__________________________________________________________

                     The U.S. Department of Energy
                 Computer Incident Advisory Capability
__________________________________________________________

                          INFORMATION BULLETIN

              Sendmail 8.12.9 Prescan and Ruleset Parsing Bugs

September 17, 2003 17:00 GMT                                    Number N-149
[REVISED 22 Sept 2003]
[REVISED 23 Sept 2003]
[REVISED 26 Sept 2003]
[REVISED 30 Sept 2003]
[REVISED 1 Oct 2003]
[REVISED 27 Oct 2003]
[REVISED 21 Nov 2003]
[REVISED 17 Dec 2003]
[REVISED 20 Jan 2004]
[REVISED 07 Jun 2004]
[REVISED 25 Feb 2005]
[REVISED 13 Apr 2005]
______________________________________________________________________________

PROBLEM:       Two buffer overflows have been found in Sendmail. The first,
               in address parsing (the "prescan" bug of the title), can be
               triggered by a remote attacker with a crafted message and
               could give an intruder remote access to the system. The
               second, in ruleset parsing, is not exploitable with the
               default configuration and only matters where non-standard
               recipient (2), final (4), or mailer-specific envelope
               recipient rulesets are in use.

SOFTWARE:      Sendmail 8.12.9 and earlier

PLATFORM:      HP-UX B.11.00, B.11.04, B.11.04 (VVOS), B.11.11, B.11.22,
               B.11.23, B.11.23 (PA)
               Mac OS X versions prior to 10.2.8
               IRIX (fixed in 6.5.22 or by patches 5325 and 5326)
               SPARC Solaris 7, 8, 9
               x86 Solaris 7, 8, 9
               Red Hat Linux products
               Sun Linux 5.0 w/sendmail versions 8.11.6-3 or earlier
               Sun Cobalt Qube3 w/sendmail versions 8.10.2-C4stackguard or
                 earlier
               RaQ4 w/sendmail versions 8.10.2-C4stackguard or earlier
               RaQ550 w/sendmail versions 8.11.6-1C6stackguard or earlier
               RaQXTR w/sendmail versions 8.11.6-1C6stackguard or earlier

DAMAGE:        A remote intruder could execute code on the system. Because
               sendmail normally runs with root privileges, this amounts to
               root access.

SOLUTION:      Install Sendmail 8.12.10, available from www.sendmail.org
               (or apply the 8.12.9 patch, verifying its PGP signature), or
               install the vendor patches for your environment listed under
               ADDITIONAL LINKS. Note that vendor builds may carry the fix
               under an older version number; rely on the vendor advisory,
               not the version string alone.
______________________________________________________________________________

VULNERABILITY  The risk is HIGH. We have not seen an exploit for this
ASSESSMENT:    vulnerability. This vulnerability could be exploited to give
               an intruder root access to a system.
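The SOFTWARE and SOLUTION entries above come down to one question per host: is the Sendmail in use older than 8.12.10, and if so, has the vendor backported the fix? The following POSIX shell script is an added example (this editor's, not CIAC's or sendmail.org's) that pulls the version out of an SMTP greeting and compares it with 8.12.10. The greeting lines at the bottom are constructed for the example; the function and variable names are the author's own. Two caveats are built into the output: a version before 8.12.10 on a vendor build (Red Hat's 8.11.6-3, Sun's patched 8.12.9) may already be fixed, so the script reports "check-vendor" rather than "vulnerable"; and an administrator can change the greeting with the SmtpGreetingMessage option, so an unexpected banner means "look closer", not "not Sendmail".

```shell
#!/bin/sh
# Added example for CIAC N-149; not CIAC's or sendmail.org's code.
# Classifies Sendmail version strings (or whole SMTP greeting lines) against
# the 8.12.10 release that carries the upstream fix. Sample banners at the
# bottom are constructed, not captured from real hosts.

# sendmail_version_from_banner BANNER: print "major.minor.patch" from a
# greeting such as
#   220 mx.example.org ESMTP Sendmail 8.12.9/8.12.9; Wed, 17 Sep 2003 ...
# Prints nothing when the line does not look like a Sendmail greeting.
sendmail_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/.*Sendmail \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# needs_8_12_10 VERSION: true (0) when VERSION sorts before 8.12.10, i.e.
# the upstream code predates the fix. Suffixes such as "-3" or "+Sun" on the
# last component are ignored; they are vendor release tags, not upstream
# versions.
needs_8_12_10() {
    maj=${1%%.*}
    case $1 in
        *.*) rest=${1#*.} ;;
        *)   rest=0 ;;
    esac
    case $rest in
        *.*) min=${rest%%.*}; pat=${rest#*.} ;;
        *)   min=$rest;       pat=0 ;;
    esac
    min=${min%%[!0-9]*}; [ -n "$min" ] || min=0
    pat=${pat%%[!0-9]*}; [ -n "$pat" ] || pat=0
    if [ "$maj" -lt 8 ]; then return 0; fi
    if [ "$maj" -gt 8 ]; then return 1; fi
    if [ "$min" -lt 12 ]; then return 0; fi
    if [ "$min" -gt 12 ]; then return 1; fi
    [ "$pat" -lt 10 ]
}

# classify_banner BANNER: prints one of
#   fixed (V)         upstream version 8.12.10 or later
#   check-vendor (V)  predates 8.12.10; the vendor may have backported the
#                     fix, so consult the vendor advisory before calling it
#                     vulnerable
#   unknown           not recognisably a Sendmail greeting
classify_banner() {
    v=$(sendmail_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif needs_8_12_10 "$v"; then
        echo "check-vendor ($v)"
    else
        echo "fixed ($v)"
    fi
}

# Constructed sample greetings for the example.
SAMPLE_BANNERS='220 mx1.example.org ESMTP Sendmail 8.12.9/8.12.9; Wed, 17 Sep 2003 10:00:00 -0700
220 mx2.example.org ESMTP Sendmail 8.12.10/8.12.10; Thu, 18 Sep 2003 10:00:00 -0700
220 mx3.example.org ESMTP Sendmail 8.11.6/8.11.6; Thu, 18 Sep 2003 10:00:00 -0700
220 mx4.example.org ESMTP Postfix'

printf '%s\n' "$SAMPLE_BANNERS" | while IFS= read -r line; do
    host=$(printf '%s' "$line" | cut -d' ' -f2)
    printf '%-20s %s\n' "$host" "$(classify_banner "$line")"
done
```

To use it on live hosts, feed it the first line returned on port 25 (for example the output of a scripted connect that reads one line and closes) and then reconcile every "check-vendor" host against the ADDITIONAL LINKS below, or against `sendmail -d0.1 -bv root` on the host itself, which prints the compiled-in version regardless of the greeting.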
______________________________________________________________________________

 LINKS:
  CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-149.shtml
  ORIGINAL BULLETIN:  http://www.sendmail.org/8.12.10.html
  ADDITIONAL LINKS:
    Visit the HEWLETT PACKARD Subscription Service for:
      HPSBUX0309-281 (SSRT3631) (Rev. 9)
    CERT Advisory CA-2003-25
      http://www.cert.org/advisories/CA-2003-25.html
    Apple Security Advisory - Mac OS X 10.2.8 (APPLE-SA-2003-09-22)
      http://net-security.org/advisory.php?id=2546
      http://docs.info.apple.com/article.html?artnum=61798
    RedHat Advisory RHSA-2003:283-09
      https://rhn.redhat.com/errata/RHSA-2003-283.html
    RedHat Advisory RHSA-2003:284-05
      https://rhn.redhat.com/errata/RHSA-2003-284.html
    SGI Security Advisory 20030903-01-P
      http://www.sgi.com/support/security/
    Sun Microsystems Alert ID: 56860
      http://www.sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56860&zone_32=category%3Asecurity
    Sun Microsystems Alert ID: 57573
      http://www.sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57573&zone_32=category%3Asecurity
    Sun Alert ID: 56922
      http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-56922-1&searchclause=%22category:security%22%20%22availability,%20security%22
______________________________________________________________________________

 REVISION HISTORY:
  9/22/03  - Updated PLATFORM section; updated SOLUTION section; added links
             for Hewlett Packard HPSBUX0309-281 (SSRT3631) and CERT Advisory
             CA-2003-25.
  9/23/03  - Updated PLATFORM section; updated SOLUTION section; added link
             for Apple Security Advisory - Mac OS X 10.2.8
             (APPLE-SA-2003-09-22).
  9/26/03  - Updated ADDITIONAL LINKS: added link for RedHat Advisory
             RHSA-2003:283-09.
  9/30/03  - Updated ADDITIONAL LINKS: added link for SGI Security Advisory
             20030903-01-P.
  10/1/03  - Updated PLATFORM section; added link for Sun Microsystems Alert
             ID: 56860.
  10/27/03 - Added link to Red Hat Advisory RHSA-2003:284 for information on
             patches for the Red Hat Enterprise Linux products.
  11/21/03 - Added HP-UX B.11.23 to the PLATFORM section.
  12/17/03 - Updated to reflect rev. 7 of HPSBUX0309-281, announcing the
             release of patches for the B.11.22 and B.11.23 platforms.
  1/20/04  - Updated to reflect rev. 8 of HPSBUX0309-281, announcing the
             release of patches for the B.11.04 platform.
  6/07/04  - Added link to Sun Alert ID 57573, which covers the ruleset
             parsing vulnerability in sendmail(1M) versions earlier than
             8.12.10 and provides patches for it.
  02/25/05 - Added HP-UX B.11.23 (PA) to the PLATFORM section because
             Hewlett-Packard added it to security bulletin HPSBUX0309-281
             (SSRT3631) rev. 9.
  04/13/05 - Added link to Sun Alert ID 56922 for Sun Linux 5.0 and the Sun
             Cobalt Qube3, RaQ4, RaQ550 and RaQXTR.

[***** Start Sendmail 8.12.10 *****]

Sendmail 8.12.10

Sendmail, Inc., and the Sendmail Consortium announce the availability of
sendmail 8.12.10. It contains a fix for a security problem discovered by
Michal Zalewski, whom we thank for bringing this problem to our attention.
We also want to thank Todd C. Miller for providing a patch. sendmail 8.12.10
also includes fixes for other potential problems; see the release notes
below for more details.

Sendmail urges all users to either upgrade to sendmail 8.12.10 or apply a
patch. Remember to check the PGP signatures of patches or releases obtained
via FTP or HTTP (to check the correctness of the patch in this announcement,
please verify its PGP signature). For those not running the open source
version, check with your vendor for a patch.

For a complete list of changes see the release notes below. Please send bug
reports to sendmail-bugs@sendmail.org as usual. Please send security reports
to sendmail-security@sendmail.org using PGP encryption.

Note: We have changed the way we digitally sign the source code
distributions to simplify verification: in contrast to earlier versions,
two .sig files are provided, one each for the gzip'ed version and the
compressed version.
That is, instead of signing the tar file, we sign the compressed/gzip'ed
files, so you do not need to uncompress the file before checking the
signature.

This version can be found at

  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.gz
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.gz.sig
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.Z
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.Z.sig

and the usual mirror sites.

MD5 checksums (integrity only; authenticity comes from the .sig files):

  393f5d09d462f522c8288363870b2b42  sendmail.8.12.10.tar.gz
  345042839dec70f0a0b5aaeafcf3a0e3  sendmail.8.12.10.tar.gz.sig
  36b2b74577a96f79c242ff036321c2ff  sendmail.8.12.10.tar.Z
  1b9cd61e1342207148d950feafab0f07  sendmail.8.12.10.tar.Z.sig

You need either the first two files or the third and fourth, i.e., the
gzip'ed version or the compressed version together with the corresponding
.sig file. The PGP signature was created using the Sendmail Signing Key/2003,
available on the web site or on the public key servers.

Since sendmail 8.11 and later include hooks to cryptography, the following
information from OpenSSL applies to sendmail as well.

PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING TECHNICAL
DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS OF THE WORLD.
SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM THERE
OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR
OR OTHER PEOPLE YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY
EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE
FOR ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.

SENDMAIL RELEASE NOTES

$Id: RELEASE_NOTES,v 8.1340.2.165 2003/09/16 20:50:42 ca Exp $

This listing shows the version of the sendmail binary, the version of the
sendmail configuration files, the date of release, and a summary of the
changes in that release.
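The announcement lists MD5 sums and detached PGP signatures but leaves the checking procedure to the reader. The script below is an added example (this editor's, not sendmail.org's or CIAC's) that does both: it compares whatever release files are present in a directory against the sums printed above, and it runs gpg over the matching .sig file. It assumes a host with md5sum, openssl or BSD md5, and gpg with the Sendmail Signing Key/2003 already imported and its fingerprint compared against a source other than the download site; the function names are the author's own and the sample file in the test is constructed. Keep the two checks apart in your mind: the MD5 sums reached you through the same channel as the files, so they only catch a truncated or corrupted transfer, while the signature is what ties the file to the Sendmail release key.

```shell
#!/bin/sh
# Added example for CIAC N-149; not sendmail.org's or CIAC's code.
# Verifies a downloaded 8.12.10 distribution against (1) the MD5 sums in
# the announcement and (2) the detached PGP signature. Tool names
# (md5sum / openssl / md5, gpg) are assumptions about the host.

# md5_of FILE: print the MD5 hex digest with whatever tool is available.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -md5 "$1" | sed 's/.*= //'
    else
        md5 -q "$1"                       # BSD / Mac OS X
    fi
}

# check_md5 FILE EXPECTED: true when FILE's digest equals EXPECTED.
check_md5() {
    actual=$(md5_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# The sums from the announcement, "<digest>  <name>" per line (the same
# layout md5sum -c accepts).
MANIFEST='393f5d09d462f522c8288363870b2b42  sendmail.8.12.10.tar.gz
345042839dec70f0a0b5aaeafcf3a0e3  sendmail.8.12.10.tar.gz.sig
36b2b74577a96f79c242ff036321c2ff  sendmail.8.12.10.tar.Z
1b9cd61e1342207148d950feafab0f07  sendmail.8.12.10.tar.Z.sig'

# check_manifest DIR: check every listed file that exists in DIR. Prints one
# line per file checked; returns 1 if any of them mismatches, else 0.
check_manifest() {
    dir=$1
    rc=0
    old_ifs=$IFS
    IFS='
'
    for entry in $MANIFEST; do
        IFS=$old_ifs
        sum=${entry%% *}
        name=${entry##* }
        [ -f "$dir/$name" ] || continue
        if check_md5 "$dir/$name" "$sum"; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name"
            rc=1
        fi
    done
    IFS=$old_ifs
    return "$rc"
}

# verify_signature DIR NAME: check NAME.sig against NAME. gpg fails (and
# says why) when the key is not in the keyring or the signature is bad; a
# "Good signature" from an unverified key still proves nothing, so compare
# the key fingerprint out of band first.
verify_signature() {
    gpg --verify "$1/$2.sig" "$1/$2"
}

# Usage: sh verify-sendmail.sh /path/to/downloads
if [ -n "${1:-}" ]; then
    check_manifest "$1" && verify_signature "$1" sendmail.8.12.10.tar.gz
fi
```

The MD5 step is kept because it is what the 2003 announcement published; MD5 collisions have been practical since 2004, so for anything you publish yourself, list SHA-256 sums and, as here, sign the archives rather than the sums.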
8.12.10/8.12.10 2003/09/24
        SECURITY: Fix a buffer overflow in address parsing. Problem detected
                by Michal Zalewski, patch from Todd C. Miller of Courtesan
                Consulting.
        Fix a potential buffer overflow in ruleset parsing. This problem is
                not exploitable in the default sendmail configuration; a
                problem may occur only if non-standard recipient (2), final
                (4), or mailer-specific envelope recipient rulesets are
                used. Problem noted by Timo Sirainen.
        Accept 0 (and 0/0) as valid values for the MaxMimeHeaderLength
                option. Problem noted by Thomas Schulz.
        Add several checks to avoid (theoretical) buffer over/underflows.
        Properly count message size when performing 7->8 or 8->7 bit MIME
                conversions. Problem noted by Werner Wiethege.
        Properly compute message priority based on the size of the entire
                message, not just the header. Problem noted by Axel
                Holscher.
        Reset SevenBitInput to its configured value between SMTP
                transactions, for broken clients which do not properly
                announce 8 bit data. Problem noted by Stefan Roehrich.
        Set {addr_type} during queue runs when processing recipients. Based
                on patch from Arne Jansen.
        Better error handling in case of (very unlikely) queue-id conflicts.
        Perform better error recovery for address parsing, e.g., when
                encountering a comment that is too long. Problem noted by
                Tanel Kokk, Union Bank of Estonia.
        Add ':' to the allowed character list for bogus HELO/EHLO checking.
                It is used for IPv6 domain literals. Patch from Iwaizako
                Takahiro of FreeBit Co., Ltd.
        Reset SASL connection context after a failed authentication attempt.
                Based on patch from Rob Siemborski of CMU.
        Check Berkeley DB compile time version against run time version to
                make sure they match.
        Do not attempt AAAA (IPv6) DNS lookups if IPv6 is not enabled in the
                kernel.
        When a milter adds recipients and one of them causes an error, do
                not ignore the other recipients. Problem noted by Bart
                Duchesne.
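The ruleset-parsing entry above makes exploitability depend on the configuration: stock rulesets 2 and 4 and the stock mailer R= rulesets are fine, site-added ones are what need a look. The script below is an added example (this editor's; not from the release notes, CIAC, or the sendmail distribution) that pulls exactly those pieces out of a sendmail.cf so they can be diffed against a freshly generated stock file. It cannot decide "standard or not" on its own, and it changes nothing about the fix, which is still to upgrade to 8.12.10; it is triage for the interval before the upgrade lands. The configuration fragment written by write_sample_cf is constructed for the example and is neither complete nor a stock sendmail.cf; function names are the author's own.

```shell
#!/bin/sh
# Added example for CIAC N-149; not part of the bulletin, the release notes
# or the sendmail distribution. Extracts rulesets 2 and 4 and every mailer's
# R= (recipient) rulesets from a sendmail.cf for comparison with the stock
# configuration. The sample fragment below is constructed.

# rules_in_ruleset CF NAME: print the R (rewrite) lines of ruleset NAME.
# A ruleset starts at "S<name>" or "S<name>=<number>" and runs to the next
# S line; NAME may be the symbolic name or the number.
rules_in_ruleset() {
    awk -v want="$2" '
        /^S/ {
            s = substr($0, 2); sub(/[ \t]+$/, "", s)
            eq = index(s, "=")
            if (eq > 0) { name = substr(s, 1, eq - 1); num = substr(s, eq + 1) }
            else        { name = s; num = s }
            on = (name == want || num == want)
            next
        }
        /^R/ && on { print }
    ' "$1"
}

# mailer_recipient_rulesets CF: print "<mailer> <R= value>" for every M line,
# i.e. the envelope/header recipient rulesets each mailer applies.
mailer_recipient_rulesets() {
    awk -F, '
        /^M/ {
            name = substr($1, 2); sub(/[ \t].*/, "", name)
            r = "(none)"
            for (i = 2; i <= NF; i++) {
                f = $i; gsub(/^[ \t]+|[ \t]+$/, "", f)
                if (f ~ /^R=/) r = substr(f, 3)
            }
            print name, r
        }
    ' "$1"
}

# audit_cf CF: report what to compare against the stock configuration.
audit_cf() {
    for rs in 2 4; do
        n=$(rules_in_ruleset "$1" "$rs" | grep -c '^R' || true)
        echo "ruleset $rs: $n rule(s)"
        rules_in_ruleset "$1" "$rs" | sed 's/^/    /'
    done
    echo "mailer recipient rulesets (R=):"
    mailer_recipient_rulesets "$1" | sed 's/^/    /'
}

# write_sample_cf PATH: constructed fragment for the example only. A real
# sendmail.cf separates a rule's LHS and RHS with tabs; spaces are used
# here for readability, which does not matter to the checks above.
write_sample_cf() {
    cat > "$1" <<'EOF'
# constructed sendmail.cf fragment, not a complete or stock configuration
S0
R$*                    $: $>Parse0 $1           initial parsing
Scanonify=3
R$*                    $: $>LocalCanonify $1
S2
R$* < @ $* >           $: $1 < @ $2 >           site-added recipient rewrite
S4
R$@                    $@                       handle <> and list:;
R$* < @ *LOCAL* > $*   $: $1 < @ $j . > $2
Mlocal,  P=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, T=DNS/RFC822/X-Unix, A=procmail -t -Y -a $h -d $u
Msmtp,   P=[IPC], F=mDFMuX, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990, T=DNS/RFC822/SMTP, A=TCP $h
EOF
}

cf=$(mktemp)
write_sample_cf "$cf"
audit_cf "$cf"
rm -f "$cf"
```

Run `audit_cf /etc/mail/sendmail.cf` and the same function against a sendmail.cf regenerated from the vendor's stock .mc; any rule that appears only in the live file is the "non-standard" material the release note refers to.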
        CONFIG: Use the specified SMTP error code in mailertable entries that
                lack a DSN, i.e., "error:### Text". Problem noted by Craig
                Hunt.
        CONFIG: Call Local_trust_auth with the correct argument. Patch from
                Jerome Borsboom.
        CONTRIB: Better handling of temporary filenames for doublebounce.pl
                and expn.pl to avoid file overwrites, etc. Patches from
                Richard A. Nelson of Debian and Paul Szabo.
        MAIL.LOCAL: Fix an obscure race condition that could lead to an
                improper mailbox truncation if close() fails after the
                mailbox is fsync()'ed and a new message is delivered after
                the close() and before the truncate().
        MAIL.LOCAL: If mail delivery fails, do not leave behind a stale
                lockfile (which is ignored after the lock timeout). Patch
                from Oleg Bulyzhin of Cronyx Plus LLC.
        Portability:
                Port for AIX 5.2. Thanks to Steve Hubert of University of
                        Washington for providing access to a computer with
                        AIX 5.2.
                setreuid(2) works on OpenBSD 3.3. Patch from Todd C. Miller
                        of Courtesan Consulting.
                Allow for custom definition of SMRSH_CMDDIR and SMRSH_PATH on
                        all operating systems. Patch from Robert Harker of
                        Harker Systems.
                Use strerror(3) on Linux. If this causes a problem on your
                        Linux distribution, compile with -DHASSTRERROR=0 and
                        tell sendmail.org about it.
        Added Files:
                devtools/OS/AIX.5.2

[***** End Sendmail 8.12.10 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Sendmail.org for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial product,
process, or service by trade name, trademark, manufacturer, or otherwise,
does not necessarily constitute or imply its endorsement, recommendation or
favoring by the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state
or reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-139: Red Hat Updated SSL Certificate for access to 'up2date'
N-140: Sun Linux Vulnerability in VNC Package may allow local or remote
       unauthorized access
N-141: Timing based attack vulnerabilities in the JAVA Secure Socket
       Extension
N-142: Microsoft Word Macros Vulnerability
N-143: Microsoft WordPerfect Converter Buffer Overrun Vulnerability
N-144: Microsoft Visual Basic Buffer Overrun Vulnerability
N-145: Microsoft Access Snapshot View Buffer Overrun Vulnerability
N-146: Apache 2.0.47 Release Fixes Security Vulnerabilities
N-147: Hewlett Packard Potential Security Vulnerability B.11.11 DCE
N-148: Sun Security Issue Involving the Solaris sadmind(1M) Daemon