PLEASE PATCH YOUR SENDMAIL!

SOLVED
Berlene Herren
Honored Contributor

This was reported by Dan Ingevaldson, team leader of X-Force research and development at ISS, who first discovered the vulnerability. http://www.linuxworld.com/go.cgi?id=741963

"What makes the new vulnerability particularly pernicious is that attackers would need to know little about the server they were attacking other than its Internet address.
It's quite a dangerous vulnerability because an exploit could be contained in the e-mail message itself. The attacker doesn't need to set up an elaborate system to launch the attack. They could just send an e-mail message to a server, and if the server is vulnerable the attack would be launched.

The combination of freely visible source code, a severe and remotely exploitable vulnerability, and an enormous installed base of vulnerable servers make the new Sendmail vulnerability an extremely high-value target for the hacking community, according to Ingevaldson.

That means that it is critical for affected organizations to patch their servers.

Once an exploit is published, all bets are off. The window of vulnerability has decreased. There have been some very robust, powerful exploits released within a few months of the exploit being published, so if patching was not a big deal before, it is now."

See HPSBUX0302-246 SSRT3469 Potential Security Vulnerability in sendmail

Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
22 REPLIES
Steven E. Protter
Exalted Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

What is the HP Patch Depot's designation?

Where is it and, since I think it does not exist, when is it going to be ready?

All my sendmail updates have been from HP patch depots and I'm not going to screw things up by messing around with a gz file.

I've been very aggressive at putting in patches, and security_patch_check is run weekly and shows no necessary patches.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Pete Randall
Outstanding Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

Steven,

Instructions are in the link which everyone has been pointing to. It is not in SD format (yet), however, it is very easy to install.

See:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xdd549c196a4bd71190080090279cd0f9,00.html


Pete
Berlene Herren
Honored Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

It is not a patch, it is a new binary.

Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
Jeff Schussele
Honored Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

I agree that I would like to see the fix in a patch format ASAP.
If for no other reason than version control.
May sound trivial, but if you have *hundreds* of systems, tell me how one could easily tell if they're *all* patched or not?
IF it was a patch, this would be much, much easier.
So keep pushing for a patch ASAP, if you would please Berlene.

Thx,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Patrick Wallek
Honored Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

Better yet (and this is what I'm doing) if your machine is not a mail server, turn sendmail off. You don't HAVE to run sendmail in order to send mail from the server.
Berlene Herren
Honored Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

Patches are in the works, but they take more time :-) We wanted an immediate fix for this vulnerability.

Check for the JAG to confirm the fix:

#what /usr/sbin/sendmail

8.9.3 / 10.20
Copyright (c) 1998 HEWLETT PACKARD COMPANY and its licensors, including Sendmail, Inc., and the Regents of the University of California. All rights reserved.
version.c 8.9.3.1 (Berkeley) 18/09/2001 (PHNE_25183+JAGae58098)

11.X / 8.11.1
Copyright (c) 1998 HEWLETT PACKARD COMPANY and its licensors, including Sendmail, Inc., and the Regents of the University of California. All rights reserved.
version.c 8.11.1 (Berkeley) - Revision 1.2+JAGae58098 - 2002/07/31

Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
John Poff
Honored Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

Steve and Jeff,

I've already downloaded the patched sendmail executable and I've patched an 11.00 and an 11i box here. The instructions with the fix include a command to get the version of sendmail running on a box. Here is what I see before installing the sendmail binary [on an 11i box]:

Version 8.9.3 (PHNE_25184)

and here is what I see afterwards:

Version 8.9.3 (PHNE_26305+JAGae58098)


So there is a way to tell if the new binary has been installed or not. I agree that having it in a patch is nice, but it is also nice that HP has jumped on this issue and provided the fix so fast [many thanks to everyone involved please Berlene!]. It was nice this morning when the local Windows/Intel people started forwarding the sendmail stories to me via e-mail and I was able to tell them that we already knew about it and had the fix on hand thanks to HP. :)

JP

Steven E. Protter
Exalted Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

I know how to do it.

I like being able to get my sendmail version from swlist

[5031#] swlist -l product | grep sendmail
PHNE_25184 1.0 sendmail(1m) 8.9.3 patch

I guess my question is, to maintain this crutch, when is it coming out in SD format? Being behind a firewall and accepting no outside mail, I judge my vulnerability as low.

The bad part is management here does watch cnn/msnbc and are already grumbling about this.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Berlene Herren
Honored Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

Ah, but Steven, here is the nasty part of this vulnerability.

This vulnerability is message-oriented as opposed to connection-oriented, so internal systems are just as vulnerable to exploit as Internet-facing systems. That means that the vulnerability is triggered by the contents of a specially-crafted email message rather than by lower-level network traffic. This is important because an MTA that does not contain the vulnerability will pass the malicious message along to other MTAs that may be protected at the network level. In other words, vulnerable sendmail servers on the interior of a network are still at risk, even if the site's border MTA uses software other than sendmail. Also, messages capable of exploiting this vulnerability may pass undetected through many common packet filters or firewalls.

Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
Steven E. Protter
Exalted Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

Okay Berlene that actually makes me feel better.

Our email infrastructure is exchange oriented with a smtp relay server to route and handle inbound/outbound traffic. The smtp server is programmed under no circumstances to send any mail messages to our HP-UX servers.

When I send out a message off one of my UX servers and it's to a bad address, I can't get the bounce, because of the configuration.

Obviously someone could mess with the Exchange or SMTP servers, but if they can't send mail to the UX boxes, is there a problem?

This has btw been a fascinating discussion. I've learned a lot.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Berlene Herren
Honored Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

Steven, you sound like you have the HPUX boxes covered. If they do not receive mail, then they cannot be exploited by this vulnerability.

And it has been fun, hasn't it? :-)

Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
Jeff Schussele
Honored Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

Hi Berlene,

I've done as Patrick & just stopped accepting mail on servers that don't need to.

But I have a question.
I understand that the exploit is message-oriented and MTAs will just merrily pass it along to its destination. But if the affected server resides behind solid firewalls, how does the system get exploited by the sender AFTER the buffer overflow? Can this thing capture files on internal servers & send them out to be examined or cracked?
I don't see this exploit as being able to affect FWs as well, or am I missing something here?
I guess the vulnerability could be exploited by internal personnel.....

I see the major, urgent problems on I-net facing & DMZ systems more so than well protected, internal systems.
Would you agree?

I don't wish to make light of the situation at all, but at the same time I don't want a "chicken little" syndrome spawning unnecessary fear levels. We're being subjected to far too much of this fear-mongering already outside of our work environments, wouldn't you think?

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Steven E. Protter
Exalted Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

I've just run a telnet 25 test.

My servers can accept mail directed at them from any workstation on my network.

This means I am vulnerable.

The good news is outside our department there are no users in the organization with near enough knowledge to exploit the problem.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Robert Gamble
Respected Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

For visibility, bouncing this back to the top!

Everyone, please make sure you are not vulnerable.
John J Read
Frequent Advisor

Re: PLEASE PATCH YOUR SENDMAIL!

Thanks everyone! I've installed the fix on all of my servers and feel better. Made me look good to mgmt too!

I haven't seen an answer to this question in the documentation. In what manner is the privileged access exploited? Is the intruder coming in via telnet after you've been hit, or are they executing code as root via the received email message?

For instance, would there be a root entry in wtmp assuming the intruder didn't mess with this file? I understand all of the implications of a root level intruder covering up their trail. Just wondering if they are logging in or executing code. Either way, scary stuff.
Pete Randall
Outstanding Contributor
Solution

Re: PLEASE PATCH YOUR SENDMAIL!

John,

I was just reading my SANS Newsbites about this. Here's what they had to say:

--Sendmail Vulnerability Demonstrates New DHS Capabilities
(3 March 2003)
A vulnerability was reported in Sendmail that allows root access simply by sending a specially crafted email. Action by the Department of Homeland Security and affected vendors led to a coordinated program for patch development, early warning for critical infrastructure industries and government agencies, and broad information dissemination, while maintaining secrecy until the
http://www.washingtonpost.com/wp-dyn/articles/A41859-2003Mar4.html
http://www.cert.org/advisories/CA-2003-07.html
http://www.msnbc.com/news/880094.asp?0cv=CB10
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78991,00.html
http://news.com.com/2100-1009-990802.html
SANS web broadcast features people from sendmail.com, ISS, SourceFire, and the SANS faculty experts answering questions about the vulnerability, what systems are vulnerable, and what can be done to protect Sendmail beyond patching. Also includes a brief discussion of the new Snort vulnerability.
http://www.sans.org/webcasts/030303.php
Free, requires registration


I apologise for the truncation right before the list of URL's. That's the way SANS published it.

Pete
Berlene Herren
Honored Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

Excellent information, Pete! Thanks so much for sharing this with the community.

Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
Pete Randall
Outstanding Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

Berlene,

Glad to - this thing scares me!

Pete
Edmund Ng
Occasional Visitor

Re: PLEASE PATCH YOUR SENDMAIL!

JP: From my experience, the only way to tell if you have the patched binary running is to run the following:

strings /usr/lib/sendmail | grep Dropped

You should get the following output:

Dropped invalid comments from header address

If your sendmail binary is not patched, you won't get any output.

This is true for patched sendmail binaries on all platforms (from what I can tell).

-- Edmund.
Berlene Herren
Honored Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

#what /usr/sbin/sendmail

Copyright (c) 1998 HEWLETT PACKARD COMPANY and its licensors, including Sendmail, Inc., and the Regents of the University of California. All rights reserved.
version.c 8.9.3.1 (Berkeley) 18/09/2001 (PHNE_25183+JAGae58098)
                                                    ^^^
Look for the JAG


Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
Yogeeraj_1
Honored Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

Dear Berlene,

Please allow me to share this information too:
============================================================
*SENDMAIL PATCHING CALLED URGENT
By Keith Regan
Computer experts warned that a Sendmail vulnerability discovered by Internet Security Systems (ISS) should be patched quickly, as there is evidence hackers are working to exploit the flaw.

The buffer-overflow vulnerability in the Mail Transfer Agent (MTA) of widely used Sendmail makes it possible for a hacker to gain control of mail servers.

The Computer Emergency Response Team (CERT) published an advisory Monday, urging that patches made available from Sendmail Inc. and others be applied.

CERT analyst Jeff Havrilla says reports from "reliable sources" indicate code is circulating that could lead to a widespread exploitation of the vulnerability.

The vulnerability has the distinction of being the first to be vetted by the Department of Homeland Security, says Dan Ingevaldson, team leader of X-Force R&D at ISS. Coordination with Homeland Security enabled key industries to receive advance notice as well.

"We felt this issue was important and critical enough to take it a step further," says Ingevaldson, who found the flaw last December. "All indications were no one else knew at the time."

While some fear more Sendmail flaws remain undiscovered, Ingevaldson says what matters most is how quickly patches are applied.

Havrilla agrees. "It's a race," he says. "Intruders are actively seeking to exploit this flaw."

http://www.sendmail.org/8.12.8.html
http://www.sendmail.com/security/
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950


============================================================

Best Regards
Yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (Calvin Coolidge)
Kasper Haitsma
Trusted Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

When performing a check on the binary with strings(1), make sure to include the -a option. In some binaries, the string "Dropped invalid comments from header address" will otherwise not be shown (8.11.1 for 11i is known for this).
It depends
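The thread offers three separate checks: Berlene's what(1) look for the JAG id, Edmund's strings(1) grep with Kasper's -a caveat, and Patrick's and Steven's point that a box which is not accepting SMTP cannot receive the crafted message at all. As an added example, not a script from this thread, from HP or from any of the posters, here is a small POSIX shell script that folds those checks into one per-host verdict, which is what Jeff's "hundreds of systems" problem calls for. The marker values (JAGae58098 and "Dropped invalid comments from header address") are the ones quoted above; the default binary path, the netstat column layout, the --live flag and the demo inputs are assumptions constructed for the example.

```shell
#!/bin/sh
# check_sendmail_fix.sh (added example, not from the thread or from HP).
# Combines the verification methods discussed above into one verdict.
# Marker values come from the thread; paths, flags and the netstat
# layout are assumptions.

FIX_ID="JAGae58098"                                        # JAG id shown by what(1)
FIX_STRING="Dropped invalid comments from header address"  # shown by strings -a

# what_has_fix: read what(1) output on stdin; succeed if the JAG id is present.
what_has_fix() {
    grep -q "$FIX_ID"
}

# strings_has_fix: read strings(1) output on stdin; succeed if the fix
# string is present. Feed it "strings -a" output: without -a the string
# can be missed (the thread reports this for 8.11.1 on 11i).
strings_has_fix() {
    grep -qF "$FIX_STRING"
}

# classify WHAT_TEXT STRINGS_TEXT
# Prints FIXED if either marker is found, otherwise NOT-FIXED; exit 0/1.
# The JAG id identifies the HP binary; the string also covers fixed
# binaries built from other sources, where no JAG id exists.
classify() {
    if printf '%s\n' "$1" | what_has_fix; then
        echo FIXED; return 0
    fi
    if printf '%s\n' "$2" | strings_has_fix; then
        echo FIXED; return 0
    fi
    echo NOT-FIXED; return 1
}

# listens_on_smtp: read "netstat -an" output on stdin; succeed if something
# is listening on TCP port 25 (HP-UX prints the local address as "*.25",
# Linux as "0.0.0.0:25"; both forms are matched). A host that does not
# listen cannot receive the crafted message, which is the argument for
# turning sendmail off on machines that are not mail servers.
listens_on_smtp() {
    grep -E '^tcp[[:space:]].*[.:]25[[:space:]].*LISTEN' >/dev/null
}

# check_host [SENDMAIL_PATH]: live check on this machine.
# Exit 0 = fixed, 1 = not fixed, 2 = no binary at that path.
check_host() {
    bin="${1:-/usr/sbin/sendmail}"
    host=$(hostname 2>/dev/null || echo localhost)
    if [ ! -f "$bin" ]; then
        echo "$host: no sendmail binary at $bin"
        return 2
    fi
    verdict=$(classify "$(what "$bin" 2>/dev/null)" "$(strings -a "$bin" 2>/dev/null)")
    rc=$?
    if netstat -an 2>/dev/null | listens_on_smtp; then
        exposure="accepting SMTP on port 25"
    else
        exposure="not listening on port 25"
    fi
    echo "$host: $bin $verdict ($exposure)"
    return $rc
}

# Usage: sh check_sendmail_fix.sh --live [/path/to/sendmail]
# Without --live, run the classifier over the what(1) lines quoted in the
# thread (constructed demo input) so the script can be exercised anywhere.
if [ "${1:-}" = "--live" ]; then
    check_host "${2:-}"
else
    classify 'version.c 8.9.3.1 (Berkeley) 18/09/2001 (PHNE_25183+JAGae58098)' '' || :
    classify 'Version 8.9.3 (PHNE_25184)' '' || :
fi
```

Run it with --live on each HP-UX host (for example from a central box over remsh or ssh, collecting the one-line verdicts) and grep the results for NOT-FIXED; the exit code makes it usable from a loop as well. The classifier deliberately accepts either marker, so a host whose what(1) output is empty, as it can be for a binary built from non-HP sources, is still judged by the strings check.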