In my March 17 column, I addressed a major vulnerability in Sendmail. No sooner had administrators begun to follow the recommendations of the Sendmail Consortium to upgrade to version 8.12.8 than Michal Zalewski reported another critical vulnerability in the Sendmail prescan() procedure. This vulnerability applies to all versions of Sendmail prior to and including version 8.12.8.

According to the CERT report CA-2003-12, “Buffer Overflow in Sendmail,” the newest Sendmail problem results from faulty address parsing that fails to check the length of e-mail addresses. The Mitre Common Vulnerability designation for this most recent Sendmail flaw is CAN-2003-0161.

Zalewski’s notification to Sendmail on March 18 indicated that the “address parser performs insufficient bounds checking in certain conditions due to a char to int conversion, making it possible for an attacker to take control of the application.” reports that someone posted this exploit to a public list, forcing them to take the unusual step of releasing the new version over a weekend.
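As an added illustration of the bug class the quoted note describes, and not Sendmail's own prescan() code, the following C shows how an end-of-input sentinel of -1 collides with a 0xFF data byte once a plain char is promoted to int, so the scanner's idea of where input ends is driven by attacker data; the sample address, the NOCHAR value and the helper names are constructed for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical scanner, not Sendmail's prescan(): NOCHAR (-1) means
 * "no more input", and downstream length logic trusts that signal. */
#define NOCHAR (-1)

/* Careless read: a plain char promoted to int.  On targets where char
 * is signed, the byte 0xFF becomes -1, which is indistinguishable from NOCHAR. */
static int next_signed(const char *p)
{
    return *p;
}

/* Safe read: mask to 0..255 (equivalently cast through unsigned char),
 * so no data byte can ever compare equal to the negative sentinel. */
static int next_masked(const char *p)
{
    return *p & 0377;
}

/* Scan up to len bytes, stopping where the reader reports NOCHAR.
 * Returns how many bytes the scanner treated as real input. */
static size_t scan_until_nochar(const char *buf, size_t len,
                                int (*next)(const char *))
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (next(buf + i) == NOCHAR)
            break;          /* scanner believes the input ended here */
    }
    return i;
}

/* Constructed sample: a 0xFF byte embedded in an otherwise ordinary
 * address (split literal so "e" is not swallowed by the \x escape). */
static const char sample[] = "user@\xff" "example.org";
#define SAMPLE_LEN (sizeof sample - 1)   /* 17 bytes */

size_t bytes_seen_signed(void) { return scan_until_nochar(sample, SAMPLE_LEN, next_signed); }
size_t bytes_seen_masked(void) { return scan_until_nochar(sample, SAMPLE_LEN, next_masked); }
int char_is_signed(void) { return CHAR_MIN < 0; }

int main(void)
{
    printf("char is %s: plain-char scan sees %zu of %zu bytes, masked scan sees %zu\n",
           char_is_signed() ? "signed" : "unsigned",
           bytes_seen_signed(), (size_t)SAMPLE_LEN, bytes_seen_masked());
    return 0;
}
```

On a signed-char target the plain-char scan stops at the 0xFF byte after 5 bytes, while the masked scan always sees all 17; any bounds check that is only applied, or skipped, depending on "did we hit NOCHAR" is therefore under the sender's control in the first version.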

The Symantec report on this vulnerability includes an exhaustive list of versions and platforms that are affected, but basically any version of Sendmail prior to 8.12.9 is vulnerable.

CERT lists the following versions that are specifically vulnerable to this threat:

  • Sendmail Pro (all versions)
  • Sendmail Switch 2.1 prior to 2.1.6
  • Sendmail Switch 2.2 prior to 2.2.6
  • Sendmail Switch 3.0 prior to 3.0.4
  • Sendmail for NT 2.X prior to 2.6.3
  • Sendmail for NT 3.0 prior to 3.0.4
  • Open source versions of Sendmail prior to 8.12.9

Except for indexing the version numbers by one, this is the same list published in the March 17 Locksmith column. So if you were affected by that vulnerability, you are also at risk for this threat even if you followed the procedures to upgrade to Sendmail version 8.12.8.

Risk level—critical
The Sendmail Consortium rates this as a “critical” threat. The story on this threat points out that Sendmail processes 60 to 70 percent of the world’s e-mail, which makes it a potentially widespread threat as well.

Unfortunately, Sendmail is enabled by default in most Linux and UNIX distributions. Even worse, because the attack vector lies in the malformed messages to which only Sendmail is susceptible, messages can pass through other mail software and still attack a Sendmail-based server on a company network not attached directly to the Internet.

Exploiting this vulnerability can allow an attacker to run arbitrary code on the penetrated system and, because the Sendmail daemon normally runs with root privileges, this is a very serious threat. An attack utilizing this vector could also result in a denial of service.

Fix—upgrade or patch
Full details of the changes made in Sendmail with the release of version 8.12.9 are provided on the Sendmail site, and open source users should go there or to the page on patching Sendmail. The changes, of course, aren’t limited to those necessary to address this new vulnerability.

No workaround is listed for this vulnerability, but according to the Sendmail Security Alert page, “The patch is an easy install, and should only take a few minutes per system.”

Customers of the commercial Sendmail Inc. version of the product can obtain the patch here. For those who are running any version of Sendmail Switch, Sendmail Inc. is providing free upgrades to Sendmail Switch 2.2. Sendmail Switch customers who have already upgraded to fix the March 3 bug in Sendmail can simply download and apply the patch from here.

Patches are not available for Sendmail versions prior to 8.9, but those versions are also reported by Sendmail to be vulnerable. Those running these earlier versions will need to upgrade.

Final word
It’s certainly distressing that two major problems have been found in Sendmail in fewer than 30 days. But the Sendmail Consortium appears to be right on top of new threats and is responding quickly.