[SECURITY-L] CAIS-Alerta: Remote vulnerability in Sendmail

Security Team - UNICAMP security at unicamp.br
Fri Aug 29 08:52:29 -03 2003


----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br>
Subject: CAIS-Alerta: Remote vulnerability in Sendmail
To: rnp-alerta at cais.rnp.br, rnp-seg at cais.rnp.br
Date: Thu, 28 Aug 2003 16:35:12 -0300 (BRT)



Dear all,

CAIS is forwarding the advisory released by the FreeBSD Project,
"FreeBSD-SA-03:11.sendmail Sendmail DNS MAP problem", regarding a
"buffer overflow" vulnerability in Sendmail. This vulnerability may
allow an attacker to cause a denial-of-service (DoS) attack.

The affected Sendmail versions contain an error in the code that handles
the replies to DNS MAP requests, allowing an attacker to send specially
crafted packets that make the system unavailable. Although there is no
confirmed case, this problem may allow other forms of attack, such as
arbitrary code execution.


* Affected systems:

	. Unix and Linux systems running the public version of Sendmail,
          versions 8.12.0 through 8.12.8.


* Available fixes:

Upgrading to version 8.12.9 is recommended. It is available at:

        http://www.sendmail.org/8.12.9.html

Alternatively, the corresponding patch can be applied. These patches can
be obtained from the following URL:

        http://www.sendmail.org/patchps.html

If you are unable to upgrade or apply the patch *immediately*, one way to
reduce the impact of the vulnerability is to disable DNS MAP support in
the sendmail.cf file.


* Further information:

        http://www.sendmail.org
        http://www.sendmail.org/8.12.9.html
        http://www.sendmail.com/security
        http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/54367


* CVE identifier: CAN-2003-0688, (http://cve.mitre.org)


CAIS recommends that administrators always keep their systems and
applications up to date, in accordance with the latest versions and fixes
made available by the vendors.

Sincerely,


################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP      #
#                                                              #
# cais at cais.rnp.br     http://www.cais.rnp.br               #
# Tel. 019-37873300    Fax. 019-37873301                       #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################


=============================================================================
FreeBSD-SA-03:11.sendmail                                   Security Advisory
                                                          The FreeBSD Project

Topic:          sendmail DNS map problem

Category:       contrib
Module:         contrib_sendmail
Announced:      2003-08-26
Credits:        Oleg Bulyzhin <oleg at rinet.ru>
Affects:        4.6-RELEASE (up to -p16), 4.7-RELEASE (up to -p13),
                4.8-RELEASE (up to -p3), 5.0-RELEASE (up to -p11)
                4-STABLE prior to Mar 29 19:33:18 2003 UTC
Corrected:      2003-08-25 22:33:14 UTC (RELENG_5_0)
                2003-08-25 22:35:23 UTC (RELENG_4_8)
                2003-08-25 22:36:10 UTC (RELENG_4_7)
                2003-08-25 22:38:53 UTC (RELENG_4_6)
FreeBSD only:   NO

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

FreeBSD includes sendmail(8), a general purpose internetwork mail
routing facility, as the default Mail Transfer Agent (MTA).

II.  Problem Description

Some versions of sendmail (8.12.0 through 8.12.8) contain a
programming error in the code that implements DNS maps.  A malformed
DNS reply packet may cause sendmail to call `free()' on an
uninitialized pointer.

NOTE: The default sendmail configuration in FreeBSD does not utilize
DNS maps.

III. Impact

Calling `free()' on an uninitialized pointer may result in a sendmail
child process crashing.  It may also be possible for an attacker to
somehow influence the value of the `uninitialized pointer' and cause
an arbitrary memory chunk to be freed.  This could further lead to
some other exploitable vulnerability, although no such cases are known
at this time.

IV.  Workaround

Do not use DNS maps.

V.   Solution

Do one of the following:

1) Upgrade your vulnerable system to 4-STABLE, 5.1-RELEASE, or to the
RELENG_5_1, RELENG_4_8, or RELENG_4_7 security branch dated after the
correction date (5.1-RELEASE-p11, 4.8-RELEASE-p4, or 4.7-RELEASE-p14,
respectively).

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 5.0, 4.8,
4.7, and 4.6 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:11/sendmail.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:11/sendmail.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libsm
# make obj && make depend && make
# cd /usr/src/lib/libsmutil
# make obj && make depend && make
# cd /usr/src/usr.sbin/sendmail
# make obj && make depend && make && make install

c) Restart sendmail.  Execute the following command as root.

# /bin/sh /etc/rc.sendmail restart

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                                             Revision
  Branch
-------------------------------------------------------------------------
src/UPDATING
  RELENG_5_0                                                   1.229.2.17
  RELENG_4_8                                                1.73.2.80.2.6
  RELENG_4_7                                               1.73.2.74.2.17
  RELENG_4_6                                               1.73.2.68.2.45
src/sys/conf/newvers.sh
  RELENG_5_0                                                    1.48.2.12
  RELENG_4_8                                                1.44.2.29.2.5
  RELENG_4_7                                               1.44.2.26.2.16
  RELENG_4_6                                               1.44.2.23.2.34
src/contrib/sendmail/src/sm_resolve.c
  RELENG_5_0                                                  1.1.1.4.2.1
  RELENG_4_8                                              1.1.1.1.2.2.4.1
  RELENG_4_7                                              1.1.1.1.2.2.2.1
  RELENG_4_6                                              1.1.1.1.2.1.2.2
-------------------------------------------------------------------------

VII. References

<URL:http://www.sendmail.org/dnsmap1.html>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0688>




----- End forwarded message -----
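
A triage check for the two conditions the advisory names (sendmail version 8.12.0 through 8.12.8, and a DNS map configured in sendmail.cf), added here as an example and not part of the CAIS or FreeBSD text. The function names and the sample configuration are constructed for illustration; a vendor build that backported the fix without changing its version number will still be reported as affected.

```shell
#!/bin/sh
# Added example: triage for the sendmail DNS map problem (CAN-2003-0688).
# On a live host the version can be read with: sendmail -d0.1 -bv root

# Return 0 if VERSION (e.g. "8.12.8") is inside the affected range 8.12.0-8.12.8.
version_affected() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split major.minor.patch on dots
    IFS=$old_ifs
    major=$1 minor=$2
    # Keep only the leading digits of the patch level (drops vendor suffixes).
    patch=$(printf '%s\n' "${3:-0}" | sed 's/[^0-9].*$//')
    [ "$major" = 8 ] && [ "$minor" = 12 ] && [ "${patch:-0}" -le 8 ]
}

# Print the names of maps declared with class "dns" in a sendmail.cf file.
# Map declarations have the form: K<name> <class> <arguments>
dns_maps() {
    awk '/^K/ && $2 == "dns" { print substr($1, 2) }' "$1"
}

# Combine both checks into one verdict for a host.
assess() {
    version=$1 cf=$2
    if ! version_affected "$version"; then
        echo "not-affected"
    elif [ -n "$(dns_maps "$cf")" ]; then
        echo "affected-dns-map-in-use"     # patch or upgrade first
    else
        echo "affected-no-dns-map"         # workaround already in effect
    fi
}

# Constructed sample configuration (not taken from a real host).
sample_cf() {
    cat <<'EOF'
# comment line mentioning dns
Kaccess hash /etc/mail/access
Kdnsbl dns -R A
Kmxlookup dns -R MX
EOF
}

tmp=$(mktemp) && sample_cf > "$tmp"
echo "8.12.8 with sample cf: $(assess 8.12.8 "$tmp")"
echo "8.12.9 with sample cf: $(assess 8.12.9 "$tmp")"
rm -f "$tmp"
```

A host reported as affected-no-dns-map still runs the vulnerable code and should be upgraded or patched as described in section V.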


