_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | / \ /
\___ __|__ /___\ \___
_____________________________________________________
ADVISORY NOTICE
UNIX sendmail Vulnerabilities
November 4, 1993 2300 PST Number E-03
__________________________________________________________________________
PROBLEM: Vulnerabilities have been discovered in the UNIX sendmail
utility.
PLATFORM: All implementations of UNIX sendmail.
DAMAGE: Local and remote users may execute commands and/or gain access
to system files.
SOLUTION: Apply workarounds or install new version of sendmail on ALL
systems running sendmail.
__________________________________________________________________________
Critical Information about UNIX sendmail Vulnerabilities
This advisory supersedes the sendmail information contained in CIAC
Advisory E-01.
CIAC has learned of a set of serious vulnerabilities affecting the UNIX
utility sendmail. These vulnerabilities affect a significant number of
sendmail implementations, permitting unauthorized access to system
commands and files by both local and remote users. In the absence of
specific vendor information, CIAC recommends that all implementations of
sendmail be considered vulnerable to attack.
CIAC is working with the CERT Coordination Center and the vendor community
to address this issue. At this time, there are no known patches available
for any vendor implementation that fully address all known sendmail
vulnerabilities. CIAC will publish information regarding vendor patches as
they become available.
Details of these vulnerabilities have been openly discussed in several
electronic forums, including the Firewalls mailing list and the USENET
newsgroup comp.security.unix. In addition, at least one automated tool
designed to exploit these vulnerabilities has been widely
distributed. Until vendor patches become available, CIAC strongly
recommends that sites apply one of the three possible solutions described
below to all systems running sendmail, including those systems behind
firewalls and mail hubs.
Restrict shell This workaround involves modifying the sendmail
commands configuration file to restrict the sendmail program
mailer facility using the sendmail restricted shell,
smrsh, by Eric Allman (the original author of
sendmail).
The sendmail restricted shell screens all attempts to
execute programs from sendmail, allowing only those
specifically authorized by the system administrator.
Attempts to invoke programs not in the allowed set
will fail and log the attempt.
Programs in the allowed set should be selected
carefully. Mail utilities found in /etc/aliases and
~/.forward files should be considered for inclusion
to prevent mail delivery failures (e.g. vacation,
procmail, and slocal). Note that it is important that
sites not include interpreters (e.g. /bin/sh,
/bin/csh, /bin/perl, /bin/uudecode, and /bin/sed) in
the set of allowed programs, as they may allow system
compromise.
The sendmail restricted shell may be obtained via
anonymous FTP from ftp.uu.net in the directory
/pub/security/smrsh. Consult the program documentation
for installation instructions.
Checksum Information
Filename BSD sum System V sum
-------- ------- ------------
README 30114 5 56478 10
smrsh.8 25757 2 42281 4
smrsh.c 46786 5 65517 9
Disable shell This approach also involves modifying the sendmail
commands configuration. However, this approach completely
disables the sendmail program mailer facility.
Attempts to invoke programs through sendmail will
fail. While this is a drastic solution, it may be
quickly implemented to protect a site while a more
long term approach is installed.
To implement this approach, edit the sendmail.cf
file, replacing the program mailer specification:
Mprog, P=/bin/sh, F=slFDM, S=10, R=20, A=sh -c $u
with:
Mprog, P=/bin/false, F=, S=10, R=20, A=
The configuration file should then be frozen, if
necessary, and the sendmail process restarted. See
the end of this advisory for more details.
Install The most recent version of Eric Allman's public
sendmail 8.6.4 domain sendmail has been updated to eliminate all
known vulnerabilities. Sites may choose to replace
their current implementation of sendmail with version
8.6.4 or later to secure their systems.
Note that depending on the currently installed sendmail
software, switching to sendmail 8.6.4 may potentially
require significant effort for the system administrator
to become familiar with the new program. Considerable
modification of the sendmail configuration may also be
required.
The latest version of sendmail may be obtained via
anonymous FTP from ftp.cs.berkeley.edu in the directory
/ucb/sendmail.
Checksum Information
Filename BSD sum System V sum
------------------------- --------- ------------
sendmail.8.6.4.base.tar.Z 07718 428 64609 856
sendmail.8.6.4.cf.tar.Z 28004 179 42112 357
sendmail.8.6.4.misc.tar.Z 57299 102 8101 203
sendmail.8.6.4.xdoc.tar.Z 33954 251 50037 502
CIAC strongly recommends that sites monitor their systems for signs of
sendmail attacks. System administrators should regularly examine the
following:
- All bounced mail, looking for unusual messages.
- Mail log files (e.g. /var/log/syslog), looking for unusual occurrences
of "|" characters.
To provide this information, sendmail must be configured to bounce mail to
the local postmaster and generate adequate logs. Receipt of bounced mail
is enabled by placing the following line in sendmail.cf:
OPpostmaster
A logging level of 9 or higher should also be specified in the
configuration file with a line similar to the following:
OL9
Whenever any changes are made to the sendmail configuration file, it is
necessary to kill all existing sendmail processes, refreeze the
configuration file (on some systems), and restart the sendmail daemon.
For example, under SunOS 4.1.2:
# /usr/bin/ps -aux | /usr/bin/grep sendmail
root 130 0.0 0.0 168 0 ? IW Oct 2 0:10 /usr/lib/sendmail -bd -q
# /bin/kill -9 130 (Kill the current sendmail process)
# /usr/lib/sendmail -bz (Refreeze the sendmail configuration file)
# /usr/lib/sendmail -bd -q30m (Restart the sendmail daemon)
Note that some sites do not use frozen configuration files. If the file
sendmail.fc does not exist in the same directory as sendmail.cf, frozen
configurations are not being used.
__________________________________________________________________________
CIAC wishes to thank the CERT Coordination Center and members of the FIRST
community for their contributions to this advisory. In addition, CIAC
would like to acknowledge the technical contributions of Eric Allman, Matt
Blaze, Andy Sherman, Gene Spafford, and Tim Seaver.
__________________________________________________________________________
For additional information or assistance, please contact CIAC at
(510) 422-8193 or send E-mail to ciac@llnl.gov. FAX messages to
(510) 423-8002.
Previous CIAC Bulletins and other information are available via anonymous
FTP from irbis.llnl.gov (IP address 128.115.19.60).
PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.
This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
