Companies mobilize to patch Sendmail [Critical Vulnerability]

ZDNet News ^ | March 3, 2003, 12:28 PM PT | Robert Lemos

[Bush2000]

Companies mobilize to patch Sendmail

By Robert Lemos
CNET News.com
March 3, 2003, 12:28 PM PT

A critical vulnerability in Sendmail, the Internet's most popular mail-server application, has security experts and software companies moving quickly on Monday to convince customers to apply a patch. The flaw allows an attacker to send a specially formatted e-mail that could take control of a mail server running Sendmail and execute a malicious program. At present, no attack tool that could exploit the vulnerability is known to exist, said Greg Olson, chairman and co-founder of Sendmail, the company that has created a commercial version of the software.

"You have to understand that this is a very arcane security issue," he said. "It has been present in Sendmail code for 15 years and that code has been through multiple inspections."

The flaw--ironically in a Sendmail security function--occurs when the mail program parses an overlong header. The vulnerability was first found in December by security software firm Internet Security Systems. The company notified Sendmail and the National Infrastructure Protection Center, a joint computer crime and security task force, on Jan. 13.

"This vulnerability is especially dangerous because the exploit can be delivered within an e-mail message and the attacker doesn't need any specific knowledge of the target to launch a successful attack," stated an ISS advisory released Monday.

Because the vulnerability is contained in an e-mail message, it will bypass firewalls and many intrusion detection systems, said Dan Ingsvaldson, team leader for ISS's vulnerability research group. Moreover, mail servers--also called mail transport agents (MTAs)--that aren't vulnerable will still forward the flaw-exploiting e-mail message onto its destination.

"The only dependency is that the domain needs to accept e-mail," Ingevaldson said.

The flaw is unrelated to a November break-in at the Sendmail Consortium's Web site.

Several companies, including Red Hat, IBM, SGI, Sun and Hewlett-Packard, released patches Monday. The Sendmail Consortium, the group responsible for development of the open-source Sendmail code, released Sendmail 8.12.8, an updated program that fixes the flaw.

"The key here is to get the word out and get it fixed before hackers get an exploit," said Sendmail's Olson. "You need to contact a lot of people and make sure they understand this is important and apply the patch."

[Bush2000]

Obviously, the "millions of eyes makes better code" theory is in need of a patch...

[Odyssey-x]

Sendmail is a big mess. The configuration is horrible and the speed isn't that great. It's just "The Standard". They haven't even done a major re-write like they did with Bind. I switched all my mail servers over to Postfix which is far easier to understand and has very good performance.

[Tunehead54]

Hopefully some hexhead will show up and 'splain why Micro$oft and every other software company hasn't come up with a subroutine to parse incoming headers. 99% of the exploits seem to be in this area. Can't they come up with a bullet-proof SR? And can't they check ALL header Srs to ensure they're protected? < /Rant>

---

[isthisnickcool]

Outage hits Microsoft's bCentral

A glitch knocked Microsoft's bCentral services offline Friday, leaving thousands of small-business Web sites inaccessible for much of the day.... Story here!

Apple/Microsoft case may provide ammo for Linux maker

Lindows.com Inc. has raised the ire and the litigation of Microsoft Corp. with its Windows-like name. While the companies continue to wrangle over trade dress issues, Lindows.com has secured a court order to force Microsoft to produce more than 300 boxes of evidence....Story Here!

Real-time waits for no one, not even Microsoft
If ever there was an example of making it up as you go along it's Microsoft's vision. No, excuse me, strategy. No, then again it's more of a direction on real-time collaboration (RTC)....Story here!

[Question_Assumptions]

Obviously, the "millions of eyes makes better code" theory is in need of a patch...

It was found after 15 years and is being fixed without ever being exploited. Where is the problem?

[TechJunkYard]

The vulnerability was first found in December by security software firm Internet Security Systems. The company notified Sendmail and the National Infrastructure Protection Center

Obviously, the "millions of eyes makes better code" theory is in need of a patch...

What are you whining about? The process worked. The flaw was found by someone other than the developers, it's been fixed and the fix is available.

You NBMers simply don't "get it" do ya?

[tortoise]

Not many people use Sendmail any more. There are plenty of vastly more bulletproof and easier to use alternatives. MTAs like qmail are quite famous for their security and lack of bugs. Sendmail has been a turd forever, and was already on its way out, replaced by better software.

[dwollmann]

Who found the hole? One of those millions (probably more like tens of thousands) of pairs of eyes. Who can verify the quality of the patched code? Anyone who can read. If you don't think anyone's reading the patch(es) then you haven't spent much time reading Usenet or various mailing lists (especially the OpenBSD lists). Lame patches draw flames.

Nevertheless, I prefer postfix or qmail, both are easier to learn and maintain, at least for me, and have better security track records.

[Tunehead54]

It was found after 15 years and is being fixed without ever being exploited. Where is the problem?

---

Buffer overun exploits are reported daily - if M$ and others were serious they'd FIX the problem - with millions of PCs to patch the $$$ wasted is immeasurable.

Also be aware that M$ is content to disable legions of functions - without notice - to effect a patch - including denying you the "right" to receive an executable file in your email - that's not a patch its "crippleware"

Here's an MS buffer alert - you wade through it.

-----BEGIN PGP SIGNED MESSAGE-----

- -------------------------------------------------------------------

Title: Unchecked Buffer in Windows Redirector Could
Allow Privilege Elevation (810577)
Date: 05 February 2003
Software: Microsoft Windows XP
Impact: Privilege elevation
Max Risk: Important
Bulletin: MS03-005

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/ms03-005.asp
http://www.microsoft.com/security/security_bulletins/ms03-005.asp
-

-------------------------------------------------------------------

Issue:
======

The Windows Redirector is used by a Windows client to access files, whether local or remote, regardless of the underlying network protocols in use. For example, the "Add a Network Place" Wizard or the NET USE command can be used to map a network share as a local drive, and the Windows Redirector will handle the routing of information to and from the network share.

A security vulnerability exists in the implementation of the Windows Redirector on Windows XP because an unchecked buffer is used to receive parameter information. By providing malformed data to the Windows Redirector, an attacker could cause the system to fail, or if the data was crafted in a particular way, could run code of the attacker's choice.

Mitigating Factors:
====================

- An attacker would require the ability to log onto the system interactively in order to run programs that use the Windows Redirector. This vulnerability cannot be exploited remotely. - Windows XP systems that are not shared between users would not be at risk.

Risk Rating:
============
- Windows XP: Important

Patch Availability:
===================

- A patch is available to fix this vulnerability. Please read the Security Bulletins at

http://www.microsoft.com/technet/security/bulletin/ms03-005.asp

http://www.microsoft.com/security/security_bulletins/ms03-005.asp

for information on obtaining this patch.

Acknowledgment: =============== - NSFocus (http://www.nsfocus.com)

Home User Security Notification Service
=======================================

Microsoft is now offering the Microsoft Security Update, a security bulletin notification service for home users. To learn more about this service, please go to:

http://www.microsoft.com/security/security_bulletins/decision.asp

-------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPkFkK40ZSRQxA/UrAQHveggArplVZ+xJOiBNEztCmEu3mQNk2Yt8bX6A 4Ua76YSaBOQgl2ukzlX8vFhcBBLzcEbAay0AYkLlxl05UrPXNdOSdS8j/qYp+8zP GTfJpZ95VoWZi6mlL/AEKWYRaWpLLXiFnn/PT+ORobWOuHeLQ4A0NHfQq3EAPVIV oIjJrluSpmSIKSvhcGtYEmGhHBggS9fVYb1TtNPs3RCAMuiSivxXSnVmALUsobkC RMsjQllfUy5VxlPLYtMQ4DkVYu+OHnLQ/k6+OyG8qpR9/6I4pO+rtqyfVsu1YBXn 5dVDdhZCl1uGIw0Y2JXFqntj+ExZp7vd9amQM9sYMMDEE17quvQKwQ== =aCRC -----END PGP SIGNATURE-----

*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp

If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described below: Reply to this message with the word UNSUBSCRIBE in the Subject line.

For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.

---

I doubt you've read all this - some is standardized but even after visiting the patch site you will be uncertain what the patch will actually do - disable all script files, executables? Who know they don't tell you and you don't know til a client complains! < /rant >

[Nick Danger]

Obviously, the "millions of eyes makes better code" theory is in need of a patch...

See, this is why people think you're a twit. The implication of your comment is that human beings are not error-free machines. Is that supposed to be news? Do you know where to go to get this "patch" that will make humans free from error? Do you know any supplier -- of anything, anywhere -- that has perfect humans working for them?

I didn't think so. You just saw an opportunity to throw a gratuitious spear, so you threw it. Do they pay you to do this?

[Doohickey]

I read the whole thing. Was it difficult for you to understand?

HINT: The original post was about Sendmail, not Windows XP.

[Bush2000]

No, Nick, wrong. The implication is that the "million eyes make for better code" theory is bunk. The quality of open source and closed source code is comparable.

[Bush2000]

What do you expect from a guy that spells "MS" as "M$"? It's so 90's...

[Doohickey]

Damn those bastards anyway for daring to sell software for a profit.

[dwollmann]

I'm not familiar with "million eyes make for better code," but I have read "With enough eyeballs, all bugs are shallow." The "eyeballs" credo speaks to the effect that open source code has on the ongoing process of improving the quality of programs. The implication is that anyone can read the source, test and verify the code, and report or submit fixes for errors they find.

ISS found a hole by examing the source code and reported it to the sendmail developers. How does this invalidate the "eyeballs" assertion?

[Bush2000]

The implication is that anyone can read the source, test and verify the code, and report or submit fixes for errors they find. ISS found a hole by examing the source code and reported it to the sendmail developers. How does this invalidate the "eyeballs" assertion?

This bug has existed for 15 years. The same code has undergone multiple code reviews. The fact that more eyeballs were looking at it had little bearing on the quality (or lack of quality) of the code.

[js1138]

It was found after 15 years and is being fixed without ever being exploited. Where is the problem?

Proof that no one is seriously trying to hack it.

[Bush2000]

Proof that no one is seriously trying to hack it

Why would the *nix crowd try to hack it? They're too busy creating Nimda and Slammer ...

[dark_lord]

There are two other things to consider here.

(1) The mail configuration file (sendmail.mc) permits the mail administrator to direct the sendmail server not to process headers greater than a certain length. The specific command is: define(`confMAX_HEADERS_LENGTH',somenumericvaluehere)dnl. Which most sendmail administrators do set. I can't tell from reading the CERT advisory whether this would foil the buffer overflow, but if the server only reads up to somenumericvalue then it may well be immune to this weakness.

(2) The software security companies today are out of business unless there are a lot of virus, worms, and other hacks out there. And unless there are identified "weaknesses" in software - like this one. Boil it down and what do you get? A potential weakness that has apparently never been exploited, in a free software mail system. Sendmail is the worlds biggest kludge anyway. Security by obscurity could be illustrated by pointing to this package.