[GTER] Fwd: CERT Advisory CA-2003-25 Buffer Overflow in Sendmail

Luiz Eduardo Roncato Cordeiro cordeiro at nic.br
Thu Sep 18 11:46:14 -03 2003

----------  Forwarded Message from CERT Coordination Center <CERT Coordination Center <cert at cert.org>>  ----------

Subject: CERT Advisory CA-2003-25 Buffer Overflow in Sendmail
Date: Thursday 18 September 2003 11:36
From: CERT Coordination Center <cert at cert.org>


CERT Advisory CA-2003-25 Buffer Overflow in Sendmail

   Original issue date: September 18, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

     * Systems  running  open-source  sendmail versions prior to 8.12.10,
       including UNIX and Linux systems

     * Commercial   releases   of  sendmail  including  Sendmail  Switch,
       Sendmail Advanced Message Server (SAMS), and Sendmail for NT


   A  vulnerability  in sendmail could allow a remote attacker to execute
   arbitrary  code  with the privileges of the sendmail daemon, typically

I. Description

   Sendmail is a widely deployed mail transfer agent (MTA). Many UNIX and
   Linux  systems  provide  a sendmail implementation that is enabled and
   running  by  default. Sendmail contains a vulnerability in its address
   parsing  code.  An  error  in  the  prescan()  function could allow an
   attacker  to  write  past  the  end  of  a  buffer,  corrupting memory
   structures.  Depending  on platform and operating system architecture,
   the  attacker  may  be able to execute arbitrary code with a specially
   crafted email message.

   This vulnerability is different than the one described in CA-2003-12.

   The   email   attack   vector   is   message-oriented  as  opposed  to
   connection-oriented. This means that the vulnerability is triggered by
   the  contents  of  a  specially  crafted  email message rather than by
   lower-level  network  traffic.  This  is important because an MTA that
   does  not  contain  the  vulnerability  may pass the malicious message
   along  to  other  MTAs  that may be protected at the network level. In
   other  words, vulnerable sendmail servers on the interior of a network
   are  still  at risk, even if the site's border MTA uses software other
   than sendmail. Also, messages capable of exploiting this vulnerability
   may pass undetected through packet filters or firewalls.

   Further  information is available in VU#784980. Common Vulnerabilities
   and Exposures (CVE) refers to this issue as CAN-2003-0694.

II. Impact

   Depending  on  platform  and  operating  system architecture, a remote
   attacker  could  execute  arbitrary  code  with  the privileges of the
   sendmail   daemon.  Unless  the  RunAsUser  option  is  set,  Sendmail
   typically runs as root.

III. Solution

Upgrade or apply a patch

   This  vulnerability is resolved in Sendmail 8.12.10. Sendmail has also
   released a patch that can be applied to Sendmail 8.9.x through 8.12.9.
   Information  about specific vendors is available in Appendix A. and in
   the Systems Affected section of VU#784980.

   Sendmail  8.12.10  is  designed to correct malformed messages that are
   transferred  by  the server. This should help protect other vulnerable
   sendmail servers.

Enable the RunAsUser option

   While  there  is  no  known  complete workaround, consider setting the
   RunAsUser  option  to  reduce  the impact of this vulnerability. It is
   typically  considered  to  be  a  good  security practice to limit the
   privileges of applications and services whenever possible.

Appendix A. Vendor Information

   This  appendix  contains information provided by vendors. When vendors
   report  new  information, this section is updated, and the changes are
   noted  in  the  revision  history. If a vendor is not listed below, we
   have  not  received their direct statement. Further vendor information
   is available in the Systems Affected section of VU#784980.


     The  sendmail  and  sendmail-wide  packages  are vulnerable to this
     issue.  Updated  packages  are being prepared and will be available

F5 Networks

     BIG-IP and 3-DNS products are not vulnerable.


     The  AIX  Security  Team  is  aware of the issues discussed in CERT
     Vulnerability Note VU#784980.

     The following APARs will be released to address this issue:

      APAR number for AIX 4.3.3: IY48659 (available approx. 10/03/03)
      APAR number for AIX 5.1.0: IY48658 (available approx. 10/15/03)
      APAR number for AIX 5.2.0: IY48657 (available approx. 10/29/03)

     An  e-fix  will  be  available shortly. The e-fix will be available


     This  vendor  statement  will  be  updated  when  the e-fix becomes


     This  is  a  sendmail-specific issue that does not affect any Lotus

Network Appliance

     NetApp products are not vulnerable to this problem.


     NetBSD-current  ships  with sendmail 8.12.9 since June 1, 2003. The
     patch  was  applied  on  September  17, 2003. In the near future we
     would upgrade to sendmail 8.12.10.

     Our  official  releases,  such  as  NetBSD 1.6.1, are also affected
     (they ship with older version of sendmail). They will be patched as
     soon  as  possible. We would issue NetBSD Security Advisory on this

Openwall GNU/*/Linux

     Openwall  GNU/*/Linux  is  not  vulnerable.  We  ship  Postfix, not

Red Hat

     Red  Hat  Linux  and  Red Hat Enterprise Linux ship with a Sendmail
     package  vulnerable  to these issues. Updated Sendmail packages are
     available  along  with our advisory at the URLs below. Users of the
     Red Hat Network can update their systems using the 'up2date' tool.

     Red Hat Linux:


     Red Hat Enterprise Linux:


The Sendmail Consortium

     The  Sendmail  Consortium  recommends that sites upgrade to 8.12.10
     whenever  possible.  Alternatively,  patches are available for 8.9,
     8.10, 8.11, and 8.12 on http://www.sendmail.org/.

Sendmail Inc.

     All   commercial   releases  including  Sendmail  Switch,  Sendmail
     Advanced  Message  Server (which includes the Sendmail Switch MTA),
     Sendmail for NT, and Sendmail Pro are affected by this issue. Patch
     information is available at http://www.sendmail.com/security/.


     Sun  acknowledges  that  our  recent release of sendmail 8.12.10 is
     affected by this issue on Solaris releases S7, S8 and S9.

     A Sun Alert for this issue will be isuued very soon which will then
     be available from:


     There  are no patches available at this time. The Sun Alert will be
     updated  with the patch information as it becomes available. Please
     refer to the Sun Alert when available, for more information.


     SuSE  products shipping sendmail are affected. Update packages that
     fix  the  vulnerability  are  being  prepared and will be published

Appendix B. References

     * CERT/CC Vulnerability Note VU#784980 -
     * Michal Zalewski's post to BugTraq -
     * Sendmail 8.12.10 - <http://www.sendmail.org/8.12.10.html>
     * Sendmail patch for 8.12.9 -
     * Sendmail 8.12.10 announcement -
     * Sendmail Secure Install -

   This  vulnerability was discovered by Michal Zalewski. Thanks to Claus
   Assmann  and  Eric Allman of Sendmail for their help in preparing this

   Feedback can be directed to the author, Art Manion.

   This document is available from:

CERT/CC Contact Information

   Email: cert at cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from


   If  you  prefer  to  use  DES,  please  call the CERT hotline for more

Getting security information

   CERT  publications  and  other security information are available from
   our web site


   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo at cert.org. Please include in the body of your

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

Revision History

   September 18, 2003: Initial release

Version: PGP 6.5.8



More information about the gter mailing list