sendmail.org
Jon R. Doyle
Sendmail Inc.
6425 Christie Ave
Emeryville, Ca. 94608
On Tue, 4 Mar 2003, James Melin wrote:
> "Harrod, William" <[EMAIL PROTECTED]>
> 03/03/2003 02:17 PM
>
> To: "Harrod, William" <[EMAIL PROTECTED]>
> cc:
> Subject: TruSecure ALERT- TSA 03-002 - Sendmail Buffer Overflow -- ALERT
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> TruSecure ALERT- TSA 03-002 - Sendmail Buffer Overflow -- ALERT
>
> Initial Assessment: Important
> Date: February 14, 2003
> Time: 2000 UTC
> Current Assessment: RED HOT
> Date: March 3, 2003
> Time: 1700 UTC
>
> On February 14th a TruSecure Radar posting indicated that we were
> aware of a potential vulnerability in Sendmail. Today, a coordinated
> announcement was made regarding a Sendmail header buffer overflow
> vulnerability. It is expected that code exploiting this
> vulnerability is already in circulation and attacks will be likely in
> the near future.
>
> Most installations of Unix include Sendmail by default and are
> therefore probably vulnerable.
>
> This may impact an organization's infrastructure because many
> firewalls and content filtering products contain Sendmail.
>
> It is recommended that customers who are using a firewall that
> proxies mail, using Sendmail, implement packet filtering rules to
> redirect mail through patched or non-Sendmail systems while
> propagating fixes from their vendors.
>
>
> RISK INDICES:
>
> Current Assessment: RED HOT
>
> Threat: High - The vulnerability allows administrative access on an
> exploited host. The exploit takes advantage of a fixed-sized buffer
> used to process certain mail header fields (To:, From:, CC:, Resent
> From: and related comment fields).
>
> Vulnerability Prevalence: High - Sendmail is installed by default on
> most Unix systems and this exploit may impact critical infrastructure
> devices as well as numerous devices without mail functionality, but
> with Sendmail installed.
>
> TruSecure is aware that known malicious coders currently have exploit
> code to work from. We expect simple exploits in the near term, and
> more complex exploits including mail-based worms shortly thereafter.
>
> Cost: High - This exploit may provide administrative access on
> vulnerable systems, including infrastructure devices.
>
> MITIGATIONS:
>
> 1. Re-routing mail from Sendmail devices to already patched servers
> or non-Sendmail systems while propagating patches.
>
> 2. Substitute other Message Transfer Agents for Sendmail in your
> organization (Postfix, Qmail, Exim, Exchange...)
>
> 3. Patch vulnerable systems as quickly as possible. The following
> vendors have announced patch availability: Mandrake, SuSE, IBM,
> FreeBSD, OpenBSD, SGI, Red Hat.
>
> NOTES:
> 1. People using TruSecure Shadow Mail should be safe from this attack
> downstream.
>
> 2. There are reports that Sendmail servers downstream from Patched
> Sendmail systems may be protected from potential attacks.
>