[SECURITY-L] [S] Major Internet vulnerability discovered in e-mail protocol

Silvana Mieko Misuta mieko em ccuec.unicamp.br
Thu Mar 6 09:24:18 -03 2003


    Subject: [S] Major Internet vulnerability discovered in e-mail protocol
       Date: Wed, 5 Mar 2003 18:44:02 -0300
       From: Cristine Hoepers <cristine em nic.br>
   Reply-To: seguranca em pangeia.com.br
         To: seguranca em pangeia.com.br

[http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78991,00.html]

   Major Internet vulnerability discovered in e-mail protocol
   By DAN VERTON
   MARCH 03, 2003
   Source: Computerworld


   The Department of Homeland Security (DHS) has been working in secret
   for more than two weeks with the private sector to fix a major
   Internet vulnerability that could have had disastrous consequences
   for millions of businesses and the U.S. military.

   Since early December, the DHS and the White House Office of
   Cyberspace Security have been working with Atlanta-based Internet
   Security Systems Inc. (ISS) to alert IT vendors and the business
   community about a major buffer-overflow vulnerability in the sendmail
   mail-transfer agent (MTA).

   Sendmail is the most common MTA and handles 50% to 75% of all
   Internet e-mail traffic. Versions of the software, from 5.79 to
   8.12.7, are vulnerable, according to an ISS alert issued publicly
   today.

   According to sources familiar with the investigation, ISS discovered
   the vulnerability on Dec. 1. It contacted the homeland security
   officials on Dec. 5, who began alerting IT vendors that distribute
   sendmail, including Sun Microsystems Inc., IBM, Hewlett-Packard Co.
   and Silicon Graphics Inc., as well as the Sendmail Consortium, the
   organization that develops the open-source version of sendmail that
   is distributed with both free and commercial operating systems. Those
   vendors were told of the flaw on Jan. 13. The seriousness of the
   vulnerability, coupled with the fact that the hacker community wasn't
   yet aware of it, led the government and ISS to decide it was better
   to keep the news under wraps until patches could be developed.

   The Sendmail Consortium is urging all users to upgrade to Sendmail
   8.12.8 or apply a patch for 8.12.x or for older versions. Updates can
   be downloaded from ftp.sendmail.org or any of its mirrors, or from
   the Sendmail Consortium's Web site. The consortium said patch users
   should remember to check the Pretty Good Privacy signatures of any
   patches or releases obtained. It also suggested that users running
   the open-source version of sendmail check with their vendors for a
   patch.


   Emeryville, Calif.-based Sendmail Inc., the commercial provider of
   the sendmail MTA, is providing a binary patch for its commercial
   customers that can be downloaded from its Web site at:
   www.sendmail.com/.

   "The Remote Sendmail Header Processing Vulnerability allows local and
   remote users to gain almost complete control of a vulnerable Sendmail
   server," according to an alert prepared today by the DHS. "Attackers
   gain the ability to execute privileged commands using super-user
   (root) access/control. This vulnerability can be exploited through a
   simple e-mail message containing malicious code.

   "System administrators should be aware that many Sendmail servers are
   not typically shielded by perimeter defense applications" such as
   firewalls, warned the DHS alert, which hadn't yet been made publicly
   available as of midafternoon. "A successful attacker could install
   malicious code, run destructive programs and modify or delete files."


   In addition, attackers could gain access to other systems through a
   compromised sendmail server, depending on local configurations,
   according to the DHS warning.

   According to ISS, the sendmail remote vulnerability occurs when
   processing and evaluating header fields in e-mail collected during a
   Simple Mail Transfer Protocol transaction. Specifically, when fields
   are encountered that contain addresses or lists of addresses (such as
   the "From" field, "To" field and "CC" field), sendmail attempts to
   semantically evaluate whether the supplied address or list of
   addresses is valid. This is accomplished using the crackaddr()
   function, which is located in the headers.c file in the sendmail
   source tree.

   A static buffer is used to store data that has been processed.
   Sendmail detects when this buffer becomes full and stops adding
   characters, although it continues processing. Sendmail implements
   several security checks to ensure that characters are parsed
   correctly. One such security check is flawed, making it possible for
   a remote attacker to send an e-mail with a specially crafted address
   field that triggers a buffer overflow.
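   The two paragraphs above give the shape of the defect without its
   details: a fixed buffer, a fullness check, scanning that continues
   after the buffer fills, and one bounds check that can be confused by
   the input. The C program below is an added illustration written for
   this page; it is not sendmail's crackaddr() and does not reproduce
   the flaw. It shows the defensive pattern one wants in a routine of
   this kind: the remaining space is a single counter derived only from
   the buffer size and never adjusted by characters seen in the input,
   scanning continues after the buffer is full so the comment-nesting
   state stays consistent, and truncation is reported to the caller
   rather than silently swallowed. ADDR_BUF_SIZE, the function names
   and the sample header values are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed buffer size; stands in for the static buffer the
 * article describes. Kept small so truncation is easy to exercise. */
#define ADDR_BUF_SIZE 64

/* Copy the address portion of a header field into a fixed-size buffer,
 * dropping RFC 822 comments "( ... )" (nesting allowed) and unescaping
 * quoted pairs ("\x" becomes "x"). When the buffer is full, writing stops
 * but scanning continues so the comment-nesting state stays consistent.
 * The output is always NUL-terminated when outsz > 0.
 * Returns the number of characters that did not fit (0 = no truncation). */
size_t copy_addr_bounded(const char *in, char *out, size_t outsz)
{
    size_t room = (outsz > 0) ? outsz - 1 : 0;  /* data bytes, NUL excluded */
    size_t used = 0, dropped = 0;
    int depth = 0;                               /* comment nesting depth */

    for (const char *p = in; *p != '\0'; p++) {
        char c = *p;
        if (c == '\\' && p[1] != '\0') {         /* quoted pair: literal */
            p++;
            c = *p;
        } else if (c == '(') {
            depth++;
            continue;
        } else if (c == ')') {
            if (depth > 0)
                depth--;
            continue;
        }
        if (depth > 0)
            continue;                            /* inside a comment */
        /* The single bounds decision: 'room' is derived from outsz alone
         * and is never moved by anything seen in the input. */
        if (used < room)
            out[used++] = c;
        else
            dropped++;
    }
    if (outsz > 0)
        out[used] = '\0';
    return dropped;
}

/* Wrapper around a static buffer, mirroring the article's description. */
const char *crack_static(const char *in)
{
    static char addr[ADDR_BUF_SIZE];
    copy_addr_bounded(in, addr, sizeof addr);
    return addr;
}

/* How many characters 'in' loses when copied into 'outsz' bytes
 * (outsz is clamped to ADDR_BUF_SIZE). */
size_t dropped_for(const char *in, size_t outsz)
{
    char tmp[ADDR_BUF_SIZE];
    if (outsz > sizeof tmp)
        outsz = sizeof tmp;
    return copy_addr_bounded(in, tmp, outsz);
}

/* Stress check on a constructed input: 'pattern' repeated 'reps' times is
 * copied into a fixed buffer that is followed by guard bytes. Returns 1 if
 * the guard is untouched and the result is NUL-terminated within bounds. */
int bounded_copy_holds(const char *pattern, size_t reps)
{
    char in[4096];
    size_t plen = strlen(pattern), n = 0;
    while (reps > 0 && n + plen < sizeof in) {
        memcpy(in + n, pattern, plen);
        n += plen;
        reps--;
    }
    in[n] = '\0';

    struct { char buf[ADDR_BUF_SIZE]; unsigned char guard[8]; } s;
    memset(s.guard, 0x5a, sizeof s.guard);
    copy_addr_bounded(in, s.buf, sizeof s.buf);

    for (size_t i = 0; i < sizeof s.guard; i++)
        if (s.guard[i] != 0x5a)
            return 0;
    return memchr(s.buf, '\0', sizeof s.buf) != NULL;
}

int main(void)
{
    /* Constructed sample header values, not taken from real mail. */
    printf("%s\n", crack_static("Alice (Example Corp) <alice@example.com>"));
    printf("dropped=%zu\n", dropped_for("abcdefghijklmnopqrst", 8));
    printf("holds=%d\n", bounded_copy_holds("<", 1000));
    return 0;
}
```

   The point of bounded_copy_holds() is the kind of check a reviewer
   would run against any fixed-buffer header parser: feed it long runs
   of the characters that change parser state (angle brackets,
   parentheses, backslashes) and confirm that guard bytes after the
   buffer survive and the result is still terminated. A parser whose
   limit pointer moves in response to those characters is exactly the
   one such a test should catch.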

   "Sendmail's vulnerability offers a legitimate test [of the new DHS
   and its ability to work with the private sector] because sendmail
   handles a large amount of Internet mail traffic and is installed on
   at least 1.5 million Internet-connected systems," said an alert from
   the SANS Institute in Bethesda, Md., that was obtained by
   Computerworld today.

   "More than half of the large ISPs and Fortune 500 companies use
   sendmail, as do tens of thousands of other organizations. A security
   hole in sendmail affects a lot of people and demands their immediate
   attention."

   Of particular concern to the White House was the potential
   vulnerability of the U.S. military, which is poised to begin
   offensive military operations in Iraq and is simultaneously facing
   the possibility of conflict on the Korean peninsula. As a result,
   early versions of available patches were distributed first to U.S.
   military organizations on Feb. 25 and 26, according to the SANS
   alert. The advance military alert was followed last Thursday and
   Friday with alerts to various government organizations in the U.S.
   and around the world, including the Information Sharing and Analysis
   Centers (ISAC).


   "Some of the large commercial vendors developed patches very quickly.
   But the delayed notice to smaller sources of sendmail distributions
   and limited resources at those organizations meant that not all the
   patches would be ready by early in the week of February 23,"
   according to the SANS analysis of the public/private response effort.

   A senior-level coordination group of government and private-sector
   experts then decided, based on a review of cyberintelligence from
   various hacker discussion boards and a series of sensors deployed
   around the world by ISS, that it was safe to wait until all the
   patches were available before alerting the general business and
   Internet community to the vulnerability.

   Beginning today at 10 a.m. EST, alerts began flowing from the Federal
   Computer Incident Response Center to federal agencies and from the
   ISACs to companies responsible for critical infrastructure. At noon
   EST today, ISS released its own advisory, followed by a general
   alert from the CERT Coordination Center at Carnegie Mellon University
   in Pittsburgh.




More details about the SECURITY-L mailing list