sendmail vuln advisories (CVE-2006-0058)

From: Marc Bejarano (bugtraq@beej.org)
Date: Wed Mar 22 2006 - 11:24:34 CST


the official advisory from http://www.sendmail.com/company/advisory/
===
Sendmail MTA Security Vulnerability

March 22, 2006

I. Overview

Sendmail, Inc. has recently become aware of a security vulnerability in
certain versions of sendmail Mail Transfer Agent (MTA) and UNIX and Linux
products that contain it. Sendmail was notified by security researchers at
ISS that, under some specific timing conditions, this vulnerability may
permit a specifically crafted attack to take over the sendmail MTA process,
allowing remote attackers to execute commands and run arbitrary programs on
the system running the MTA, affecting email delivery, or tampering with
other programs and data on this system. This vulnerability is being
tracked as CVE-2006-0058 and can be found at
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058.

Sendmail is not aware of any public exploit code for this
vulnerability. This connection-oriented vulnerability does not occur in
the normal course of sending and receiving email. It is only triggered
when specific conditions are created through SMTP connection layer commands.

Sendmail has confirmed the technical issue exposing this vulnerability and
is providing patches that resolve it in our open source and commercial
products. Sendmail has also alerted CERT® Coordination Center (CERT/CC),
who has notified US-CERT.
In close coordination with CERT/CC and Internet Security Systems (ISS),
Sendmail has taken the following actions:

  1. Implemented and certified software patches for open source sendmail
     MTA versions 8.12 and 8.13
  2. Implemented and certified software patches/upgrades for impacted
     commercial Sendmail products
  3. Worked with ISS to validate the developed patches and assure their
     effectiveness
  4. Collaborated with CERT/CC to notify and provide other vendors who use
     the sendmail MTA with the required source code patches

II. Impact

Within certain operating system architectures, a remote attacker may be
able to force certain timing conditions that would allow execution of
arbitrary code or commands on a vulnerable system. Systems running an MTA
are typically deployed in the DMZ as a gateway for delivering inbound and
outbound email, though they may also be used for internal email delivery
between systems or applications. In the case of a compromised system, an
attack could lead to exposure, deletion, or modification of programs and
data on the affected system, interference with or interception of email
delivery, and potentially unauthorized access to other systems in the
network. Systems running any of the following software are considered
vulnerable:

Open Source

  1. Sendmail 8.13.5 and earlier versions

Sendmail Commercial Products

  1. Sendmail Switch, Managed MTA, and Multi-Switch v 3.1.7 and earlier for
     Solaris, Linux, AIX, and HP-UX
  2. Sendmail Sentrion 1.1 Appliance
  3. Sendmail Advanced Message Server and Message Store v 2.2 and earlier
     for Solaris, Linux, AIX, and HP-UX
  4. Intelligent Quarantine 3.0 for Solaris and Linux

3rd Party Products Containing the MTA

Sendmail working with CERT/CC has notified affected vendors and provided
them with source code patches to sendmail MTA 8.12 and 8.13 for use in
their affected products. CERT/CC will publish specific vendor information
on the availability of customer patches.

III. Mitigation and Solution

Mitigation - Enable the RunAsUser option

The impact of this vulnerability can be reduced by setting the RunAsUser
option in the configuration file. Details are available in Sendmail’s
Knowledgebase article S10621 at
https://www.sendmail.com/cfusion/CFIDE/kb_doc.cfm?kb_id=S10621 or in this
PDF document http://www.sendmail.com/company/advisory/runasuser.pdf. It is
a good security practice to limit the privileges of applications and
services whenever possible. Setting the RunAsUser option will limit
privileges available to a remote attacker to those of a non-root user.

Solution – Upgrade or Apply a Patch

On March 22, 2006, Sendmail has released to all customers patches/upgrades
to the current version of the affected products. Customers with versions
of the product that are not supported will be provided with an upgrade to
the most current version of the software and the related patch. Sendmail
is also notifying customers without support of a special opportunity to
renew their support agreement.

The following table summarizes recommended actions by product version and
platform.

<see original advisory for table>

Customers with current support agreements can review Knowledgebase entries
posted for all of the above products at
http://www.sendmail.com/customerlogin/. With any additional questions,
please contact Sendmail Technical Support by logging a case
online. Customers without login to Knowledgebase can review this
information at http://www.sendmail.com/support/.

Customers without current support agreements are advised of the following
special support opportunities:

  1. For customers who re-instate lapsed support agreements by April 28th,
     2006 by purchasing current product version and one year support,
     Sendmail will waive the re-instatement fee normally charged for lapsed
     time.

Customers re-instating their support are entitled to future product
upgrades, including Switch/Multiswitch 3.2 (planned for availability in
April 2006) with the following enhancements:

  1. Integration of sendmail MTA 8.13 with support for a number of new
     threat protection and management features
  2. Flow Control reporting and monitoring integrated in Switch UI for
     individual systems or the entire cluster
  3. Asynchronous deployment and monitoring across all cluster members,
     enabling these activities to run in parallel
  4. DKIM signing of outgoing email and DK/DKIM validation of incoming
     email, enabling classification of validly signed, forged, or unsigned
     messages to reduce the risk of phishing and spoofing
  5. Customers may request a limited technical support option for
     assistance with upgrading to Switch 3.1 product version. This email-only
     support option is available free of charge until April 28th, 2006 and
     for a one time charge of $949.00 thereafter.

To take advantage of these limited time support opportunities, please
contact Sendmail by phone (see numbers below) or by email to
customerservice@sendmail.com to request one of these options.

Phone contact information:
<see original advisory for table>

* If this is your first time accessing Sendmail's support system since
February 6th, 2006, you will need to set up a new password. Please follow
these steps:

  1. Visit https://www.sendmail.com/cfusion/CFIDE/nupw.cfm
  2. Enter your email address and select the "Submit" button.
  3. An email message containing a temporary password will be sent to your
     email address. Follow the instructions in that message to create a
     permanent password.

IV. FAQ

How was this issue discovered?

Sendmail was recently notified by security researchers at ISS that they
discovered certain timing conditions that may permit a specifically crafted
attack to take over the sendmail MTA process.

How difficult would it be for someone to exploit this theoretical
vulnerability?

This requires creating very specific timing conditions using SMTP
connection layer commands and delivering specific email payload. Someone
with specific network programming skills would be required to create a
successful exploit.

Has anyone been impacted by this?

No, this is a theoretical vulnerability that does not occur during the
normal course of sending and receiving email. Sendmail is not aware of any
public exploits for this issue on the Internet.

What should a user look for to know if they have been impacted?

There are no known exploits with specific trails that a user could look for
at this time.

What could happen if someone does exploit this?

In theory, the attacker may gain the privileges of the sendmail process
running on a system and run arbitrary commands and code, subject to those
privileges. This could allow someone to interfere with email delivery,
tamper with other programs and data on the systems, or try to gain access
to other systems on the same network.

Are sendmail MTAs behind my firewall vulnerable?

Most vulnerable MTAs are the ones that are directly accessible to the
outside world. These are gateway MTAs that are directly connected to the
Internet or are behind a firewall that allows port 25 traffic to pass
through. These servers should be patched first. An MTA deployed on an
internal network is not vulnerable to an outside attack, but could be
affected by an attack launched from the internal network.

Is this a recently introduced problem, or has it been present for some time?

This problem has been present for some time, and it has only recently been
discovered through some very specific conditions created in the lab.

Has Sendmail had similar security issues in the past?

Previous to this issue Sendmail had a few issues raised in 2003, which
were quickly addressed. Although this type of occurrence is not uncommon
in the industry, Sendmail has established procedures to quickly and
pro-actively respond to security issues. ISS has complimented Sendmail for
our quick and comprehensive response, welcoming our efforts to not only
resolve the reported issue, but to deploy additional resources to review
and update any related code.

What are you doing to notify affected users?

Sendmail has worked with CERT/CC to manage the communications process for
affected vendors, whose products may be based on the sendmail MTA
software. We are also notifying the open source community and our
commercial customers about this issue and immediate availability of patches
and upgrades to correct it.

What should users do until they can install the patches?

Users of sendmail MTA should ensure that they use the RunAsUser
configuration option in their environment to reduce the scope of privileges
available to the sendmail process. While this doesn’t close the
vulnerability, it reduces the impact of any potential exploitation.

What should the users do to request the patches?

Sendmail is notifying our commercial customers about the patches for
specific product releases and platforms and providing the information on
how to download and obtain these patches or upgrades.
Open source users can get patches from ftp://ftp.sendmail.org/pub/sendmail/
and should also subscribe to sendmail-announce mailing list for any other
updates by sending mail to sendmail-announce-request@lists.sendmail.org.

What about 3rd party vendors using the sendmail MTA?

Sendmail has worked with CERT/CC to notify the vendors and provide source
code patches. Please monitor CERT/CC vulnerabilities page at
http://www.cert.org/nav/index_red.html for updates on patch availability
from other vendors.

What versions of the Open Source sendmail MTA are affected?

Versions of the MTA prior to 8.13.5 are affected by this issue. Open
source patches are available for 8.12 and 8.13 versions as 8.12.11.20060308
and 8.13.6. The Sendmail Consortium strongly suggests that users upgrade to
8.13.6. Please refer to http://www.sendmail.org/8.13.6.html for more details.

How important is this issue, how quickly should I plan to upgrade?

Sendmail’s threat assessment of this issue is Risk: Medium; Impact:
High. Sendmail recommends that customers plan to upgrade their externally
accessible MTAs as part of their regularly scheduled maintenance, followed
by upgrade to any internal MTAs at a convenient time.

Is this issue related to the recent OpenSSL security advisory?

No, this vulnerability is not related to OpenSSL advisory CAN-2005-2969
(Potential SSL 2.0 Rollback). However, the Switch 3.1.8 cumulative patch
also provides an upgrade to OpenSSL that addresses the issue documented in
that advisory.

What are all the new changes included in the 3.1.8 patch?

This patch is cumulative to Switch 3.1.7 patch, and includes the following:

  1. Changes to the sendmail MTA binary to resolve this vulnerability
  2. A few additional MTA fixes to resolve customer issues
  3. Upgrade of 3rd party packages, including:
       1. OpenSSL is upgraded to version 0.9.6m and includes a fix for
          CAN-2005-2969 (Potential SSL 2.0 Rollback).
       2. Apache is upgraded to version 1.3.34.
       3. Mod SSL upgraded to 2.8.25-1.3.34.

How can I verify this is a legitimate security advisory?

Customers can contact Sendmail Technical Support as listed on
http://www.sendmail.com/support/contact/ to verify the authenticity of this
advisory. The email notification sent to Sendmail customers is signed with
PGP, using Sendmail, Inc. Security Officer PGP key, available at:
http://www.sendmail.com/security/security-officer.asc. In addition, a PGP
signed copy is available for download at:
http://www.sendmail.com/company/advisory/index.shtml, signed with the same key.
===

the advisory from the discoverers from
http://xforce.iss.net/xforce/alerts/id/216
===
Internet Security Systems Protection Advisory
March 22, 2006

Sendmail Remote Signal Handling Vulnerability

Summary:

ISS has shipped protection for a flaw X-Force has discovered in
the Sendmail server software. By sending malicious data at certain
time intervals, it is possible for a remote attacker to corrupt arbitrary
stack memory and gain control of the affected host.

ISS Protection Strategy:

ISS has provided preemptive protection for these vulnerabilities. We
recommend that all customers apply applicable ISS product updates.

Network Sensor 7.0 and Proventia A:
XPU 24.29 / 2/14/06
SMTP_Timeout_Bo

Proventia G100/G200/G1000/G1200 prior to Firmware Version 1.2:
XPU 24.29 / 2/14/06
SMTP_Timeout_Bo

Proventia G100/G200/G1000/G1200/G400/G2000 Firmware Version 1.2 or
later:
XPU 1.68 / 2/14/06
SMTP_Timeout_Bo

Proventia M:
XPU 1.68 / 2/14/06
SMTP_Timeout_Bo

Server Sensor 7.0:
Buffer Overflow Exploit Protection (BOEP)
XPU 24.29 / 2/14/06
SMTP_Timeout_Bo

Proventia Server:
Buffer Overflow Exploit Protection (BOEP)
Version 1.0.914.300 / 2/14/06
SMTP_Timeout_Bo

Proventia Desktop:
Buffer Overflow Exploit Protection (BOEP)
Version 8.0.675.1200 / 2/14/06
SMTP_Timeout_Bo

RealSecure Desktop 7.0:
Version EOZ / 2/14/06
SMTP_Timeout_Bo

BlackICE Agent for Server 3.6:
Version EOZ / 2/14/06
SMTP_Timeout_Bo

BlackICE PC Protection 3.6:
Version COZ / 2/14/06
SMTP_Timeout_Bo

BlackICE Server Protection 3.6:
Version COZ / 2/14/06
SMTP_Timeout_Bo

These updates are now available from the ISS Download Center at:
http://www.iss.net/download.

Business Impact:

Compromise of networks and machines using affected versions of Sendmail
may lead to exposure of confidential information, loss of productivity,
and further network compromise. An attacker does not need to entice any
kind of user interaction to trigger this vulnerability.
Successful exploitation would grant an attacker the privileges that the
sendmail server daemon is running with.

Affected Products:

Sendmail 8.13.X – all versions

Note: SendmailX is NOT affected by this vulnerability.

Description:

Sendmail is a popular SMTP server daemon used on mail gateways and
forwarders to route and deliver email. It is primarily used in
UNIX server environments, although versions exist for Windows as well.

Sendmail contains a signal race vulnerability when receiving and
processing mail data from remote clients. Sendmail utilizes a signal
handler for dealing with timeouts that is not async-safe and interruption
of certain functions by this signal handler will cause static data
elements to be left in an inconsistent state. These data elements can be
used to write data to invalid parts of the stack (or heap in some
scenarios), thus taking control of the vulnerable process.

In order to exploit this vulnerability, an attacker simply needs to be
able to connect to sendmail SMTP server. This is a multi-shot exploit,
meaning the attacker can attempt to exploit it an indefinite amount
of times, since sendmail spawns a new process for each connected
client.

The ISS X-Press Updates detailed above have the ability to protect
against attack attempts targeted at Sendmail.

Additional Information:

Sendmail Security Bulletin:
http://www.sendmail.org/8.13.6.html

Credit:

This vulnerability was discovered and researched by Mark Dowd of the ISS
X-Force.

______

About Internet Security Systems, Inc.
Internet Security Systems, Inc. (ISS) is the trusted security advisor
to thousands of the world’s leading businesses and governments,
providing preemptive protection for networks, desktops and
servers. An established leader in security since 1994, ISS’
integrated security platform automatically protects against both
known and unknown threats, keeping networks up and running and
shielding customers from online attacks before they impact business
assets. ISS products and services are based on the proactive
security intelligence of its X-Force® research and development
team – the unequivocal world authority in vulnerability
and threat research. ISS’ product line is also complemented
by comprehensive Managed Security Services. For more information,
visit the Internet Security Systems Web site at www.iss.net
or call 800-776-2362.
===
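The coding rule that the ISS description says was violated (a timeout signal handler that is not async-signal-safe and leaves static data half-updated) is easier to review against a concrete safe pattern. The block below is an added example; it is not sendmail code and is not taken from either advisory. It shows a SIGALRM handler that does nothing but set a `sig_atomic_t` flag, with the signal kept blocked except inside `pselect()`, so the flag check and the blocking wait cannot be separated by a late-arriving signal. Every name in it (`read_line_timeout`, `demo_idle_client`, `demo_prompt_client`), the 200 ms budget and the `EHLO` line are constructed for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/* Added illustration, not sendmail code. The anti-pattern ISS describes is a
 * SIGALRM handler that does real work (writes a timeout message through the
 * same static I/O buffers the interrupted code was updating, or longjmp()s out
 * of it), so a signal at the wrong instant leaves static state half-updated.
 * Safe discipline: the handler only sets a flag, and SIGALRM is kept blocked
 * except inside pselect(), so it cannot land between a flag check and a wait. */
static volatile sig_atomic_t timed_out;

static void on_alarm(int sig)
{
    (void)sig;
    timed_out = 1;   /* async-signal-safe: no I/O, no malloc, no longjmp, no shared buffers */
}

enum read_status { READ_OK = 0, READ_TIMEOUT = 1, READ_EOF = 2, READ_ERROR = 3 };

/* Read one '\n'-terminated line (at most len-1 bytes) from fd, giving up after
 * timeout_ms. All state belongs to the caller; the handler never touches it. */
enum read_status read_line_timeout(int fd, char *out, size_t len, unsigned timeout_ms)
{
    sigset_t block, orig, wait_mask;
    struct sigaction sa, old;
    struct itimerval it, off;
    size_t n = 0;
    enum read_status st = READ_OK;
    if (len == 0) return READ_ERROR;

    /* 1. SIGALRM stays blocked in ordinary code; only pselect() lets it in. */
    sigemptyset(&block); sigaddset(&block, SIGALRM);
    sigprocmask(SIG_BLOCK, &block, &orig);
    wait_mask = orig; sigdelset(&wait_mask, SIGALRM);

    /* 2. Minimal handler, no SA_RESTART, so the wait returns EINTR. */
    memset(&sa, 0, sizeof sa); sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask); sigaction(SIGALRM, &sa, &old);

    /* 3. One-shot timer. */
    memset(&it, 0, sizeof it); memset(&off, 0, sizeof off);
    it.it_value.tv_sec = timeout_ms / 1000; it.it_value.tv_usec = (timeout_ms % 1000) * 1000;
    timed_out = 0; setitimer(ITIMER_REAL, &it, NULL);

    while (n + 1 < len) {
        fd_set rfds; char c; ssize_t r;
        FD_ZERO(&rfds); FD_SET(fd, &rfds);
        if (pselect(fd + 1, &rfds, NULL, NULL, NULL, &wait_mask) < 0) {
            if (errno != EINTR) { st = READ_ERROR; break; }
            if (timed_out) { st = READ_TIMEOUT; break; }
            continue;                /* some other signal: keep waiting */
        }
        r = read(fd, &c, 1);
        if (r < 0) { st = READ_ERROR; break; }
        if (r == 0) { st = READ_EOF; break; }
        out[n++] = c;
        if (c == '\n') break;
    }
    if (st == READ_OK && (n == 0 || out[n - 1] != '\n'))
        st = READ_ERROR;             /* buffer full before newline: refuse, never truncate silently */
    out[n] = '\0';

    /* 4. Disarm, then unblock while our harmless handler is still installed, so a
     *    pending SIGALRM cannot hit the restored disposition (default: terminate). */
    setitimer(ITIMER_REAL, &off, NULL);
    sigprocmask(SIG_SETMASK, &orig, NULL);
    sigaction(SIGALRM, &old, NULL);
    return st;
}

/* Constructed scenario: a pipe nobody writes to stands in for an idle client. */
int demo_idle_client(void)
{
    int p[2]; char line[64]; enum read_status st;
    if (pipe(p) < 0) return -1;
    st = read_line_timeout(p[0], line, sizeof line, 200);   /* 200 ms budget */
    close(p[0]); close(p[1]);
    return (int)st;
}

/* Constructed scenario: a client that sends one command line in time.
 * Returns 1 only if the line came back intact with READ_OK. */
int demo_prompt_client(void)
{
    static const char msg[] = "EHLO client.example\r\n";   /* constructed input */
    int p[2]; char line[64]; enum read_status st;
    if (pipe(p) < 0) return -1;
    if (write(p[1], msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) return -1;
    st = read_line_timeout(p[0], line, sizeof line, 200);
    close(p[0]); close(p[1]);
    return st == READ_OK && strcmp(line, msg) == 0;
}

int main(void)
{
    printf("idle client   -> %d (1 = READ_TIMEOUT)\n", demo_idle_client());
    printf("prompt client -> %d (1 = line read intact)\n", demo_prompt_client());
    return 0;
}
```

This is the review check to apply to any timeout handler in a forking daemon, not the fix for CVE-2006-0058 itself; the fix is the vendor patch or the 8.13.6 upgrade the advisories list. The RunAsUser mitigation the Sendmail advisory recommends (`O RunAsUser=user:group` in sendmail.cf, `confRUN_AS_USER` in the m4 source) is the complementary control: even when the handler is written this way, the process that talks to the network should hold only a non-root user's privileges, so that a bug in it yields those privileges rather than root's.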