Sendmail DNS flaw could lead to DoS attacks

Get the details of a flaw in Sendmail's DNS handling, which can allow an attacker to trigger a DoS event.

The widely used open source Sendmail Mail Transfer Agent (MTA) has been reported to be vulnerable to a denial of service (DoS) attack: an attacker who can answer a DNS query that Sendmail makes with a malformed DNS reply packet can crash the Sendmail child process handling that lookup. The fault lies in the code that handles Sendmail's DNS map lookups.

See the FreeBSD-SA-03:11.sendmail security advisory for more details. The advisory describes the problem as follows:

"Calling 'free()' on an uninitialized pointer may result in a sendmail child process crashing. It may also be possible for an attacker to somehow influence the value of the 'uninitialized pointer' and cause an arbitrary memory chunk to be freed. This could further lead to some other exploitable vulnerability, although no such cases are known at this time."

The Sendmail report describes the situation like this: "There is a potential problem in sendmail 8.12.8 and earlier sendmail 8.12.x versions with respect to DNS maps. The bug did not exist in versions before 8.12 as the DNS map type is new to 8.12. The bug was fixed in 8.12.9, released March 29, 2003."
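The bug class the FreeBSD advisory describes, a shared error path that calls free() on a result pointer that was never assigned, is easy to reproduce in any reply parser that bails out early. The following is an added example and is not sendmail's code: the toy wire format, the reply_t structure, parse_header_vulnerable, parse_reply and the three sample packets are all constructed for illustration. It shows the vulnerable shape beside the hardened one, in which the pointer starts as NULL and the error path frees only what was actually allocated, so a truncated or over-claiming packet is rejected cleanly instead of crashing the process.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parsed-reply structure for this example (not sendmail's). */
typedef struct {
    uint16_t id;
    uint16_t ancount;   /* number of answer records claimed by the header */
    char   **answers;   /* ancount NUL-terminated strings, NULL if unfilled */
} reply_t;

/* Releases a reply in any state of construction; free(NULL) is a no-op. */
static void reply_free(reply_t *r)
{
    if (r == NULL)
        return;
    if (r->answers != NULL) {
        for (uint16_t i = 0; i < r->ancount; i++)
            free(r->answers[i]);
        free(r->answers);
    }
    free(r);
}

/* Vulnerable shape: 'r' is declared but not initialised, and the shared error
 * path frees it. A packet shorter than the header reaches free() with an
 * indeterminate pointer, which is exactly the class of bug in the advisory.
 * Only its safe path is exercised below; the bad path is undefined behaviour. */
static int parse_header_vulnerable(const uint8_t *buf, size_t len, reply_t **out)
{
    reply_t *r;                          /* BUG: never initialised */

    if (len < 4)
        goto fail;                       /* free(r) below with garbage in r */
    r = calloc(1, sizeof *r);
    if (r == NULL)
        return -1;
    r->id = (uint16_t)((buf[0] << 8) | buf[1]);
    r->ancount = (uint16_t)((buf[2] << 8) | buf[3]);
    *out = r;
    return 0;
fail:
    free(r);                             /* undefined when r was never assigned */
    return -1;
}

/* Hardened parser for a constructed format: 2-byte id, 2-byte ancount, then
 * ancount records of [1-byte length][length bytes]. Returns 0 on success and
 * -1 on malformed input; on failure *out is NULL and nothing is leaked. */
static int parse_reply(const uint8_t *buf, size_t len, reply_t **out)
{
    reply_t *r = NULL;                   /* initialised, so free(r) is always defined */
    size_t off = 4;

    *out = NULL;
    if (buf == NULL || len < 4)
        goto fail;                       /* header missing: free(NULL) is safe */
    r = calloc(1, sizeof *r);
    if (r == NULL)
        goto fail;
    r->id = (uint16_t)((buf[0] << 8) | buf[1]);
    r->ancount = (uint16_t)((buf[2] << 8) | buf[3]);
    r->answers = calloc(r->ancount ? r->ancount : 1, sizeof *r->answers);
    if (r->answers == NULL)
        goto fail;
    for (uint16_t i = 0; i < r->ancount; i++) {
        if (off >= len)
            goto fail;                   /* header claims more records than bytes */
        size_t rlen = buf[off++];
        if (rlen == 0 || rlen > len - off)
            goto fail;                   /* record length runs past the packet */
        r->answers[i] = malloc(rlen + 1);
        if (r->answers[i] == NULL)
            goto fail;
        memcpy(r->answers[i], buf + off, rlen);
        r->answers[i][rlen] = '\0';
        off += rlen;
    }
    *out = r;
    return 0;
fail:
    reply_free(r);                       /* frees only what was allocated */
    return -1;
}

/* Constructed sample packets (not captured DNS traffic). */
static const uint8_t GOOD_REPLY[] = {
    0x12, 0x34, 0x00, 0x02,              /* id, ancount = 2 */
    4, 'm', 'x', '0', '1',
    3, 'm', 'x', '2'
};
static const uint8_t TRUNCATED_REPLY[] = {   /* second record claims 9 bytes */
    0x12, 0x34, 0x00, 0x02,
    4, 'm', 'x', '0', '1',
    9, 'm', 'x'
};
static const uint8_t OVERCLAIM_REPLY[] = {   /* ancount = 3, only one record */
    0x12, 0x34, 0x00, 0x03,
    4, 'm', 'x', '0', '1'
};

/* Number of answers parsed, or -1 if the packet was rejected. */
static int answers_in(const uint8_t *buf, size_t len)
{
    reply_t *r = NULL;
    if (parse_reply(buf, len, &r) != 0)
        return -1;
    int n = r->ancount;
    reply_free(r);
    return n;
}

/* 1 if the packet parses and its first answer equals 'expect', else 0. */
static int first_answer_is(const uint8_t *buf, size_t len, const char *expect)
{
    reply_t *r = NULL;
    if (parse_reply(buf, len, &r) != 0)
        return 0;
    int match = r->ancount > 0 && strcmp(r->answers[0], expect) == 0;
    reply_free(r);
    return match;
}

int main(void)
{
    reply_t *hdr = NULL;
    if (parse_header_vulnerable(GOOD_REPLY, sizeof GOOD_REPLY, &hdr) == 0)
        reply_free(hdr);                 /* safe path only */
    printf("good: %d answers\n", answers_in(GOOD_REPLY, sizeof GOOD_REPLY));
    printf("truncated: %d\n", answers_in(TRUNCATED_REPLY, sizeof TRUNCATED_REPLY));
    printf("overclaim: %d\n", answers_in(OVERCLAIM_REPLY, sizeof OVERCLAIM_REPLY));
    printf("short: %d\n", answers_in(GOOD_REPLY, 3));
    return 0;
}
```

The difference that matters is the first line of each parser: the hardened version's `reply_t *r = NULL;` makes every jump to the error label well defined, and keeping partially built state inside the object being returned (rather than in loose locals) means one cleanup routine can release whatever was allocated before the packet was rejected.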

This flaw has been assigned the CVE candidate number CAN-2003-0688 by Mitre, but there was no further information at the Mitre site at the time this article was published.

The FreeBSD organization has reported that Sendmail versions 8.12.0 through 8.12.8 are vulnerable to this remote DoS attack. Sendmail 8 is the default MTA for FreeBSD, so this applies to most recent FreeBSD versions.

SuSE Linux 8.0, 8.1, and 8.2, as well as SuSE Linux Enterprise Server 8, contain vulnerable versions of Sendmail. See the SuSE Linux Security Announcement SuSE-SA:2003:035 for additional details. Other Linux and UNIX distributions that are running the affected versions of Sendmail 8.12.x are also potentially vulnerable to this flaw.

Risk level—serious
This vulnerability lets a remote attacker crash Sendmail child processes on a targeted server, so it needs to be taken seriously. Note what the attacker needs: not the ability to deliver mail to the server, but the ability to answer (or spoof an answer to) a DNS query that the server makes through a DNS map, for example from a DNS server under the attacker's control.

Fix—upgrade Sendmail or patch
There is no workaround for this vulnerability other than to avoid the use of DNS maps, which is not practical for sites that rely on them. The vulnerable code runs only when the configuration actually defines a DNS map; features such as enhdnsbl (the enhanced DNS blacklist) create one, so a site can tell whether it is exposed at all by looking in its generated sendmail.cf for map definitions of class dns (K lines that name the dns map class). If any are present, the only real fix is to upgrade or patch your Sendmail systems.

Specific patches will be available for many individual Linux and UNIX distributions. For example, a patch is available for FreeBSD 5.0, 4.8, 4.7, and 4.6 systems. Version 8.12.9 is not vulnerable to this attack, so upgrading to that version or later will eliminate the risk.

What the Sendmail report describes as a "trivial" patch is also included in that report on this vulnerability.

Also watch out for…
  • SoBig.F isn't dead; it's just dormant. Romanian-based security company Softwin SRL says there are already variants out there in the wild that target different IP addresses (including one aimed at Time-Warner's servers). Many security specialists note that SoBig.F appears to be scheduled to deactivate on Sept. 10, leading to concerns that a major new attack could be scheduled for Sept. 11. If nothing else, make sure that you explicitly block UDP port 8998, which the worm uses to contact its update servers, on your firewall(s).
  • Debian Security Advisory DSA 374-1 says that a buffer overflow can be caused by the use of an extra-long password sent to the PAM authentication module and recommends that users update the libpam-smb package. The problem has already been fixed in version 1.1.6-1.1woody1.
  • Hewlett-Packard says a Tru64 SSH vulnerability can lead to system compromise. The bulletin reports that HP Tru64 UNIX 5.1B PK2 (BL22) and HP Tru64 UNIX 5.1A (all Base Levels) are affected. An update is already available for Tru64 UNIX 5.1A, and 5.1B will be fixed in the forthcoming aggregate patch kit, PK3. The problem lies in the way SSH handles RSA signatures. The workaround for version 5.1B is to use the default public key algorithm, DSA. Since this is the default, just don't pass the -t option, or explicitly select DSA using "# ssh-keygen2 -t dsa."
  • Microsoft has updated MS03-030, "Unchecked Buffer in DirectX," (originally posted on July 23) with patches for additional DirectX versions. According to ZDNet, Microsoft is now urging users to make the required update because exploits of this vulnerability may be the next major threat to Windows systems—potentially more dangerous than the flaws exploited by the recent SoBig and Blaster attacks.
  • Turbolinux Server versions 6.1, 6.5, 7, and 8, along with Advanced Server 6 and Workstation versions 6.0, 7, and 8, contain multiple vulnerabilities in the GNOME display manager as well as a cross-site scripting vulnerability in Perl. Turbolinux users should check the vendor site for updates.
  • eWeek reports that Microsoft SQL Server databases are being attacked by a worm called Voyager Alpha Force, which is apparently not the same as the worm of a similar name that appeared a few years ago. The new worm scans for port 1433 (the default port for SQL Server) and attempts to log on as the administrative account with a blank password.
