Sendmail Flaw Puts Millions of Mail Servers at Risk

A flaw in the popular Sendmail Mail Transfer Agent could let attackers gain root privileges on affected machines.

Researchers have discovered a critical new security vulnerability that places millions of mail servers all over the Internet at risk of compromise. The flaw is in the immensely popular Sendmail Mail Transfer Agent and could enable an attacker to gain root privileges on affected machines.

The vulnerability affects Sendmail versions 5.79 through 8.12.7 on Unix and Linux machines.

The problem occurs when the Sendmail MTA processes and evaluates header fields in SMTP e-mails. When the software encounters a field that contains e-mail addresses or lists of addresses, it tries to evaluate whether the addresses are valid. To do this, Sendmail uses the crackaddr() function. The server uses a static buffer to store the data that has been processed and when the buffer is full, it stops adding characters to the buffer.

Sendmail uses several separate security checks in order to make sure it is parsing the characters correctly, and one of these checks contains a vulnerability, according to an advisory published by Internet Security Systems Inc.s X-Force research team, which discovered the flaw.

In order to exploit this issue, the attacker need only send an e-mail with a specially formatted address field, which would trigger an overflow of the buffer in question. This would give the attacker unrestricted privileges on the compromised machine. Typical protection technologies such as firewalls, intrusion detection systems and others would have no effect on this attack because it would come in looking just like any other e-mail message.

The discovery of this vulnerability became an early and important test for the new Department of Homeland Security, which became fully operational on March 1. When researchers at ISS in Atlanta realized the nature and scope of the weakness in Sendmail, they called both the Office of Cyberspace Security at the White House and Homeland Security on Feb. 14. After verifying the researchers data, the government and ISS both began calling affected vendors, alerting them to the problem.

While the vendors worked on patches, DHS officials began calling around Washington informing experts at the Department of Defense, FedCIRC and the Federal CIO Council of the Sendmail vulnerability, said Alan Paller, director of research at The SANS Institute in Bethesda, Md., who was involved in the early notifications. Together with the vendors, these groups and the ISS hashed out a timetable for releasing the vulnerability advisory and the patches.