Sendmail flaw opens door to intruders

A correction was made to this story. Read below for details.

A serious flaw exists in certain versions of the popular Sendmail open-source and commercial e-mail software, but fixes are available, researchers said Wednesday.

The vulnerability, which was reported by Mark Dowd at Internet Security Systems, could allow a remote attacker to take control of an e-mail server. To do this, the intruder would send arbitrary code at carefully crafted time intervals to the SMTP mail server, according to alerts from security providers ISS and FrSirt.

An attack could interfere with or intercept mail delivery, permit the intruder to tamper with other programs and data on the vulnerable system, and potentially provide access to other systems on the affected machine's network.

The flaw relates to all Linux- and Unix-based versions of Sendmail 8 up to version 8.13.5, but not Microsoft Windows varieties of the open-source software, said the Sendmail Consortium, which oversees the project. Affected products put out by Sendmail Inc., which sells a commercial version, include Sendmail Switch, Sentrion and Advanced Message Server, according to a company alert.

Sendmail software delivers 70 percent of the world's e-mail messages, according to the consortium's estimates.

"Since SMTP is one of the few listening services allowed consistently through perimeter firewalls, we expect that many attackers will focus their efforts on developing techniques to exploit the vulnerability in order to gain entry into corporate and government networks," considered to be major Sendmail users, said Gunter Ollmann, director ISS's X-Force research team.

The threat analyst team at Symantec categorized the vulnerability as critical, meaning it has a significant chance of widespread exploitation.

A Sendmail Inc. representative said Wednesday that no exploits for the vulnerability have been reported, and noted that the flaw has been detected in the lab only.

However, the Sendmail Consortium strongly urged open-source users to upgrade to version 8.13.6 of the software, which contains a fix and is available through its Web site. Patches for two older versions of the software are also available for download, but the group discouraged that tactic, warning that the patches may not work properly.

For people who use the commercial software, a complete rundown of recommended actions is available through the Sendmail company advisory.

The incident isn't the first problem for the widely used software. Security researchers in 2003 identified a series of vulnerabilities.

 

Correction: This story incorrectly described what kind of system was at risk from an attack based on the Sendmail flaw. An intruder could take over e-mail servers using the flaw.

[jasred]

Fascinating!

Does this mean that Windows is more secure than Linux? How can this be true? All the 'nix gurus have been shouting to the roof tops for years that Windows is inherently more insecure than Linux and of course they are the experts!

The same application on two different OSs - one can be breached the other can't - can someone explain technically how this is possible :-)? (I suspect I know but I'd love to hear from the anti-MS mobbility).

[mwa423]

As usual, you don't understand the difference between an OS and a program

Windows and Linux are operating systems. Name the last serious hole in the linux kernel. Windows is an operating system, name the last serious hole....3 come to mind in the past year, the rpc hole, the lsass hole, and the wmf hole.

This is a program running on windows and linux that has a hole. It is not windows, it is not linux. Linux is, was, and will continue to be more secure then windows. I'm not exactally impressed with Microsoft's promises to have strong security in vista, wasn't XP supposed to be the end of all computer viruses?

Though...I should note, my computer is Windows XP SP2 (though, behind a router/hardware firewall, software firewall, and has 2 anti virus programs/anti spyware running at all times).

[Johnny Mnemonic]

Not to be to pendantic...

But, this is a "potential security vulnerability"
rather than an actual exploit. There is a
difference. Considering this fact and the fact that
server processes on Linux have context isolation,
this is not a Linux vulnerability, rather an
application vulnerability. Much like an Oracle
vulnerability would not be considered a Windows
vulnerability even though it is more likely to
be exploitable on Windows because of its architecture. I personally have migrated most of
my clients to "postfix" since it is better engineered.
Sendmail has always had a bad reputation. It is
generally considered a bit of a hack even after
it has been completely re-written in the last few
years.

[shantanu77]

Hand that runs 70% of world emails

This is a critical issue, Extremely critical issue. The problem is 70% of world emails are sent through sendmail.
The enormous number of servers shall give extremely good reason for a cracker to create such codes.

I think if internet community do not take it seriously this flaw can be bigger trouble than Melisa, nimda or code-red.

~Shantanu
http://godisnear.blogspot.com

[Johnny Mnemonic]

Easy there chief

Unless you are running a very old Linux or even
Unix distribution it will not effect your email.
The rest, well it is inevitable that these systems
would be hit, thin the herd.

[thedreaming]

fixes already available

If fixes are already available for this problem, why is this even news? Just make the necessary changes and move on.

[aabcdefghij987654321]

Fixes have to be installed to be useful

That's why it's news. People who use Sendmail need to know there are fixes they'd better have and soon which makes a very good reason for this article.

[Johnny Mnemonic]

Curious

Why is this considered a Linux vulnerability? It
is a sendmail vulnerability much like an MS Exchange
vulnerability is not a Windows vulnerability.
Although, I admit, there is likely a Windows
vulnerability that the former would be taking
advantage of. But, the Windows world does not
translate to Linux or Unix.