[SECURITY-L] [cais em cais.rnp.br: CAIS-Alerta: Remote Buffer Overflow in Sendmail]

Qui Abr 3 09:28:04 -03 2003

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject: CAIS-Alerta:  Remote Buffer Overflow in Sendmail
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Sat, 29 Mar 2003 18:46:28 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

Prezados,

O CAIS esta´ repassando o alerta divulgado hoje pelo CERT/CC, "CERT
Advisory CA-2003-12 Remote Buffer Overflow in Sendmail", a respeito de uma
vulnerabilidade do tipo ´buffer overflow´ no Sendmail. Tal vulnerabilidade
permitiria ser explorada remotamente por um atacante, permitindo-lhe
acesso privilegiado ao sistema -basicamente, acesso de "root" ou de super
usuário- ou causar um ataque do tipo negacao de servico (DoS).

*** Ressalta-se que esta vulnerabilidade e´ diferente à reportada pelo
    CAIS no dia 03/03/2003, acessivel atraves da seguinte URL:

	  http://www.rnp.br/cais/alertas/2003/CA200307.html     ***

Muito provavelmente o Sendmail seja o MTA (Mail Transfer Agent) de maior
uso na Internet (tem sido documentado que entre 50 a 75% dos servidores de
e-mail). Se a isto soma-se o fato que por seu carater publico estes
servidores encontram-se altamente expostos e totalmente impedidos de algum
tipo de protecao por firewalls e/ou filtros de pacotes, o impacto da
exploracao desta vulnerabilidade se torna ainda maior.

Foi reportado tambem que foi possivel implementar um ataque DoS em
laboratorio, assim, o CAIS recomenda fortemente aos administradores que
atualizem os seus sistemas **com urgencia**, devido `a gravidade do
problema notificado.

* Sistemas afetados:

. Sistemas Unix e Linux rodando a versao publica do software Sendmail
  (versoes anteriores a 8.12.9)
. Sendmail Pro (todas as versoes)
. Sendmail Switch 2.1 - versoes anteriores a 2.1.6
. Sendmail Switch 2.2 - versoes anteriores a 2.2.6
. Sendmail Switch 3.0 - versoes anteriores a 3.0.4
. Sendmail para NT 2.X - versoes anteriores a 2.6.3
. Sendmail para NT 3.0 - versoes anteriores a 3.0.4

* Correcoes disponiveis:

Recomenda-se fazer a atualizacao para a versao 8.12.9, disponivel em:

	http://www.sendmail.org/8.12.9.html

Caso esteja utilizando alguma das seguintes versoes: 8.9.x, 8.10.x, 8.11.x
ou 8.12.[1-8], existe a alternativa de se aplicar a correcao ("patch")
respectiva. Tais correcoes podem ser obtidas acessando a seguinte URL:

	http://www.sendmail.org/patchps.html

Para aqueles que usem versoes de Sendmail comerciais, recomenda-se
contatar o seu respectivo fornecedor a fim de providenciar uma correcao.

Caso voce nao tenha condicoes de fazer a atualizacao ou aplicar o patch
*imediatamente*, uma forma de reduzir o impacto da vulnerabilidade e´
habilitar a opcao "RunAsUser". De um modo geral, quando possivel, e´
altamente recomendado limitar os privilegios de uma aplicacao ou servico.

* Maiores informacoes:

	http://www.cert.org/advisories/CA-2003-12.html
	http://www.sendmail.org
	http://www.sendmail.org/8.12.9.html
	http://www.sendmail.com/security
	http://www.kb.cert.org/vuls/id/897604

* Identificador CVE:

O projeto CVE (http://cve.mitre.org), que padroniza nomes para problemas
de seguranca, designou o nome CAN-2003-0161 para esta vulnerabilidade.

Atenciosamente,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP      #
#                                                              #
# cais em cais.rnp.br     http://www.cais.rnp.br                  #
# Tel. 019-37873300    Fax. 019-37873301                       #
# Chave PGP disponivel em: http://www.cais.rnp.br/cais-pgp.key #
################################################################

CERT Advisory CA-2003-12 Buffer Overflow in Sendmail

   Original release date: March 29, 2003
   Last revised:
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Sendmail Pro (all versions)
     * Sendmail Switch 2.1 prior to 2.1.6
     * Sendmail Switch 2.2 prior to 2.2.6
     * Sendmail Switch 3.0 prior to 3.0.4
     * Sendmail for NT 2.X prior to 2.6.3
     * Sendmail for NT 3.0 prior to 3.0.4
     * Systems  running  open-source  sendmail  versions prior to 8.12.9,
       including UNIX and Linux systems

Overview

   There  is a vulnerability in sendmail that can be exploited to cause a
   denial-of-service  condition  and  could  allow  a  remote attacker to
   execute  arbitrary  code  with  the privileges of the sendmail daemon,
   typically root.

I. Description

   There  is  a remotely exploitable vulnerability in sendmail that could
   allow  an  attacker  to  gain control of a vulnerable sendmail server.
   Address  parsing code in sendmail does not adequately check the length
   of  email addresses. An email message with a specially crafted address
   could  trigger  a stack overflow. This vulnerability was discovered by
   Michal Zalewski.

   This vulnerability is different than the one described in CA-2003-07.

   Most  organizations  have  a variety of mail transfer agents (MTAs) at
   various  locations  within their network, with at least one exposed to
   the   Internet.   Since   sendmail  is  the  most  popular  MTA,  most
   medium-sized  to  large  organizations are likely to have at least one
   vulnerable   sendmail   server.  In  addition,  many  UNIX  and  Linux
   workstations  provide  a  sendmail  implementation that is enabled and
   running by default.

   This    vulnerability    is    message-oriented    as    opposed    to
   connection-oriented. That means that the vulnerability is triggered by
   the  contents  of  a  specially-crafted  email  message rather than by
   lower-level  network  traffic.  This  is important because an MTA that
   does  not  contain  the  vulnerability will pass the malicious message
   along  to  other  MTAs  that may be protected at the network level. In
   other  words, vulnerable sendmail servers on the interior of a network
   are  still  at risk, even if the site's border MTA uses software other
   than sendmail. Also, messages capable of exploiting this vulnerability
   may pass undetected through many common packet filters or firewalls.

   This   vulnerability  has  been  successfully  exploited  to  cause  a
   denial-of-service   condition  in  a  laboratory  environment.  It  is
   possible that this vulnerability could be used to execute code on some
   vulnerable systems.

   The CERT/CC is tracking this issue as VU#897604. This reference number
   corresponds to CVE candidate CAN-2003-0161.

   For more information, please see

          http://www.sendmail.org
          http://www.sendmail.org/8.12.9.html
          http://www.sendmail.com/security/

   For  the  latest  information  about this vulnerability, including the
   most recent vendor information, please see

          http://www.kb.cert.org/vuls/id/897604

   This vulnerability is distinct from VU#398025.

II. Impact

   Successful   exploitation   of   this   vulnerability   may   cause  a
   denial-of-service   condition   or  allow  an  attacker  to  gain  the
   privileges  of  the  sendmail  daemon, typically root. Even vulnerable
   sendmail  servers  on  the  interior of a given network may be at risk
   since  the  vulnerability  is triggered by the contents of a malicious
   email message.

III. Solution

Apply a patch from Sendmail, Inc.

   Sendmail  has produced patches for versions 8.9, 8.10, 8.11, and 8.12.
   However,  the  vulnerability  also  exists  in earlier versions of the
   code;  therefore,  site  administrators  using  an earlier version are
   encouraged  to upgrade to 8.12.9. These patches, and a signature file,
   are located at

          ftp://ftp.sendmail.org/pub/sendmail/prescan.tar.gz.uu
          ftp://ftp.sendmail.org/pub/sendmail/prescan.tar.gz.uu.asc

Apply a patch from your vendor

   Many  vendors  include  vulnerable  sendmail  servers as part of their
   software distributions. We have notified vendors of this vulnerability
   and  recorded  the  statements  they  provided  in  Appendix A of this
   advisory.  The  most  recent  vendor  information  can be found in the
   systems affected section of VU#897604.

Enable the RunAsUser option

   There is no known workaround for this vulnerability. Until a patch can
   be  applied,  you  may  wish to set the RunAsUser option to reduce the
   impact  of this vulnerability. As a good general practice, the CERT/CC
   recommends  limiting  the  privileges  of  an  application  or service
   whenever possible.

Appendix A. - Vendor Information

   This  appendix  contains  information  provided  by  vendors  for this
   advisory.  As  vendors  report new information to the CERT/CC, we will
   update this section and note the changes in our revision history. If a
   particular  vendor  is  not  listed  below, we have not received their
   comments.

Red Hat Inc.

   Red  Hat  distributes  sendmail in all Red Hat Linux distributions. We
   are  currently [Mar29] working on producing errata packages to correct
   this  issue,  when  complete  these  will  be available along with our
   advisory  at  the  URL  below.  At  the same time users of the Red Hat
   Network will be able to update their systems using the 'up2date' tool.

   Red Hat Linux:

          http://rhn.redhat.com/errata/RHSA-2003-120.html

   Red Hat Enterprise Linux:

          http://rhn.redhat.com/errata/RHSA-2003-121.html

The Sendmail Consortium

   The  Sendmail  Consortium  recommends  that  sites  upgrade  to 8.12.9
   whenever possible. Alternatively, patches are available for 8.9, 8.10,
   8.11, and 8.12 on http://www.sendmail.org/.

Sendmail, Inc.

   All  commercial  releases including Sendmail Switch, Sendmail Advanced
   Message  Server (which includes the Sendmail Switch MTA), Sendmail for
   NT,  and Sendmail Pro are affected by this issue. Patch information is
   available at http://www.sendmail.com/security/.
     _________________________________________________________________

   Our  thanks  to  Eric  Allman,  Claus  Assmann, Greg Shapiro, and Dave
   Anderson  of  Sendmail  for  reporting  this  problem  and  for  their
   assistance in coordinating the response to this problem. We also thank
   Michal Zalewski for discovering this vulnerability.
     _________________________________________________________________

   Authors: Art Manion and Shawn V. Hernan
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2003-12.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert em cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

Getting security information

   CERT  publications  and  other security information are available from
   our web site
   http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo em cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   March 29,2003: Initial release
- ------------ Output from pgp ------------
Pretty Good Privacy(tm) Version 6.5.8
(c) 1999 Network Associates Inc.
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Export of this software may be restricted by the U.S. government.
File is signed.  signature not checked.
Signature made 2003/03/29 19:52 GMT
key does not meet validity threshold.
WARNING:  Because this public key is not certified with a trusted
signature, it is not known with high confidence that this public key
actually belongs to: "(KeyID: 0xD9513B39)".

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPoYUSukli63F4U8VAQH+OgQAvvDiOQDLKikTSwpFUVZnGCk7ZdsQ6AVP
JMf13Dhn37gAb99mTvlO5Qac5xdE3nFrSoLWvRoKSCcqyRTqvzwPxsOPYnCTinnb
1W94ZFcwj5HJ5jQgU/g08bhVvSgVAI+5fBAcH+UWwpzT5as3+In5jncKVF0nkSJz
8uIRugEb2Nk=
=FmHB
-----END PGP SIGNATURE-----

----- End forwarded message -----