TruSecure ALERT - TSA 03-002 - Sendmail Buffer Overflow

Initial Assessment: Important
Date: February 14, 2003  Time: 2000 UTC

Current Assessment: RED HOT
Date: March 3, 2003  Time: 1700 UTC

On February 14th a TruSecure Radar posting indicated that we were aware of a potential vulnerability in Sendmail. Today, a coordinated announcement was made regarding a Sendmail header buffer overflow vulnerability. It is expected that code exploiting this vulnerability is already in circulation and that attacks are likely in the near future.

Most installations of Unix include Sendmail by default and are therefore probably vulnerable. This may impact an organization's infrastructure because many firewalls and content filtering products contain Sendmail. Customers whose firewall proxies mail using Sendmail are advised to implement packet filtering rules that redirect mail through patched or non-Sendmail systems while fixes from their vendors are being propagated.

RISK INDICES:

Current Assessment: RED HOT

Threat: High - The vulnerability allows administrative access on an exploited host. The exploit takes advantage of a fixed-size buffer used to process certain mail header fields (To:, From:, CC:, Resent-From: and related comment fields).

Vulnerability Prevalence: High - Sendmail is installed by default on most Unix systems, and this exploit may impact critical infrastructure devices as well as numerous devices that have no mail function but have Sendmail installed. TruSecure is aware that known malicious coders currently have exploit code to work from. We expect simple exploits in the near term, and more complex exploits, including mail-based worms, shortly thereafter.

Cost: High - This exploit may provide administrative access on vulnerable systems, including infrastructure devices.

MITIGATIONS:

1. Re-route mail from Sendmail devices to already patched servers or non-Sendmail systems while propagating patches.
2. Substitute other Message Transfer Agents for Sendmail in your organization (Postfix, Qmail, Exim, Exchange...).
3. Patch vulnerable systems as quickly as possible. The following vendors have announced patch availability: Mandrake, SuSE, IBM, FreeBSD, OpenBSD, SGI, Red Hat.

NOTES:

1. People using TruSecure Shadow Mail should be safe from this attack downstream.
2. There are reports that Sendmail servers downstream from patched Sendmail systems may be protected from potential attacks.

COMMUNICATION:

Please contact your TruSecure analyst if you have any questions or if you see actual attempts to exploit this vulnerability.

TruSecure Corporation provides information security assurance services, including TruSecure(tm), which significantly reduces the likelihood of participating companies having information security breaches in six areas of risk: Electronic (hacking and related) risk, Malicious Code risk (virus, Trojan, worm and related), Privacy risk, Downtime risk, Physical risk and Human Factors risk. See www.trusecure.com for further information on these services.

DISCLAIMER:

Copyright 2003 TruSecure Corporation. All rights reserved. This Alert is the property of the TruSecure Corporation. It may not be redistributed except within your own company or organization. This Alert is being provided for informational purposes only and is provided "AS IS." The TruSecure Corporation makes no warranties of any kind, express or implied, including, but not limited to, warranties of merchantability, fitness for a particular purpose, non-infringement, and warranties arising out of any course of dealing or course of conduct. Impenetrable security is unattainable in real world environments; the TruSecure Corporation cannot and does not guarantee protection against breaches of security.

IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY KIND, HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE ANY PRIOR OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE TRUSECURE CORPORATION HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
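A screening check that a relay operator could run on incoming mail while patches propagate, flagging the address header fields the Threat section names (To:, From:, CC:, Resent-From: and their comments) when they are oversized or carry malformed comment nesting. This is an added example, not TruSecure's or Sendmail's code; the 1024-byte length threshold, the nesting limit of 4 and the sample messages are assumptions constructed for illustration.

```python
"""Heuristic screen for oversized or malformed address headers.
Added example (not TruSecure's or Sendmail's code); the thresholds
and the sample messages below are assumptions chosen for illustration."""
import email

# Header fields the advisory lists as affected, plus their Resent- variants.
ADDRESS_HEADERS = ("To", "From", "Cc", "Resent-From", "Resent-To", "Resent-Cc")
MAX_FIELD_LEN = 1024    # assumed threshold; tune to local mail volume
MAX_COMMENT_DEPTH = 4   # assumed limit on nested "(...)" comments

def comment_nesting(value):
    """Return (max_depth, unbalanced) for RFC 822 "(...)" comments,
    ignoring parentheses inside quoted strings and backslash escapes."""
    depth = max_depth = 0
    quoted = escaped = False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif not quoted and ch == "(":
            depth += 1
            max_depth = max(max_depth, depth)
        elif not quoted and ch == ")":
            depth -= 1
            if depth < 0:          # closing paren with no matching open
                return max_depth, True
    return max_depth, depth != 0   # leftover depth means an unclosed comment

def suspicious_headers(raw_message):
    """Return a list of (header, reason) for fields worth quarantining."""
    msg = email.message_from_bytes(raw_message)
    findings = []
    for name in ADDRESS_HEADERS:
        for value in msg.get_all(name, []):
            if len(value) > MAX_FIELD_LEN:
                findings.append((name, "length %d" % len(value)))
            depth, unbalanced = comment_nesting(value)
            if unbalanced or depth > MAX_COMMENT_DEPTH:
                reason = "comment nesting depth %d" % depth
                findings.append((name, reason + (", unbalanced" if unbalanced else "")))
    return findings

# Constructed samples: an ordinary message and one with a 2 KB From: comment.
BENIGN = b"From: Alice (Ops) <alice@example.org>\r\nTo: bob@example.org\r\n\r\nbody\r\n"
OVERSIZED = (b"From: <a@example.org> " + b"(" * 8 + b"x" * 2048 + b")" * 8
             + b"\r\nTo: bob@example.org\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, suspicious_headers(sample))
```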