A newly discovered vulnerability in Sendmail could allow attackers to run arbitrary code on affected systems. While an exploit to take advantage of the flaw isn't in the wild, users are urged to patch their systems as soon as possible.
The vulnerability is a buffer overflow in the Sendmail mail transfer agent, which could allow remote attackers to gain control of vulnerable systems. Sendmail is a common transfer agent that handles at least 50% to 75% of all Internet e-mail traffic. Most versions are affected, including those that run on Unix, Linux and Windows.
An attacker could exploit the flaw by sending e-mail messages with specially crafted headers. The flaw lies in the parsing mechanism of Sendmail. The buffer is static, so if an attacker sends a certain size chunk of data, then some would spill over and run on the affected system, said Ralph Logan, manager of NetIQ's VITAL team. Attackers would be able to gain control of affected systems, which could be quite grave, since many run with root privileges. Because of this attack vector, firewalls and packet filtering systems wouldn't be of much help.
Yet creating an exploit to take advantage of the flaw is very difficult, said Dan Ingevaldson, team lead for Internet Security Systems' X-Force R&D. ISS found the vulnerability late last year and notified the National Infrastructure Protection Center (NIPC) and the developers of Sendmail. The latter created a fix before the vulnerability was made public.
The complexity of the flaw shouldn't give Sendmail users a false sense of security. "We don't care how long it takes to exploit the vulnerability. All it takes is one person to do it and then post it on a list," Ingevaldson said. "It would then be very easy to exploit."
CERT said in its advisory: "This vulnerability is likely to draw significant attention from the intruder community, so the probability of a public exploit is high."
In its advisory, ISS warns that an exploit could have effects that are similar to those of the recent Slammer worm. E-mail and messaging systems could slow to a halt, with data integrity being compromised. High levels of Internet traffic could disrupt emergency services and telecommunications.
There are no workarounds for the vulnerability, since it lies in the core components of Sendmail. Patching systems is the only defense. A patched server will drop invalid headers.
Users of the open-source version can upgrade to version 8.12.8 or apply a patch. A patch is also available from Sendmail Inc., the producer of commercial versions of the software.
The vulnerability is particularly worrisome because Sendmail is included with other software packages, including most Unix distributions. Users of such systems should consult the CERT advisory for information about patches or check with their software vendor. The following vendors have released their own patches: Hewlett-Packard Co., IBM Corp., Silicon Graphics Inc. (SGI) and Sun Microsystems Inc., as well as Linux providers Red Hat Inc. and SuSE Inc. The following versions are susceptible:
- Sendmail Pro (all versions)
- Sendmail Switch 2.1 prior to 2.1.5
- Sendmail Switch 2.2 prior to 2.2.5
- Sendmail Switch 3.0 prior to 3.0.3
- Sendmail for NT 2.X prior to 2.6.2
- Sendmail for NT 3.0 prior to 3.0.3
- Systems running open-source Sendmail versions prior to 8.12.8, including Unix and Linux systems
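To triage an inventory against the list above, the following Python sketch compares reported versions numerically with the first fixed release on each branch. It is an added example, not code from Sendmail or the advisories; the product labels ("open-source", "switch", "nt", "pro"), the function names and the sample hosts are assumptions made for illustration.

```python
import re

# First fixed release per product branch, taken from the list above.
FIXED = {
    ("switch", (2, 1)): (2, 1, 5),
    ("switch", (2, 2)): (2, 2, 5),
    ("switch", (3, 0)): (3, 0, 3),
    ("nt", (2,)): (2, 6, 2),
    ("nt", (3, 0)): (3, 0, 3),
}
OPEN_SOURCE_FIXED = (8, 12, 8)

# Constructed sample inventory: (host, product label, reported version).
SAMPLE = [
    ("mx1", "open-source", "8.12.6"),
    ("mx2", "open-source", "8.12.10"),
    ("gw1", "switch", "2.2.4"),
    ("gw2", "nt", "3.0.3"),
    ("old1", "pro", "1.0"),
]


def parse_version(text):
    """Parse '8.12.6' or '8.11.6p2' into a tuple of ints, ignoring any suffix."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(part) for part in m.group(0).split("."))


def is_susceptible(product, version):
    """True if listed as susceptible, False if fixed, None if not on the list."""
    product = product.lower()
    if product == "pro":
        return True  # the list marks all Sendmail Pro versions as susceptible
    v = parse_version(version)
    if product == "open-source":
        return v < OPEN_SOURCE_FIXED
    for (name, branch), fixed in FIXED.items():
        if name == product and v[:len(branch)] == branch:
            return v < fixed
    return None  # branch not covered by the list; check the vendor advisory


def audit(inventory):
    """Return the hosts whose reported version falls in a susceptible range."""
    return [host for host, product, version in inventory
            if is_susceptible(product, version)]


if __name__ == "__main__":
    print(audit(SAMPLE))
```

Integer comparison matters here: as strings, "8.12.10" would sort before "8.12.8". A host that received a vendor patch without a version bump will still be flagged, so confirm those against the vendor's advisory.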
No one knows the exact extent of the vulnerability, since appliances could have Sendmail running on them. "We'll see things shake out over the next week," Ingevaldson said.