LinuxQuestions.org
Old 11-15-2003, 09:00 PM   #1
odious1
Member
 
Registered: Jun 2003
Location: Virginia, USA
Distribution: Slackware
Posts: 252

Rep: Reputation: 30
sendmail vulnerabilities


I have updated my sendmail to rh version 8.11.6-27-72, which is their latest release. This was supposed to correct some security issues with my previous version 8.11.6-3. The rpm -F updated the package and created new access, sendmail.mc and .cf files. I restarted the daemon but my portscan shows the same problems that should have been addressed by patches for rh advisory RHSA-2003:073-06. Is there something else I should have done, or do I need to download the latest source?

Hope this is the right place for this post.

Thanks
 
Old 11-15-2003, 09:37 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,715
Blog Entries: 54

Rep: Reputation: 2967
Quote:
I restarted the daemon but my portscan shows the same problems that should have been addressed by patches for rh advisory RHSA-2003:073-06.
RHSA-2003:073-06 addresses one message-based buffer overflow vulnerability and one smrsh parsing vulnerability. A portscan is not the way to test for this.
 
Old 11-15-2003, 09:39 PM   #3
Aurix
LQ Newbie
 
Registered: May 2002
Location: QLD, Australia
Distribution: Debian/Redhat
Posts: 14

Rep: Reputation: 0
Quote:
I restarted the daemon but my portscan shows the same problems that should have been addressed by patches
What do you mean your portscan?

If you don't need sendmail to be running (i.e., you don't need your system to be accepting connections for a domain to pass on to local users), stop it from running altogether:
chkconfig --level 2345 sendmail off

Then you won't have to worry about keeping sendmail up to date.

Cheers.
 
Old 11-17-2003, 12:11 AM   #4
odious1
Member
 
Registered: Jun 2003
Location: Virginia, USA
Distribution: Slackware
Posts: 252

Original Poster
Rep: Reputation: 30
I need to keep this service running as it is my mail server. Let me clarify on my reference to port scan. I use a company called Qualys which compiles vulnerabilities, and when I run the scan it detects any based on the services I am running. In theory if I installed every patch available I would address the problems the scan detects, but the advantage for me with this service is that it identifies the vulnerability and even recommends the solution or workaround, which saves me a lot of time. Well, the rh patch is supposed to fix this problem but it did not, unless I did something wrong.

I will paste the relevant section of my scan report.

QID:74135 Category:Mail services CVE ID:CAN-2002-1337
First Detected:11/15/2003 at 20:28:47 Last Detected:11/15/2003 at 20:28:47 Times Detected:1
DESCRIPTION:
Sendmail is a widely used MTA for Unix and Microsoft Windows systems.
A remotely exploitable vulnerability has been discovered in Sendmail. The vulnerability is due to a buffer overflow condition in the SMTP header parsing component. Remote attackers may exploit this vulnerability by connecting to target SMTP servers and transmitting malformed SMTP data to them.

The overflow condition occurs when Sendmail processes incoming e-mail messages with multiple addresses in a field such as "From:" or "CC:". One of the checks to ensure that the addresses are valid is flawed, resulting in a buffer overflow condition.

Sendmail Versions 5.2 to 8.12.7 are affected. Administrators are advised to upgrade to Version 8.12.8 or apply available patches to prior versions of the 8.x tree.

CONSEQUENCES:
This vulnerability may be exploited to gain root privileges on affected servers remotely.
SOLUTION:
RedHat released a security advisory (RHSA-2003:073-06) containing fixes. Upgrade as soon as possible.
SGI released a security advisory (20030301-01-P) containing fixes. Users of IRIX 6.5.15 and later are urged to apply the appropriate patches. Users of IRIX 6.5.14 and earlier should upgrade their installations to IRIX 6.5.20.

Sendmail in OpenBSD-current has been upgraded to Version 8.12.8. Patches have also been released for OpenBSD Versions 3.2 and 3.1. Apply patches or upgrade.

Thanks for the help on this
 
Old 11-17-2003, 09:20 AM   #5
Aurix
LQ Newbie
 
Registered: May 2002
Location: QLD, Australia
Distribution: Debian/Redhat
Posts: 14

Rep: Reputation: 0
Check if you have the patched version by: rpm -qi sendmail

If you have the latest version, you should be ok.

I don't think this is necessary, but just in case:
/etc/rc.d/init.d/sendmail restart

If not, grab the latest sendmail rpm from updates.redhat.com =)

Cheers.
 
Old 11-17-2003, 10:06 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,715
Blog Entries: 54

Rep: Reputation: 2967
...then check the sendmail.cf or nc/telnet to your SMTP port and check out the version number it identifies itself with. If it doesn't, type "help".
If it is the latest, patched version, then check out your sendmail.mc for "confSMTP_LOGIN_MSG" or sendmail.cf for a line starting with "O SmtpGreetingMessage". If it sez "De$j Sendmail $v/$Z ready at $b", then you could replace it with a generic "$j Mailer; $b", restart Sendmail and do another Qualys scan. If it doesn't find your MTA vulnerable, OK, if it does then I hope you did a free scan.
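
The two checks suggested in the replies above (installed package build, then the version shown in the SMTP greeting) combined into one triage script, as an added example that is not part of the original thread. It assumes the scanner's check is version-based; the function names and sample greetings are constructed, and the package comparison is a simplification of rpm's own ordering.

```shell
#!/bin/sh
# Added example (not from the thread): triage a version-based scanner finding
# by comparing the SMTP greeting with the installed package build.
# Values taken from the thread:
FIRST_FIXED_UPSTREAM=8.12.8   # scan report: 5.2 to 8.12.7 affected
FIXED_PKG=8.11.6-27-72        # updated Red Hat build as quoted by the poster
# Constructed sample greetings (hostname and date are made up):
SAMPLE_DEFAULT='220 mail.example.com ESMTP Sendmail 8.11.6/8.11.6; Sat, 15 Nov 2003 20:28:47 -0500'
SAMPLE_GENERIC='220 mail.example.com ESMTP Mailer; Sat, 15 Nov 2003 20:28:47 -0500'

# Print the Sendmail version advertised in a greeting, or nothing if hidden.
banner_version() {
  printf '%s\n' "$1" | sed -n 's/.*Sendmail \([0-9][0-9.]*\).*/\1/p'
}

# Succeed if dotted version $1 is numerically lower than $2.
ver_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 1
}

# $1 = greeting line, $2 = installed version-release, e.g. from
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' sendmail
# Simplification: '-' is treated like '.', which is not rpm's full ordering.
triage() {
  adv=$(banner_version "$1")
  pkg=$(printf '%s' "$2" | tr '-' '.')
  fixed=$(printf '%s' "$FIXED_PKG" | tr '-' '.')
  if ver_lt "$pkg" "$fixed"; then
    echo "package-older-than-fixed-build"
  elif [ -z "$adv" ]; then
    echo "package-fixed-banner-hides-version"
  elif ver_lt "$adv" "$FIRST_FIXED_UPSTREAM"; then
    echo "package-fixed-banner-still-in-affected-range"
  else
    echo "package-fixed-banner-not-in-affected-range"
  fi
}

triage "$SAMPLE_DEFAULT" 8.11.6-3
triage "$SAMPLE_DEFAULT" 8.11.6-27-72
triage "$SAMPLE_GENERIC" 8.11.6-27-72
```

The second result is the case in this thread: the package is at the fixed build, yet the greeting still advertises 8.11.6, which sits inside the range the scan report lists as affected. Only the package comparison says anything about whether the fix is installed; the greeting only determines what a remote version check can see.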
 
  

