A new vulnerability has been discovered in Sendmail that could potentially allow attackers to run code on affected systems. Researchers are still trying to figure out the full extent of the vulnerability.
This is the second major vulnerability announced this month in the popular mail transfer agent. Sendmail handles at least 50% to 75% of all Internet e-mail traffic. Both the open-source and commercial versions of the application are affected by the flaw.
The flaw lies in the address-parsing code in Sendmail, according to the Computer Emergency Response Team (CERT) at Carnegie Mellon University. The code does not properly check the length of e-mail addresses. In theory, an attacker could remotely exploit the flaw by sending a specially designed e-mail address, which could trigger a stack overflow.
Whether the flaw could be remotely exploited is still in question, said Dan Ingevaldson, team lead for ISS' X-Force R&D. The discoverer of the flaw, Michal Zalewski, found he could trigger a denial-of-service attack locally and predicted it could be done remotely. "So far, we have not seen evidence or a proof of concept that it can be exploited remotely," he said.
Any denial-of-service affect would pale in comparison to an attacker being able to run arbitary code on a system. Even if the flaw can be remotely exploited, any DoS attack would only crash a child process of Sendmail, not the whole system, Ingevaldson said.
If attackers could run code on remote systems it would be much more dangerous as Sendmail often runs with local privilege levels, which is often root.
CERT said that the following versions of Sendmail are affected:
- Sendmail Pro (all versions)
- Sendmail Switch 2.1 prior to 2.1.6
- Sendmail Switch 2.2 prior to 2.2.6
- Sendmail Switch 3.0 prior to 3.0.4
- Sendmail for NT 2.X prior to 2.6.3
- Sendmail for NT 3.0 prior to 3.0.4
- Systems running open-source Sendmail versions prior to 8.12.9,including Unix and Linux systems
There are no workarounds for the flaw. Users of vulnerable systems are advised to patch as soon as possible or upgrade to Sendmail 8.12.9. Users should take care when assessing which of their systems are vulnerable, because various Unix and Linux workstations come with Sendmail enabled and running by default, CERT said.
Also, companies using other mail transfer agents in addition to Sendmail should pay special attention. Non-Sendmail servers can pass malicious messages to inner Sendmail servers that could be compromised. These messages could get through common packet filters or firewalls, CERT said.
The earlier vulnerability involved a buffer overflow in Sendmail's parsing mechanism for header information. An attacker could send a specially written e-mail message with header data that would spill over the static buffer allotted for such information. The spilled data could then be run by machines that haven't been patched.
Ingevaldson warns the new vulnerability should be taken serious because its scope in terms of affected systems is similar to the earlier flaw, which ISS found. "But you must remember there is a gulf between vulnerable systems and exploitable systems," he said.
FOR MORE INFORMATION:
- FEEDBACK: Has your faith in Sendmail been shaken by this month's serious vulnerabilities?
Send your feedback to the SearchSecurity.com news team.