More Headaches for Sendmail
A remotely exploitable vulnerability in the open source message transfer agent leaves the Sendmail organization scrambling over the weekend to prevent attacks on unpatched servers.
The Sendmail Consortium, which manages deployment of the world's most popular message transfer agent (MTA) to handle email, was left scrambling over the weekend to fix a remotely exploitable vulnerability that could allow an attacker to gain control of a unpatched sendmail server.
The vulnerability, discovered by Michal Zalewski, occurs because address parsing code in sendmail does not adequately check the length of email addresses. An email message with a specially crafted address could trigger a stack overflow. As a result, the vulnerability can be exploited to cause a denial-of-service condition and could allow a remote attacker to execute arbitrary code with the privileges of the sendmail daemon, typically root, according to a CERT advisory issued over the weekend.
"Most organizations have a variety of mail transfer agents (MTAs) at various locations within their network, with at least one exposed to the Internet. Since sendmail is the most popular MTA, most medium-sized to large organizations are likely to have at least one vulnerable sendmail server. In addition, many UNIX and Linux workstations provide a sendmail implementation that is enabled and running by default," CERT warned in its advisory.
Just on March 3, Sendmail posted a different patch to plug a "critical security problem" in header parsing.
And although the latest patch is just as critical, the disorganized manner in which the security warning was released left a bad taste in the mouths of many network administrators.
According to a discussion on Slashdot, somebody apparently jumped the gun by issuing the warning. As a result, Sendmail was left scrambling to get word out over the weekend, leaving the chance that many systems were left undefended and exposed to a vulnerability that crackers could exploit if they wanted to.
"We apologize for releasing this information today (2003-03-29) but we were forced to do so by an e-mail on a public mailing list which contains information about the security flaw," Sendmail said in its posting. The patch can be found here.
Still, some admins had had enough.
"Sendmail: The IIS of Open Source," one poster said on Slashdot, referring to the problem-plagued Microsoft web serving software. "This is the straw that breaks the camel's back. I'm changing to another MTA."