched servers or non-Sendmail systems while propagating patches.
2. Substitute other Message Transfer Agents for Sendmail in your organization (Postfix, Qmail, Exim, Exchange...).
3. Patch vulnerable systems as quickly as possible. The following vendors have announced patch availability: Mandrake, SuSE, IBM, FreeBSD, OpenBSD, SGI, Red Hat.

NOTES:

1. People using TruSecure Shadow Mail should be safe from this attack downstream.
2. There are reports that Sendmail servers downstream from patched Sendmail systems may be protected from potential attacks.
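The flaw described above, a fixed-size buffer fed by address header fields and their comments, is the class of bug the following code is written to avoid. This is an added illustration, not Sendmail's code or the advisory's: a bounded copier that strips nested comments and refuses any field that would not fit, plus a gateway-side check over the header fields the advisory names; the 256-byte policy limit and the function names are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Copy an address header value into a fixed-size buffer with explicit
 * bounds accounting. Comments "( ... )", which may nest and may contain
 * escaped characters, are dropped; quoted strings are kept verbatim.
 * Returns bytes written, or -1 if the field would not fit or is malformed. */
int copy_address_field(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;             /* bytes written so far */
    int depth = 0, quoted = 0; /* comment nesting depth; inside "..." */
    if (dstsz == 0) return -1;
    for (const char *p = src; *p; p++) {
        char c = *p;
        if (c == '\\' && p[1]) {          /* quoted-pair: escape + next byte */
            if (depth == 0) {             /* only kept outside comments */
                if (n + 2 >= dstsz) return -1;
                dst[n++] = c; dst[n++] = p[1];
            }
            p++;
            continue;
        }
        if (!quoted && c == '(') { depth++; continue; }
        if (!quoted && depth > 0) { if (c == ')') depth--; continue; }
        if (c == '"') quoted = !quoted;
        if (n + 1 >= dstsz) return -1;    /* leave room for the NUL */
        dst[n++] = c;
    }
    if (depth != 0 || quoted) return -1;  /* unbalanced comment or quote */
    dst[n] = '\0';
    return (int)n;
}

#define MAX_ADDR_FIELD 256  /* assumed policy limit for this illustration */

/* Gateway-side check for the header fields named in the advisory: returns 1
 * if the line is acceptable, 0 if its address value would not fit. */
int header_field_is_acceptable(const char *line)
{
    static const char *const fields[] = { "To:", "From:", "Cc:", "Resent-From:" };
    char buf[MAX_ADDR_FIELD];
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        size_t len = strlen(fields[i]);
        if (strncasecmp(line, fields[i], len) == 0)
            return copy_address_field(buf, sizeof buf, line + len) >= 0;
    }
    return 1; /* other header fields are not subject to this check */
}
```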