WARN: Critical Sendmail Vulnerability

justanothersteve · 03-22-2006, 09:06 PM

Sorry if this has been posted already, I came across this article and thought I'd help spread the word to updgrade.

http://news.com.com/Sendmail+flaw+op...3-6052758.html

Again, I apologize if this has been posted

gilead · 03-22-2006, 09:34 PM

I haven't seen it reported here (until now

) but the Sendmail mailing list notification of the availability of 8.13.6 is out and so is the Slackware Security mailing list's advisory for the new package.

Bugtraq also has notifications of updates for sendmail on FreeBSD and Suse (with others to follow I'm sure).

I only mention it as a plug for some sources of this kind of information...

Capt_Caveman · 03-22-2006, 09:42 PM

ISS has identified a race condition in Sendmail that allows a remote attacker to execute arbitrary code with the privileges of the Sendmail user, often root. All Sendmail users are advised to immediately upgrade to version 8.13.6+. Thanks to justanothersteve for reporting this vuln.

Additional links:
http://www.securityfocus.com/bid/17192/discuss
http://www.sendmail.com/company/advi....shtml#exploit

nx5000 · 03-23-2006, 02:33 AM

Maybe time to switch to postfix?

CrEsPo · 03-23-2006, 06:32 PM

Just found out about this, here's the CERT advisory.

simcox1 · 04-04-2006, 01:45 AM

Are these security advisories really that critical? Apparently this Sendmail problem doesn't have anything to do with normal sending/receiving email. It's to do with some very specific connection conditions.

nx5000 · 04-04-2006, 09:08 AM

No its not critical it has just been rated 8/10 .. Could be 9 or 10

Btw sendmail.org is the original sendmail homepage. The .com have some patches to sendmail.org code.

"It's to do with some very specific connection conditions."
Very specific doesn't mean it can't be achieved, It's never good to minimize.
There is a remotely critical exploitable bug that doesn't need authentication.
There is a patch, you have to apply it. Easy

Capt_Caveman · 04-04-2006, 11:44 PM

Quote:

Originally Posted by simcox1

Are these security advisories really that critical? Apparently this Sendmail problem doesn't have anything to do with normal sending/receiving email. It's to do with some very specific connection conditions.

There is already PoC code available for this. Given that you'd be executing arbitrary code as root, that's pretty bad in my book. Secunia lists this as "highly critical" though I've seen it as "high" too. I certainly wouldn't want to have a vulnerable version running when it goes from PoC to exploit in wild.

king111 · 04-09-2006, 10:36 AM

Sendmail vulnerabilities ... Where have I heard that before? And, uh, yeah, any vulnerability that could potentially allow an attacker to root you is pretty bad. Race conditions aren't as critical as some might think, but they're still bad and especially bad with a highly popular MTA like sendmail.

simcox1 · 04-09-2006, 03:25 PM

I know it's important to keep up to date etc, and apply patches, but I wonder how critical some of the updates are. Sometimes all you're doing is fixing a bug while installing a new one.

gbell72 · 05-09-2006, 04:16 PM

I agree with nx5000, if you care about security whatsoever switch to postfix, or any other MTA for that matter that doesn't have near as many CERT advisories as Sendmail does.

Unless you are absolutely confident you understand sendmail configuration and macros, do not put sendmail on an internet accessible server.