Sendmail Vulnerability Threatens E-Mail Servers

A glitch in the open-source e-mail application may allow outsiders to take over computers running the software, according to security researchers and the Sendmail Consortium.

A significant vulnerability has been discovered in the Sendmail open-source e-mail application that could allow attackers to take over control of any devices running the affected software.

The flaw, first reported by security researchers at Atlanta-based Internet Security Systems, is present in Sendmail's e-mail server software and could be exploited by someone sending malicious data to a computer running the software at specific time intervals, ISS said.

If exploited in such a manner by an outsider, the flaw could allow the attacker to corrupt the application's memory and gain control of the device.

Sendmail Consortium, which oversees development of non-commercial versions of the e-mail software, released an updated version of the application that includes a security patch meant to fix the flaw.

The group cautioned all users of the Sendmail 8 version of the product to move to the new iteration, Version 8.13.6.


Users of Version 8.12.11 can apply the patch separately, but Sendmail Consortium said the fix would not work with earlier versions and indicated that the update could cause those versions to malfunction.
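The upgrade guidance above reduces to a small decision rule per installed host. The following is an added example, not code from the article or from the Sendmail Consortium: it parses the "Version 8.x.y" line that `sendmail -d0.1 -bv root` is assumed to print (the sample output below is constructed) and classifies the host against the 8.13.6 and 8.12.11 figures given in the text.

```python
import re

# Versions named in the advisory: the fixed release, and the single older
# release for which the Consortium said the standalone patch applies.
FIXED_VERSION = (8, 13, 6)
PATCHABLE_VERSION = (8, 12, 11)

# Constructed sample of the banner printed by `sendmail -d0.1 -bv root`
# (assumed format; only the Version line matters here).
SAMPLE_OUTPUT = """Version 8.13.6
 Compiled with: DNSMAP LOG MATCHGECOS MILTER NAMED_BIND NETINET
"""


def parse_version(text):
    """Return the dotted Sendmail version in `text` as an int tuple."""
    m = re.search(r"Version\s+(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Sendmail version line found")
    return tuple(int(x) for x in m.groups())


def advisory_status(version):
    """Classify a Sendmail 8 version against the advisory guidance.

    fixed        - at or above 8.13.6, the release carrying the fix
    apply-patch  - exactly 8.12.11, the only older release the patch supports
    upgrade      - any other 8.x release; the patch was said to break them
    """
    if version[0] != 8:
        return "not-sendmail-8"
    if version >= FIXED_VERSION:
        return "fixed"
    if version == PATCHABLE_VERSION:
        return "apply-patch"
    return "upgrade"


def classify_output(text):
    """Convenience wrapper: banner text in, advisory status out."""
    return advisory_status(parse_version(text))
```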

The affected e-mail server software is a descendant of the original ARPAnet delivermail application and remains one of the most popular MTAs (mail transfer agents) in use in the world. Sendmail Consortium contends that its Web server platform currently handles roughly 70 percent of the world's e-mail traffic.


Sendmail Inc., which markets commercial versions of the software, said the flaw affected its Sendmail Switch, Managed MTA, Multi-Switch v 3.1.7 and earlier versions, and its Sentrion 1.1 appliance. The glitch also affects its Advanced Message Server, Message Store v 2.2 and Intelligent Quarantine 3.0 applications.

Researchers said that once an attacker gains control of a machine harboring the vulnerability, it is possible that the attacker could then infiltrate a corporate network the exploited computer is connected to. ISS noted that the attacker would not need to trick the computer's user in any way to take advantage of the flaw.
