topic Re: PLEASE PATCH YOUR SENDMAIL! in Operating System - HP-UX

PLEASE PATCH YOUR SENDMAIL!

Berlene Herren — Tue, 04 Mar 2003 13:36:05 GMT

This was reported by Dan Ingevaldson, team leader of X-Force research and development at ISS, who first discovered the vulnerability. http://www.linuxworld.com/go.cgi?id=741963

"What makes the new vulnerability particularly pernicious is that attackers would need to know little about the server they were attacking other than its Internet address.
It's quite a dangerous vulnerability because an exploit could be contained in the e-mail message itself. The attacker doesn't need to set up an elaborate system to launch the attack. They could just send an e-mail message to a server, and if the server is vulnerable the attack would be launched.

The combination of freely visible source code, a severe and remotely exploitable vulnerability, and an enormous installed base of vulnerable servers make the new Sendmail vulnerability an extremely high-value target for the hacking community, according to Ingevaldson.

That means that it is critical for affected organizations to patch their servers.

Once an exploit is published, all bets are off. The window of vulnerability has decreased. there have been some very robust powerful exploits released within a few months of the exploit being published, so if patching was not a big deal before, it is now."

See HPSBUX0302-246 SSRT3469 Potential Security Vulnerability in sendmail

Berlene

Re: PLEASE PATCH YOUR SENDMAIL!

Steven E. Protter — Tue, 04 Mar 2003 19:27:37 GMT

What is the HP Patch Depot's designation?

Where is it an since I think it does not exist, when it it goiing to be ready.

All my sendmail updates have been from HP patch depots and I'm not going to screw things up by messing around with a gz file.

I've been very agressive at putting in patches and security_patch_check is run weekly and shows no necessary patches.

SEP

Re: PLEASE PATCH YOUR SENDMAIL!

Pete Randall — Tue, 04 Mar 2003 19:30:03 GMT

Steven,

Instructions are in the link which everyone has been pointing to. It is not in SD format (yet), however, it is very easy to install.

See:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xdd549c196a4bd71190080090279cd0f9,00.html

Pete

Re: PLEASE PATCH YOUR SENDMAIL!

Berlene Herren — Tue, 04 Mar 2003 19:31:26 GMT

It is not a patch, it is a new binary.

Berlene

Re: PLEASE PATCH YOUR SENDMAIL!

Jeff Schussele — Tue, 04 Mar 2003 19:35:46 GMT

I agree that I would like to see the fix in a patch format ASAP.
If for no other reason than version control.
May sound trivial, but if you have *hundreds* of systems, tell me how one could easily tell if they're *all* patched or not?
IF it was a patch, this would be much, much easier.
So keep pushing for a patch ASAP, if you would please Berlene.

Thx,
Jeff

Re: PLEASE PATCH YOUR SENDMAIL!

Patrick Wallek — Tue, 04 Mar 2003 19:38:58 GMT

Better yet (and this is what I'm doing) if your machine is not a mail server, turn sendmail off. You don't HAVE to run sendmail in order to send mail from the server.

Re: PLEASE PATCH YOUR SENDMAIL!

Berlene Herren — Tue, 04 Mar 2003 19:39:13 GMT

Patches are in the works, but they take more time :-) We wanted an immediate fix for this vulnerability.

Check for the JAG to confirm fix:

#what /usr/sbin/sendmail

8.9.3 / 10.20
Copyright (c) 1998 HEWLETT PACKARD COMPANY and its licensors, including Sendmail, Inc., and the Regents of the University of California. All rights reserved.
version.c 8.9.3.1 (Berkeley) 18/09/2001 (PHNE_25183+JAGae58098)

11.X / 8.11.1
Copyright (c) 1998 HEWLETT PACKARD COMPANY and its licensors, including Sendmail, Inc., and the Regents of the University of California. All rights reserved.
version.c 8.11.1 (Berkeley) - Revision 1.2+JAGae58098 - 2002/07/31

Berlene

Re: PLEASE PATCH YOUR SENDMAIL!

John Poff — Tue, 04 Mar 2003 19:41:07 GMT

Steve and Jeff,

I've already downloaded the patched sendmail executable and I've patched an 11.00 and an 11i box here. The instructions with the fix include a command to get the version of sendmail running on a box. Here is what I see before installing the sendmail binary [on an 11i box]:

Version 8.9.3 (PHNE_25184)

and here is what I see afterwards:

Version 8.9.3 (PHNE_26305+JAGae58098)

So there is a way to tell if the new binary has been installed or not. I agree that having it in a patch is nice, but it is also nice that HP has jumped on this issue and provided the fix so fast [many thanks to everyone involved please Berlene!]. It was nice this morning when the local Windows/Intel people started forwarding the sendmail stories to me via e-mail and I was able to tell them that we already knew about it and had the fix on hand thanks to HP. :)

JP

Re: PLEASE PATCH YOUR SENDMAIL!

Steven E. Protter — Tue, 04 Mar 2003 19:43:22 GMT

I know how to do it.

I like being able to get my sendmail version from swlist

[5031#] swlist -l product | grep sendmail
PHNE_25184 1.0 sendmail(1m) 8.9.3 patch

I guess my question is to maintain this crutch, when is it coming out in SD format. Being behind a firewall and accepting no outside mail I judge my vulnerability as low.

The bad part is management here does watch cnn/msnbc and are already grumbling about this.

SEP

Re: PLEASE PATCH YOUR SENDMAIL!

Berlene Herren — Tue, 04 Mar 2003 19:50:12 GMT

Ah, but Steven, here is the nasty part of this vulnerability.

This vulnerability is message-oriented as opposed to connection-oriented, so internal systems are just as vulnerable to exploit as internet facing systems. That means that the vulnerability is triggered by the contents of a specially-crafted email message rather than by lower-level network traffic. This is important because an MTA that does not contain the
vulnerability will pass the malicious message along to other MTAs that may be protected at the network level. In other words, vulnerable sendmail servers on the interior of a network are still at risk, even if
the site's border MTA uses software other than sendmail. Also, messages
capable of exploiting this vulnerability may pass undetected through many
common packet filters or firewalls.

Berlene

Re: PLEASE PATCH YOUR SENDMAIL!

Steven E. Protter — Tue, 04 Mar 2003 20:00:50 GMT

Okay Berlene that actually makes me feel better.

Our email infrastructure is exchange oriented with a smtp relay server to route and handle inbound/outbound traffic. The smtp server is programmed under no circumstances to send any mail messages to our HP-UX servers.

When I send out a message off one of my UX servers and its to a bad address, I can't get the bounce, because of the configuration.

Obviously someone could mess with the Exchange or SMTP servers, but if they can't send mail to the UX boxes, is there a problem?

This has btw been a fascinating discussion. I've learned a lot.

SEP

Re: PLEASE PATCH YOUR SENDMAIL!

Berlene Herren — Tue, 04 Mar 2003 20:05:51 GMT

Steven, you sound like you have the HPUX boxes covered. If they do not receive mail, then they cannot be exploited by this vulnerability.

And it has been fun, hasn't it? :-)

Berlene

Re: PLEASE PATCH YOUR SENDMAIL!

Jeff Schussele — Tue, 04 Mar 2003 20:09:42 GMT

Hi Berlene,

I've done as Patrick & just stopped accepting mail on servers that don't need to.

But I have a question.
I understand that the exploit is message-oriented and MTAs will just merrily pass it along to its destination. But if the affected server resides behind solid firewalls, how does the system get exploited by the sender AFTER the buffer overflow? Can this thing capture files on internal servers & send them out to be examined or cracked?
I don't see this exploit as being able to affect FWs as well, or am I missing something here?
I guess the vulnerability could be exploited by internal personnel.....

I see the major, urgent problems on I-net facing & DMZ systems more so than well protected, internal systems.
Would you agree?

I don't wish to make light of the situation at all, but at the same time I don't want a "chicken little" syndrome spawning unnecessary fear levels. We're being subjected to far too much of this fear-mongering already outside of our work environments, wouldn't you think?

Rgds,
Jeff

Re: PLEASE PATCH YOUR SENDMAIL!

Steven E. Protter — Tue, 04 Mar 2003 20:16:03 GMT

I've just run a telnet 25 test.

My servers can accept mail directed at them from any workstation on my network.

This means I am vulnerable.

The good news is outside our department there are no users in the organization with near enough knowledge to exploit the problem.

SEP

Re: PLEASE PATCH YOUR SENDMAIL!

Robert Gamble — Wed, 05 Mar 2003 14:13:13 GMT

For visibilty, bouncing this back to the top!

Everyone, please make sure you are not vulnerable.

Re: PLEASE PATCH YOUR SENDMAIL!

John J Read — Wed, 05 Mar 2003 16:47:22 GMT

Thanks everyone! I've installed the fix on all of my servers and feel better. Made me look good to mgmt too!

I haven't seen an answer to this question in the documentation. In what manner is the priveleged access exploited. Is the intruder coming in via telnet after you've been hit or are they executing code as root via the received email message.

For instance, would there be a root entry in wtmp assuming the intruder didn't mess with this file? I understand all of the implications of a root level intruder covering up their trail. Just wondering if they are logging in or executing code. Either way, scary stuff.

Re: PLEASE PATCH YOUR SENDMAIL!

Pete Randall — Wed, 05 Mar 2003 16:58:10 GMT

John,

I was just reading my SANS Newsbites about this. Here's what they had to say:

--Sendmail Vulnerability Demonstrates New DHS Capabilities
(3 March 2003)
A vulnerability was reported in Sendmail that allows root access simply
by sending a specially crafted email. Action by the Department of
Homeland Security and affected vendors led to a coordinated program for
patch development, early warning for critical infrastructure industries
and government agencies, and broad information dissemination, while
maintaining secrecy until the
http://www.washingtonpost.com/wp-dyn/articles/A41859-2003Mar4.html http://www.cert.org/advisories/CA-2003-07.html
http://www.msnbc.com/news/880094.asp?0cv=CB10
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78991,00.html
http://news.com.com/2100-1009-990802.html
SANS web broadcast features people from sendmail.com, ISS,
SourceFire, and the SANS faculty experts answering questions about the
vulnerability, what systems are vulnerable, and what can be done to
protect Sendmail beyond patching. Also includes a brief discussion
of the new Snort vulnerability.
http://www.sans.org/webcasts/030303.php
Free, requires registration

I apologise for the truncation right before the list of URL's. That's the way SANS published it.

Pete

Re: PLEASE PATCH YOUR SENDMAIL!

Berlene Herren — Wed, 05 Mar 2003 17:09:02 GMT

Excellent information, Pete! Thanks so much for sharing this with the community.

Berlene

Re: PLEASE PATCH YOUR SENDMAIL!

Pete Randall — Wed, 05 Mar 2003 17:12:25 GMT

Berlene,

Glad to - this thing scares me!

Pete

Re: PLEASE PATCH YOUR SENDMAIL!

Edmund Ng — Thu, 06 Mar 2003 02:03:15 GMT

JP: From my experience, the only way to tell if you have the patched binary running is to run the following:

strings /usr/lib/sendmail | grep Dropped

You should get the following output:

Dropped invalid comments from header address

If your sendmail binary is not patched, you won't get any output.

This is true for patched sendmail binaries on all platforms (from what I can tell).

-- Edmund.