
Re: PLEASE PATCH YOUR SENDMAIL!

 
Berlene Herren
Honored Contributor

PLEASE PATCH YOUR SENDMAIL!


This was reported by Dan Ingevaldson, team leader of X-Force research and development at ISS, who first discovered the vulnerability. http://www.linuxworld.com/go.cgi?id=741963

"What makes the new vulnerability particularly pernicious is that attackers would need to know little about the server they were attacking other than its Internet address.
It's quite a dangerous vulnerability because an exploit could be contained in the e-mail message itself. The attacker doesn't need to set up an elaborate system to launch the attack. They could just send an e-mail message to a server, and if the server is vulnerable the attack would be launched.

The combination of freely visible source code, a severe and remotely exploitable vulnerability, and an enormous installed base of vulnerable servers make the new Sendmail vulnerability an extremely high-value target for the hacking community, according to Ingevaldson.

That means that it is critical for affected organizations to patch their servers.

Once an exploit is published, all bets are off. The window of vulnerability has decreased. There have been some very robust powerful exploits released within a few months of the exploit being published, so if patching was not a big deal before, it is now."

See HPSBUX0302-246 SSRT3469 Potential Security Vulnerability in sendmail

Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
Steven E. Protter
Exalted Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

What is the HP Patch Depot's designation?

Where is it, and since I think it does not exist, when is it going to be ready?

All my sendmail updates have been from HP patch depots and I'm not going to screw things up by messing around with a gz file.

I've been very aggressive at putting in patches and security_patch_check is run weekly and shows no necessary patches.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Pete Randall
Outstanding Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

Steven,

Instructions are in the link which everyone has been pointing to. It is not in SD format (yet), however, it is very easy to install.

See:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xdd549c196a4bd71190080090279cd0f9,00.html


Pete

Pete
Berlene Herren
Honored Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

It is not a patch, it is a new binary.

Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
Jeff Schussele
Honored Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

I agree that I would like to see the fix in a patch format ASAP.
If for no other reason than version control.
May sound trivial, but if you have *hundreds* of systems, tell me how one could easily tell if they're *all* patched or not?
IF it was a patch, this would be much, much easier.
So keep pushing for a patch ASAP, if you would please Berlene.

Thx,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Patrick Wallek
Honored Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

Better yet (and this is what I'm doing) if your machine is not a mail server, turn sendmail off. You don't HAVE to run sendmail in order to send mail from the server.
Berlene Herren
Honored Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

Patches are in the works, but they take more time :-) We wanted an immediate fix for this vulnerability.

Check for the JAG to confirm fix:

# what /usr/sbin/sendmail

8.9.3 / 10.20
Copyright (c) 1998 HEWLETT PACKARD COMPANY and its licensors, including Sendmail, Inc., and the Regents of the University of California. All rights reserved.
version.c 8.9.3.1 (Berkeley) 18/09/2001 (PHNE_25183+JAGae58098)

11.X / 8.11.1
Copyright (c) 1998 HEWLETT PACKARD COMPANY and its licensors, including Sendmail, Inc., and the Regents of the University of California. All rights reserved.
version.c 8.11.1 (Berkeley) - Revision 1.2+JAGae58098 - 2002/07/31

Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
John Poff
Honored Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

Steve and Jeff,

I've already downloaded the patched sendmail executable and I've patched an 11.00 and an 11i box here. The instructions with the fix include a command to get the version of sendmail running on a box. Here is what I see before installing the sendmail binary [on an 11i box]:

Version 8.9.3 (PHNE_25184)

and here is what I see afterwards:

Version 8.9.3 (PHNE_26305+JAGae58098)


So there is a way to tell if the new binary has been installed or not. I agree that having it in a patch is nice, but it is also nice that HP has jumped on this issue and provided the fix so fast [many thanks to everyone involved please Berlene!]. It was nice this morning when the local Windows/Intel people started forwarding the sendmail stories to me via e-mail and I was able to tell them that we already knew about it and had the fix on hand thanks to HP. :)

JP
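
An added example, not part of any post in this thread and not HP's tooling: one way to answer the "hundreds of systems" question using the JAGae58098 marker shown above. It assumes the version output of each host has already been saved to a file named after the host; the function names, the collection step and the host names are hypothetical.

```shell
#!/bin/sh
# Added example: find hosts whose sendmail binary lacks the fix marker.
FIX_ID="JAGae58098"   # defect ID quoted in the thread

# Read version text on stdin; print "fixed", "unfixed" or "unknown".
# Accepts both line shapes shown in the thread: the "version.c ..." line from
# what(1) and the "Version 8.9.3 (...)" line from the fix's instructions.
classify_what() {
    awk -v id="$FIX_ID" '
        /version\.c/ || /^[ \t]*Version / { seen = 1; if (index($0, id)) fixed = 1 }
        END { print (fixed ? "fixed" : (seen ? "unfixed" : "unknown")) }'
}

# DIR holds one saved output file per host (file name = host name; how the
# files are collected is site-specific and assumed). Prints "host status".
audit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(basename "$f")" "$(classify_what < "$f")"
    done
}

# Hosts that still need attention: anything not positively "fixed",
# so a host with missing or unreadable output is never counted as patched.
unpatched_hosts() {
    audit_dir "$1" | awk '$2 != "fixed" { print $1 }'
}

# Constructed sample fleet; host names are hypothetical.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'version.c 8.9.3.1 (Berkeley) 18/09/2001 (PHNE_25183+JAGae58098)' > "$demo_dir/hosta"
printf '%s\n' 'Version 8.9.3 (PHNE_25184)' > "$demo_dir/hostb"
printf '%s\n' 'Version 8.9.3 (PHNE_26305+JAGae58098)' > "$demo_dir/hostc"
: > "$demo_dir/hostd"   # nothing collected from this host
audit_dir "$demo_dir"
```

Treating "unknown" as unpatched keeps a failed collection from hiding a vulnerable host.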

Steven E. Protter
Exalted Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

I know how to do it.

I like being able to get my sendmail version from swlist

[5031#] swlist -l product | grep sendmail
PHNE_25184 1.0 sendmail(1m) 8.9.3 patch

I guess my question is, to maintain this crutch, when is it coming out in SD format? Being behind a firewall and accepting no outside mail, I judge my vulnerability as low.

The bad part is management here does watch CNN/MSNBC and are already grumbling about this.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Berlene Herren
Honored Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

Ah, but Steven, here is the nasty part of this vulnerability.

This vulnerability is message-oriented as opposed to connection-oriented, so internal systems are just as vulnerable to exploit as internet facing systems. That means that the vulnerability is triggered by the contents of a specially-crafted email message rather than by lower-level network traffic. This is important because an MTA that does not contain the vulnerability will pass the malicious message along to other MTAs that may be protected at the network level. In other words, vulnerable sendmail servers on the interior of a network are still at risk, even if the site's border MTA uses software other than sendmail. Also, messages capable of exploiting this vulnerability may pass undetected through many common packet filters or firewalls.

Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm