Researchers have discovered a critical new security vulnerability that places millions of mail servers all over the Internet at risk of compromise. The flaw is in the immensely popular Sendmail Mail Transfer Agent and could enable an attacker to gain root privileges on affected machines.
The vulnerability affects Sendmail versions 5.79 through 8.12.7 on Unix and Linux machines.
The problem occurs when the Sendmail MTA processes and evaluates header fields in SMTP e-mails. When the software encounters a field that contains e-mail addresses or lists of addresses, it tries to evaluate whether the addresses are valid. To do this, Sendmail uses the crackaddr() function. The server uses a static buffer to store the data that has been processed and when the buffer is full, it stops adding characters to the buffer.
Sendmail uses several separate security checks in order to make sure it is parsing the characters correctly, and one of these checks contains a vulnerability, according to an advisory published by Internet Security Systems Inc.s X-Force research team, which discovered the flaw.
In order to exploit this issue, the attacker need only send an e-mail with a specially formatted address field, which would trigger an overflow of the buffer in question. This would give the attacker unrestricted privileges on the compromised machine. Typical protection technologies such as firewalls, intrusion detection systems and others would have no effect on this attack because it would come in looking just like any other e-mail message.
The discovery of this vulnerability became an early and important test for the new Department of Homeland Security, which became fully operational on March 1. When researchers at ISS in Atlanta realized the nature and scope of the weakness in Sendmail, they called both the Office of Cyberspace Security at the White House and Homeland Security on Feb. 14. After verifying the researchers data, the government and ISS both began calling affected vendors, alerting them to the problem.
While the vendors worked on patches, DHS officials began calling around Washington informing experts at the Department of Defense, FedCIRC and the Federal CIO Council of the Sendmail vulnerability, said Alan Paller, director of research at The SANS Institute in Bethesda, Md., who was involved in the early notifications. Together with the vendors, these groups and the ISS hashed out a timetable for releasing the vulnerability advisory and the patches.
Officials at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh were also informed on the issue, and they sent early notifications to the affected Linux and BSD developers. By late the next week, it had become clear that not all of the smaller vendors would be able to produce their patches in time for the release of the advisory the following week, Paller said. But officials worried that delaying the release might give crackers a head start if any of them had caught wind of the flaw.
However, researchers at ISS reported that none of their sensors had picked up any active exploitation of this vulnerability, nor had there been any chatter about it on the cracker discussion groups. Eventually, the group decided to delay the advisorys release until March 3. In the interim, the available patches were given to the Department of Defense and deployed on vulnerable military servers.
Late last week, other government and military groups in the United States and abroad were given advance notice of the vulnerability to prepare them for the patches release the following Monday. The group also informed the CIOs of all of the Cabinet-level departments and the heads of the Information Sharing and Analysis Centers.
Experts estimate that Sendmail handles upward of 50 percent of the mail traffic on the Internet and it is distributed in various forms by numerous vendors. IBM, Apple Computer Inc., Hewlett-Packard Co. and Sun Microsystems Inc. all distribute Sendmail with some of their products, but not all of them are affected by this vulnerability. All of the affected vendors have been notified of the issue.
The Sendmail Consortium, which maintains the open-source version of the server, has released an updated version, 8.12..8, which fixes this vulnerability. Sendmail Inc., which sells a commercial version, has released a patch for its product, available on the companys Web site.
(Editors Note: This story was updated since its original posting to include the governments role in patching the flaw.)
For more information on patches for the flaw, check out:
Serious Vulnerability In Sendmail (Security Supersite)
Latest Security News:
Search for more stories by Dennis Fisher.
Find white papers on security.