Of general interest and urgent for servers running Sendmail...

Regards

--
Juan Carlos Guel Lopez
UNAM-CERT
UNAM Incident Response Team
DGSCA, UNAM                  E-mail: unam-cert en seguridad unam mx
Circuito Exterior, C. U.     Tel.: 5622-81-69 Fax: 5622-80-43
Del. Coyoacan                WWW: http://www.seguridad.unam.mx
04510 Mexico D. F.           WWW: http://www.unam-cert.unam.mx

On Mon, 3 Mar 2003, CERT Coordination Center wrote:

> CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail
>
> Original release date: March 3, 2003
> Last revised: --
> Source: CERT/CC
>
> A complete revision history can be found at the end of this file.
>
> Systems Affected
>
> * Sendmail Pro (all versions)
> * Sendmail Switch 2.1 prior to 2.1.5
> * Sendmail Switch 2.2 prior to 2.2.5
> * Sendmail Switch 3.0 prior to 3.0.3
> * Sendmail for NT 2.X prior to 2.6.2
> * Sendmail for NT 3.0 prior to 3.0.3
> * Systems running open-source sendmail versions prior to 8.12.8,
>   including UNIX and Linux systems
>
> Overview
>
> There is a vulnerability in sendmail that may allow remote attackers
> to gain the privileges of the sendmail daemon, typically root.
>
> I. Description
>
> Researchers at Internet Security Systems (ISS) have discovered a
> remotely exploitable vulnerability in sendmail. This vulnerability
> could allow an intruder to gain control of a vulnerable sendmail
> server.
>
> Most organizations have a variety of mail transfer agents (MTAs) at
> various locations within their network, with at least one exposed to
> the Internet. Since sendmail is the most popular MTA, most
> medium-sized to large organizations are likely to have at least one
> vulnerable sendmail server. In addition, many UNIX and Linux
> workstations provide a sendmail implementation that is enabled and
> running by default.
>
> This vulnerability is message-oriented as opposed to
> connection-oriented.
> That means that the vulnerability is triggered by
> the contents of a specially-crafted email message rather than by
> lower-level network traffic. This is important because an MTA that
> does not contain the vulnerability will pass the malicious message
> along to other MTAs that may be protected at the network level. In
> other words, vulnerable sendmail servers on the interior of a network
> are still at risk, even if the site's border MTA uses software other
> than sendmail. Also, messages capable of exploiting this vulnerability
> may pass undetected through many common packet filters or firewalls.
>
> Sendmail has indicated to the CERT/CC that this vulnerability has been
> successfully exploited in a laboratory environment. We do not believe
> that this exploit is available to the public. However, this
> vulnerability is likely to draw significant attention from the
> intruder community, so the probability of a public exploit is high.
>
> A successful attack against an unpatched sendmail system will not
> leave any messages in the system log. However, on a patched system, an
> attempt to exploit this vulnerability will leave the following log
> message:
>
> Dropped invalid comments from header address
>
> Although this does not represent conclusive evidence of an attack, it
> may be useful as an indicator.
>
> A patched sendmail server will drop invalid headers, thus preventing
> downstream servers from receiving them.
>
> The CERT/CC is tracking this issue as VU#398025. This reference number
> corresponds to CVE candidate CAN-2002-1337.
>
> For more information, please see
>
> http://www.sendmail.org
> http://www.sendmail.org/8.12.8.html
> http://www.sendmail.com/security/
> http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
> http://www.kb.cert.org/vuls/id/398025
>
> II. Impact
>
> Successful exploitation of this vulnerability may allow an attacker to
> gain the privileges of the sendmail daemon, typically root.
> Even vulnerable sendmail servers on the interior of a given network
> may be at risk since the vulnerability is triggered from the contents
> of a malicious email message.
>
> III. Solution
>
> Apply a patch from Sendmail
>
> Sendmail has produced patches for versions 8.9, 8.10, 8.11, and 8.12.
> However, the vulnerability also exists in earlier versions of the
> code; therefore, site administrators using an earlier version are
> encouraged to upgrade to 8.12.8. These patches are located at
>
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.security.cr.patch
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.security.cr.patch
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.9.3.security.cr.patch
>
> Apply a patch from your vendor
>
> Many vendors include vulnerable sendmail servers as part of their
> software distributions. We have notified vendors of this vulnerability
> and recorded their responses in the systems affected section of
> VU#398025. Several vendors have provided a statement for direct
> inclusion in this advisory; these statements are available in Appendix
> A.
>
> Enable the RunAsUser option
>
> There is no known workaround for this vulnerability. Until a patch can
> be applied, you may wish to set the RunAsUser option to reduce the
> impact of this vulnerability. As a good general practice, the CERT/CC
> recommends limiting the privileges of an application or service
> whenever possible.
>
> Appendix A. - Vendor Information
>
> This appendix contains information provided by vendors for this
> advisory. As vendors report new information to the CERT/CC, we will
> update this section and note the changes in our revision history. If a
> particular vendor is not listed below, we have not received their
> comments.
>
> Apple Computer, Inc.
>
> Security Update 2003-03-03 is available to fix this issue. Packages
> are available for Mac OS X 10.1.5 and Mac OS X 10.2.4.
> It should be noted that sendmail is not enabled by default on Mac OS X,
> so only those systems which have explicitly enabled it are susceptible
> to the vulnerability. All customers of Mac OS X, however, are
> encouraged to apply this update to their systems.
>
> Avaya, Inc.
>
> Avaya is aware of the vulnerability and is investigating impact. As
> new information is available this statement will be updated.
>
> BSD/OS
>
> Wind River Systems has created patches for this problem which are
> available from the normal locations for each release. The relevant
> patches are M500-006 for BSD/OS version 5.0 or the Wind River Platform
> for Server Appliances 1.0, M431-002 for BSD/OS 4.3.1, or M420-032 for
> BSD/OS 4.2 systems.
>
> Cisco Systems
>
> Cisco is investigating this issue. If we determine any of our products
> are vulnerable that information will be available at:
> http://www.cisco.com/go/psirt
>
> Cray Inc.
>
> The code supplied by Cray, Inc. in Unicos, Unicos/mk, and Unicos/mp
> may be vulnerable. Cray has opened SPRs 724749 and 724750 to
> investigate.
>
> Cray, Inc. is not vulnerable for the MTA systems.
>
> Hewlett-Packard Company
>
> SOURCE:
> Hewlett-Packard Company
> HP Services
> Software Security Response Team
>
> x-ref: SSRT3469 sendmail
>
> HP will provide notice of the availability of patches through standard
> security bulletin announcements and be available from your normal HP
> Services support channel.
>
> IBM Corporation
>
> The AIX operating system is vulnerable to the sendmail issues
> discussed in releases 4.3.3, 5.1.0 and 5.2.0.
>
> A temporary patch is available through an efix package which can be
> found at
> ftp://ftp.software.ibm.com/aix/efixes/security/sendmail_efix.tar.Z
>
> IBM will provide the following official fixes:
>
> APAR number for AIX 4.3.3: IY40500 (available approx.
> 03/12/2003)
> APAR number for AIX 5.1.0: IY40501 (available approx.
> 04/28/2003)
> APAR number for AIX 5.2.0: IY40502 (available approx.
> 04/28/2003)
>
> Openwall GNU/*/Linux
>
> Openwall GNU/*/Linux is not vulnerable. We use Postfix as the MTA, not
> sendmail.
>
> Red Hat Inc.
>
> Updated sendmail packages that are not vulnerable to this issue are
> available for Red Hat Linux, Red Hat Advanced Server, and Red Hat
> Advanced Workstation. Red Hat Network users can update their systems
> using the 'up2date' tool.
>
> Red Hat Linux:
>
> http://rhn.redhat.com/errata/RHSA-2003-073.html
>
> Red Hat Linux Advanced Server, Advanced Workstation:
>
> http://rhn.redhat.com/errata/RHSA-2003-074.html
>
> SGI
>
> SGI acknowledges VU#398025 reported by CERT and has released an
> advisory to address the vulnerability on IRIX.
>
> Refer to SGI Security Advisory 20030301-01-P available from
> ftp://patches.sgi.com/support/free/security/advisories/20030301-01-P
> or http://www.sgi.com/support/security/.
>
> The Sendmail Consortium
>
> The Sendmail Consortium suggests that sites upgrade to 8.12.8 if
> possible. Alternatively, patches are available for 8.9, 8.10, 8.11,
> and 8.12 on http://www.sendmail.org/
>
> Sendmail, Inc.
>
> All commercial releases including Sendmail Switch, Sendmail Advanced
> Message Server (which includes the Sendmail Switch MTA), Sendmail for
> NT, and Sendmail Pro are affected by this issue. Patch information is
> available at http://www.sendmail.com/security.
> _________________________________________________________________
>
> Our thanks to Internet Security Systems, Inc. for discovering this
> problem, and to Eric Allman, Claus Assmann, and Greg Shapiro of
> Sendmail for notifying us of this problem. We thank both groups for
> their assistance in coordinating the response to this problem.
> _________________________________________________________________
>
> Authors: Jeffrey P. Lanza and Shawn V. Hernan
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2003-07.html
> ______________________________________________________________________
>
> CERT/CC Contact Information
>
> Email: cert en cert org
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
> EDT(GMT-4) Monday through Friday; they are on call for emergencies
> during other hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
> Getting security information
>
> CERT publications and other security information are available from
> our web site
> http://www.cert.org/
>
> To subscribe to the CERT mailing list for advisories and bulletins,
> send email to majordomo en cert org. Please include in the body of your
> message
>
> subscribe cert-advisory
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material.
> Carnegie Mellon University does not make any warranty of any kind with
> respect to freedom from patent, trademark, or copyright infringement.
> _________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2003 Carnegie Mellon University.
>
> Revision History
> Mar 03, 2003: Initial release

_______________________________________________
Ayuda mailing list
Ayuda en linux org mx
To unsubscribe from the list: http://mail.linux.org.mx/mailman/listinfo/ayuda/
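
The advisory quoted above names one log message that a patched sendmail writes when it drops an invalid header. The following added example (not part of the advisory or of the original post) searches mail logs for that message and ties each hit to the sender and relay recorded for the same queue ID. The syslog layout, the `from=... relay=...` envelope line format and all sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Indicator string quoted in the advisory; only a patched sendmail logs it.
INDICATOR = "Dropped invalid comments from header address"
# Assumed layout: "<Mon DD HH:MM:SS> <host> sendmail[<pid>]: <queue-id>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"sendmail\[\d+\]:\s(?P<qid>\w+):\s(?P<msg>.*)$"
)
SENDER_RE = re.compile(r"^from=(?P<sender>[^,]*)")
RELAY_RE = re.compile(r"\brelay=(?P<relay>.+?)(?:,\s|$)")

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = """\
Mar  4 09:12:01 mx1 sendmail[2211]: h24FC1aa002211: Dropped invalid comments from header address
Mar  4 09:12:01 mx1 sendmail[2211]: h24FC1aa002211: from=<a@example.net>, size=1832, nrcpts=1, proto=ESMTP, relay=gw.example.net [192.0.2.10]
Mar  4 09:15:40 mx1 sendmail[2250]: h24FFeab002250: from=<c@example.com>, size=900, nrcpts=1, proto=ESMTP, relay=mail.example.com [198.51.100.7]
Mar  4 09:20:13 mx1 sendmail[2301]: h24FKDac002301: Dropped invalid comments from header address
Mar  4 09:20:13 mx1 sendmail[2301]: h24FKDac002301: Dropped invalid comments from header address
Mar  4 09:20:14 mx1 sendmail[2301]: h24FKDac002301: from=<d@example.net>, size=2100, nrcpts=1, proto=SMTP, relay=gw.example.net [192.0.2.10]
"""

def find_indicator_hits(lines):
    """Correlate indicator lines with the "from=" line of the same queue ID."""
    envelope = {}               # queue ID -> (sender, submitting relay)
    hits = defaultdict(list)    # queue ID -> [(timestamp, host), ...]
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue            # not a sendmail queue-ID line
        qid, msg = m["qid"], m["msg"]
        sender = SENDER_RE.match(msg)
        if sender:
            relay = RELAY_RE.search(msg)
            envelope[qid] = (sender["sender"], relay["relay"] if relay else "unknown")
        elif INDICATOR in msg:
            hits[qid].append((m["ts"], m["host"]))
    # Join after the full pass so the result does not depend on line order.
    report = []
    for qid, seen in sorted(hits.items()):
        sender, relay = envelope.get(qid, ("unknown", "unknown"))
        report.append({"qid": qid, "host": seen[0][1], "first_seen": seen[0][0],
                       "count": len(seen), "sender": sender, "relay": relay})
    return report

def hits_per_relay(report):
    """Count flagged messages per submitting relay to show where they enter."""
    return Counter(row["relay"] for row in report)

if __name__ == "__main__":
    for row in find_indicator_hits(SAMPLE_LOG.splitlines()):
        print(row)
```

As the advisory states, a hit is an indicator rather than conclusive evidence, and an unpatched server logs nothing, so an empty result from an unpatched host carries no information.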