sendmail.org Jon R. Doyle Sendmail Inc. 6425 Christie Ave Emeryville, Ca. 94608
(o_ (o_ (o_ //\ (/)_ (\)_ V_/_ On Tue, 4 Mar 2003, James Melin wrote: > |---------+----------------------------> > | | "Harrod, William"| > | | <[EMAIL PROTECTED]| > | | e.com> | > | | | > | | 03/03/2003 02:17 | > | | PM | > | | | > |---------+----------------------------> > > >------------------------------------------------------------------------------------------------------------------------------| > | > | > | To: "Harrod, William" <[EMAIL PROTECTED]> > | > | cc: > | > | Subject: TruSecure ALERT- TSA 03-002 - Sendmail Buffer Overflow -- ALERT > | > > >------------------------------------------------------------------------------------------------------------------------------| > > > > > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > TruSecure ALERT- TSA 03-002 - Sendmail Buffer Overflow -- ALERT > > Initial Assessment: Important > Date: February 14, 2003 > Time: 2000 UTC > Current Assessment: RED HOT > Date: March 3, 2003 > Time: 1700 UTC > > On February 14th a TruSecure Radar posting indicated that we were > aware of a potential vulnerability in Sendmail. Today, a coordinated > announcement was made regarding a Sendmail header buffer overflow > vulnerability. It is expected that code exploiting this > vulnerability is already in circulation and attacks will be likely in > the near future. > > Most installations of Unix include Sendmail by default and are > therefore probably vulnerable. > > This may impact an organization's infrastructure because many > firewalls and content filtering products contain Sendmail. > > It is recommended that customers who are using a firewall that > proxies mail, using Sendmail, implement packet filtering rules to > redirect mail through patched or non-Sendmail systems while > propagating fixes from their vendors. > > > RISK INDICIES: > > Current Assessment: RED HOT > > Threat: High - The vulnerability allows administrative access on an > exploited host. The exploit takes advantage of a fixed-sized buffer > used to process certain mail header fields, (To:, From:, CC:, Resent > From: and related comment fields.) > > Vulnerability Prevalence: High - Sendmail is installed by default on > most Unix systems and this exploit may impact critical infrastructure > devices as well as numerous devices without mail functionality, but > with Sendmail installed. > > TruSecure is aware that known malicious coders currently have exploit > code to work from. We expect simple exploits in the near term, and > more complex exploits including mail-based worms shortly thereafter. > > Cost: High - This exploit may provide administrative access on > vulnerable systems, including infrastructure devices. > > MITIGATIONS: > > 1. Re-routing mail from Sendmail devices to already patched > servers > or non-Sendmail systems while propagating patches. > > 2. Substitute other Message Transfer Agents for Sendmail in your > organization (Postfix, Qmail, Exim, Exchange...) > > 3. Patch vulnerable systems as quickly as possible. The > following > vendors have announced patch availability: Mandrake, SuSE, IBM, > FreeBSD, OpenBSD, SGI, Red Hat. > > NOTES: > 1. People using TruSecure Shadow Mail should be safe from this > attack > downstream. > > 2. There are reports that Sendmail servers downstream from > Patched > Sendmail systems may be protected from potential attacks. >