_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | / \ /
\___ __|__ /___\ \___
_____________________________________________________
Information Bulletin
Sendmail -d and Sendmail -oE Vulnerabilities
July 14, 1994 1600 PST Number E-31
______________________________________________________________________________
PROBLEM: Vulnerabilities in the UNIX sendmail utility.
PLATFORM: UNIX; many vendor implementations of sendmail.
DAMAGE: Root access may be obtained.
SOLUTION: Retrieve and install your vendor's new implementation of sendmail.
______________________________________________________________________________
______________________________________________________________________________
ASSESSMENT OF VULNERABILITY: A script to exploit the -d vulnerability is
currently being utilized to compromise many systems. The -oE vulnerability is
fairly simple to exploit. Both can only be exploited by local users, and
cannot be utilized remotely to compromise a machine. Both are well known in
the intruder community.
______________________________________________________________________________
Critical Information about Sendmail Vulnerabilities
CIAC has received updated information regarding two vulnerabilities in the
sendmail program when using the -d and -oE options. These bugs cannot be
exploited remotely.
The first vulnerability involves the sendmail debug option "-d" command line
flag. For certain input values an error occurs that allows a local user to
become root. The second vulnerability involves the sendmail error message
header "-oE" option. This vulnerability allows any local interactive user to
read any file on the system.
Both vulnerabilities are present in many vendors' implementations of sendmail,
and the CERT Coordination Center is maintaining a list of which versions of
sendmail do and do not have this problem. The current version of the list is
attached to this bulletin. Future versions of this file can be obtained from
the CERT Coordination Center. Use anonymous FTP to connect to info.cert.org,
and download the file,
/pub/cert_advisories/CA-94:12.README.
A summary of sendmail vendors and their current patch status is supplied
below:
Not vulnerable: Amdahl, Convex OS11.0, Eric Allman sendmail 8.6.8 and 8.6.9.
Patches available: Apple, Berkeley Software Design, Convex 10.x, Data General,
Digital Equipment, Hewlett Packard, IBM, Open Software Foundation, Sun.
Patch in progress: Santa Cruz Operation
______________________________________________________________________________
CIAC thanks the CERT Coordination Center for the information provided in this
bulletin.
______________________________________________________________________________
For additional information or assistance, please contact CIAC:
Voice: 510-422-8193
FAX: 510-423-8002
STU-III: 510-423-2604
E-mail: ciac@llnl.gov
Previous CIAC Bulletins and other information are available via anonymous
FTP from ciac.llnl.gov (IP address 128.115.19.53).
CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical information,
and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
SPI products.
CIAC's mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or
SPI-NOTES for "list-name" and valid information for "LastName" "FirstName" and
"PhoneNumber" when sending
E-mail to ciac-listproc@llnl.gov:
subscribe list-name LastName, FirstName PhoneNumber
e.g., subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36
You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.
______________________________________________________________________________
PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body
containing the line: send first-contacts.
This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government nor the University of California, and shall not
be used for advertising or product endorsement purposes.
______________________________________________________________________________
�
CA-94:12.README
See CA-94:12.README for updated information; this file supersedes
CA-93:16a.README.
Below is information we have received from vendors who have patches available
or upcoming for the vulnerabilities described in this advisory, as well as
vendors who have confirmed that their products are not vulnerable. If your
vendor's name is not in one of these lists, contact the vendor directly for
information on whether their version of sendmail is vulnerable and, if so, the
status of patches to address the vulnerabilities.
---------------------------------------
Eric Allman
Sendmail versions 8.6.8 and 8.6.9 are not vulnerable. The problem with -d was
fixed in sendmail 8.6.7, and -oE was fixed in sendmail 8.6.8. Even if you are
running 8.6.8, you may want to upgrade to 8.6.9 for the additional features.
Version 8.6.9 is available by anonymous FTP from ftp.cs.berkeley.edu in the
directory ucb/sendmail.
MD5 (sendmail.8.6.9.base.tar.Z) = 9bffb19116e7fdbb6ec56ccf9344895b
MD5 (sendmail.8.6.9.cf.tar.Z) = 37ecb776ec61f596d01fbb46bae6e72f
MD5 (sendmail.8.6.9.misc.tar.Z) = e083dbd609bdaf4b46c52f2546b3d1e5
MD5 (sendmail.8.6.9.xdoc.tar.Z) = 0df46586fbe767bf7060068331de7186
---------------------------------------
Amdahl
All versions of UTS 2.1 use smail rather than sendmail and are not vulnerable
to these problems.
---------------------------------------
Apple Computer, Inc.
A patch to version 3.1 of A/UX for these vulnerabilities is available by
anonymous FTP from ftp.support.apple.com or aux.support.apple.com; in each
case, a compressed, replacement version (8.6.4.1) of sendmail is in
pub/aux.patches.
Filename sendmail.Z
BSD checksum 02992 182
SysV checksum 10129 364
MD5 checksum df4ca82f624ee8f4404c5e979e7e3d24
Uncompress this file using compress(1) and replace the previous version
(8.6.4) in /usr/lib; be sure to kill the running sendmail and restart.
Earlier versions of A/UX are not supported by this patch. Users of previous
versions are encouraged by Apple to update their system to A/UX 3.1 or compile
and install the version of sendmail available from ftp.cs.berkeley.edu.
Customers should contact their reseller for any additional information.
---------------------------------------
Berkeley Software Design (BSDI)
Patches to sendmail for these problems in BSD/386 V1.1 are available from BSDI
customer support:
BSDI Customer Support
Berkeley Software Design, Inc.
7759 Delmonico Drive
Colorado Springs, CO 80919
Toll Free: +1 800 ITS BSD8 (+1 800 486 2738)
Phone: +1 719 260 8114
Fax: +1 719 598 4238
Email: support@bsdi.com
---------------------------------------
Convex
ConvexOS 11.0 (the most recent production OS) does not contain the
vulnerabilities.
Convex customers running ConvexOS 10.x should install the CONVEX TAC PATCH
10.3.129, which is the full ConvexOS 11.0 mail system back ported to ConvexOS
10.x.
The 10.3.129 README file is reproduced below:
The following patch information is provided by a member of the
CONVEX TAC. There is no express or implied warranty. The maintenance
of this patch is the responsibility of the installer. The existence of
this patch does not guarantee that the patch or its functionality
will be available in the next release of the product.
PATCH PRODUCT NAME: ConvexOS Mail System
PATCH FOR VERSION NUMBER: 10.3
PATCH MODULE NAME: /usr/lib/sendmail
NEW VERSION NUMBER OF PRODUCT: 10.3.129
RELATED BUG REPORTS: X-33414, X-33531
PATCH INSTALLATION:
Pre-installation precautions:
if from tape:
%tpmount
%installsw -i
NOTE: If installing from tape, you must use a no-rewind tape
device, such as /dev/rmt20 or /dev/rdat0n, /dev/eb0nr, or
/dev/rtc0n.
if from script:
% ./Script.sh
The Convex Technical Assistance Center is available for additional
information at 800-952-0379.
---------------------------------------
Data General Corporation
DG/UX systems are not at risk from the -oE problem.
Patches will be made available for all supported releases of DG/UX for the -d
problem and it will be fixed in future releases of DG/UX starting with DG/UX
5.4 Release 3.10. Affected sites should call their Customer Support Center
for information regarding this patch.
---------------------------------------
Digital Equipment Corporation
[The following information was excerpted from DEC SECURITY ADVISORY #0505.
Please contact DEC for a complete copy of that advisory.]
Products Affected:
ULTRIX Versions 4.3, 4.3A, V4.4
DECnet-ULTRIX Version 4.2
DEC OSF/1 Versions 1.2, 1.3, 1.3A, 2.0
SOLUTION: ULTRIX: Upgrade/Install ULTRIX to an minimum of V4.4 and install the
Security Enhanced Kit
DEC OSF/1: Upgrade/Install to a minimum of V1.2 and install
the Security Enhanced Kit
Please refer to the applicable Release Note information prior to
upgrading your installation.
These kits are available from Digital Equipment Corporation by contacting
your normal Digital support channel or by request via DSNlink for electronic
transfer.
KIT PART NUMBERS and DESCRIPTIONS
CSCPAT_4060 V1.0 ULTRIX V4.3 thru V4.4 (Includes DECnet-ULTRIX V4.2)
CSCPAT_4061 V1.0 DEC OSF/1 V1.2 thru V2.0
_______________________________________________________________
These kits will not install on versions previous to ULTRIX V4.3
or DEC OSF/1 V1.2.
_______________________________________________________________
Digital urges you to periodically review your system management and
security procedures. Digital will continue to review and enhance the
security features of its products and work with customers to maintain
and improve the security and integrity of their systems.
NOTE: For non-contract/non-warranty customers contact your local Digital
support channels for information regarding these kits.
---------------------------------------
Hewlett-Packard
HP/UX does not support the -oE option.
To fix the -d problem, obtain patch PHNE_4533 from Hewlett-Packard. This patch
may be obtained from HP via FTP (this is NOT anonymous FTP) or the HP
SupportLine. To obtain HP security patches, you must first register with the
HP SupportLine. The registration instructions are available by anonymous FTP
from info.cert.org in the file "pub/vendors/hp/supportline_and_patch_retrieval".
---------------------------------------
IBM
A patch for the -d vulnerability can be ordered from IBM as APAR IX44020
(PTF U431041). AIX is not vulnerable to the -oE problem. To order APARs
from IBM in the U.S., call 1-800-237-5511 and ask that it be shipped to
you as soon as it is available. To obtain APARs outside of the U.S.,
contact your local IBM representative.
---------------------------------------
Open Software Foundation (OSF)
For OSF/1 R1.3:
CR11057 describes how to fix the -d option problem in the sources.
OSF/1 is not vulnerable to the -oE problem.
---------------------------------------
The Santa Cruz Operation, Inc. (SCO)
SCO systems are not affected by the -oE problem and a patch for the -d problem
on the following platforms will soon be available:
SCO TCP/IP Release 1.2.0 for SCO XENIX
SCO TCP/IP Release 1.2.1 for SCO UNIX
SCO Open Desktop Release 3.0
SCO Open Desktop Lite Release 3.0
SCO Open Server Network System, Release 3.0
SCO Open Server Enterprise System, Release 3.0
For more information contact SCO at:
Electronic mail: support@sco.COM
The Americas, Pacific Rim, Asia, and Latin America:
6am-5pm Pacific Daylight Time (PDT)
---------------------------------------------------
1-408-425-4726 (voice)
1-408-427-5443 (fax)
Europe, Middle East, Africa: 9am-5:30pm British Daylight Time (BST)
+44 (0)923 816344 (voice)
+44 (0)923 817781 (fax)
---------------------------------------
Sun Microsystems, Inc.
A. Patch list
Sun has produced patches against these vulnerabilities for the versions
of SunOS shown below.
4.1.1 100377-15
4.1.2 100377-15
4.1.3 100377-15
4.1.3_U1 101665-02
5.1_x86 101352-03 (Solaris x86)
5.1 100834-11 (Solaris 2.1)
5.2 100999-59 (Solaris 2.2)
5.3 101318-41 (Solaris 2.3)
B. Patch notes
1. The last security-related patch for 4.1.x sendmail was
distributed as 100377-08 (announced 23 December 1993). Revisions
-09 through -14 were not related to security.
2. The 4.1.1 patch includes a version built for the sun3 architecture.
3. The 4.1.3 version of the patch is also applicable to 4.1.3C systems.
4. The patch listed for 4.1.3_U1 (Solaris 1.1.1) applies to both
the A and B versions. This is currently true for all U1 patches.
5. One of the listed patches (100834-11, for SunOS 5.1) is actually a
jumbo kernel patch into which sendmail was bundled. The other two SunOS
5.x patches, and all of the 4.1.x patches, contain only sendmail fixes.
(Sun bundled all 5.x sendmails into jumbo kernel patches earlier this
year, but later unbundled the 5.3 and 5.2 patches in response to customer
complaints. The 5.1 sendmail will be unbundled as well later this summer.
6. Sun releases new patch versions frequently. For this reason, when
requesting patches you should ask for the specified "or later" version,
e.g., "version 11 or later of patch 100834".
Patches can be obtained from local Sun Answer Centers and Sunsolve.
U.S. users can contact Sun a 800-USA-4SUN. Sun can also be reached by
e-mail at security-alert@sun.com.
---------------------------------------
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
