ISS Discovers A Remote Hole In Sendmail

randal writes "A security vulnerability in the Sendmail Mail Transfer Agent (MTA) has been identified by ISS. This bug can give an attacker the ability to gain remote root access to the targeted system. There is no known exploit code of this vulnerability in the wild at this time, but everyone should upgrade immediately. This issue affects all versions since 5.79. Open Source sendmail users can get source for the newest version (8.12.8) as well as patches for 8.9, 8.11, and 8.12 from sendmail.org. Commercial Sendmail customers can find patches at sendmail.com/security. Most major OS vendors will be releasing patches immediately."

Update: 03/03 19:23 GMT by T : Reader Patchlevel points out that Red Hat and OpenBSD have already issued patches.

Update: 03/03 20:45 GMT by T : Reader Claude Meyer links to an update from SuSE, too.

Update: 03/03 22:52 GMT by T : djcatnip points out that Apple has released a software update to patch OpenSSL and Sendmail for Mac OS X 10.2.4, and the Slackware site says they have updated to 8.12.8 as well.
  • by Anonymous Coward on Monday March 03, 2003 @03:24PM (#5425812)
    Let's not forget that just because it's open source doesn't mean it's invulnerable.

    Let's also not forget that it's not only Microsoft that has these problems. I expect everyone who normally bitches and moans at how awful Microsoft security is to bitch and moan just as much because of this sendmail hole.

    Anything less is hypocrisy, but then again, this is Slashdot, where hypocrisy is elevated to an art form.
  • Open Source All (Score:2, Insightful)

    by Anonymous Coward on Monday March 03, 2003 @03:32PM (#5425884)
    Look at how fast open source software can patch security holes! Oh...wait, it's been almost 2 months since this has been discovered.
  • by Wobin ( 94894 ) on Monday March 03, 2003 @03:35PM (#5425915) Homepage
    I haven't seen Microsoft having a patch ready within 24 hours of a vulnerability being announced.
  • Re:So what's new? (Score:3, Insightful)

    by zapfie ( 560589 ) on Monday March 03, 2003 @03:36PM (#5425924)
    Anyone that uses sendmail knows that it will never be bug-free + exploitless.

    Hate to break it to you, but ANY program of medium to large size will never be bug free and exploitless. It's the nature of complicated projects.
  • Re:OpenBSD? (Score:2, Insightful)

    by Anonymous Coward on Monday March 03, 2003 @03:38PM (#5425936)
    Umm...How is it a remote root exploit if it's only listening on localhost?
  • by NickDngr ( 561211 ) on Monday March 03, 2003 @03:40PM (#5425956) Journal
    I haven't seen Microsoft having a patch ready within 24 hours of a vulnerability being announced.

    Apparently you didn't read the article. "Initial vendor notification: 1/13/2003." The vendor was notified a month and a half ago.
  • by MisterFancypants ( 615129 ) on Monday March 03, 2003 @03:40PM (#5425958)
    I haven't seen Microsoft having a patch ready within 24 hours of a vulnerability being announced.

    Then you haven't been looking hard enough. Not that Microsoft always gets fixes out within 24 hours, but neither does OSS. In both camps some bugs are harder to fix and verify than others.

  • Monoculture (Score:3, Insightful)

    by Anonymous Coward on Monday March 03, 2003 @03:51PM (#5426038)

    Now this is the obligatory "monoculture" is bad post.

    Although this post is made somewhat jokingly, it is an important issue. Hopefully this won't become too much of a cliché. (I'm sure LWN will do an article on it. :>)

    Some alternatives can be found on the Google directory [google.com]:

    • http://www.postfix.org/
    • http://www.exim.org/
    • ftp://ftp.uu.net/networking/mail/smail/
    • many more
  • Re:So what's new? (Score:5, Insightful)

    by blakestah ( 91866 ) <blakestah@gmail.com> on Monday March 03, 2003 @03:52PM (#5426046) Homepage
    Hate to break it to you, but ANY program of medium to large size will never be bug free and exploitless.

    Find a bug in qmail that allows an outsider to do so much as change file permissions of a file he should not be allowed to. There has not ever been one, and there is cold hard cash offered.

    Secure code is not impossible. However, if you start with sendmail or BIND and try to achieve security, well, good luck.
  • by lavalyn ( 649886 ) on Monday March 03, 2003 @03:53PM (#5426050) Homepage Journal
    Sendmail was always a good fun program to find remote exploits for, with its configuration file so incredibly cryptic and its architecture inherently unsafe. What other program treats local files like incoming mail? And has a .cf file that looks like raw /dev/random output?
  • Re:Wouldnt this... (Score:2, Insightful)

    by jackmama ( 34455 ) on Monday March 03, 2003 @03:54PM (#5426057)
    No. Sendmail doesn't accept external connections in a default OpenBSD install.
  • by WasterDave ( 20047 ) <davep@z e d k e p.com> on Monday March 03, 2003 @03:57PM (#5426088)
    I use exim. I have used exim, qmail and sendmail and I like exim by far the most. It is:

    * Shit easy to configure.
    * When something does go to custard I can understand the logs.
    * Stable, appears to be secure, yaddah yaddah yaddah.

    Not convinced by the "plug in replacement" nature of it, I also don't know what your sendmail config does so can't comment.

    It's worth a go. Debian's worth a go too.

    Dave
  • Re:reconfig (Score:2, Insightful)

    by andrewm ( 9862 ) <andrewm@netwinder.org> on Monday March 03, 2003 @04:36PM (#5426436) Homepage
    You should never modify the .cf file but rather change the .mc file and generate a new .cf from it.

    m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

    You can nearly always move the .mc file between versions.
  • sigh (Score:3, Insightful)

    by Doktor Memory ( 237313 ) on Monday March 03, 2003 @04:36PM (#5426439) Journal
    Of course, what I meant there was "sendmail to qmail migration checklist". Gee, it's a good thing that with all of the millions of dollars of venture funding that VA-Linux has burned through and thousands of man-months of development time that Malda etc have put into slashcode, they didn't do anything kooky or weird like say giving you the ability to edit your posts, like any circa-1987 Commodore 64 BBS program.
  • by jonadab ( 583620 ) on Monday March 03, 2003 @04:50PM (#5426559) Homepage Journal
    When a server process runs as root, every vulnerability anyone finds
    in it is a root vulnerability. For extra bonus insecurity points,
    write it in a language that doesn't protect you from memory management
    errors, and then have a security philosophy that says, in effect,
    "if the environment isn't exactly what we want it to be, any
    insecurities aren't our fault".

    I've been saying for months that this would happen. It will happen
    again, too. It's high time to retire sendmail and adopt other
    solutions.
  • by Doktor Memory ( 237313 ) on Monday March 03, 2003 @05:13PM (#5426749) Journal
    So what is technically wrong with sendmail?

    Did you fail to notice that this entire article is about yet another remote sendmail root exploit?

    Other things that are wrong with sendmail:

    - Horrible, horrible resource utilization issues. Fork a new copy of the whole goddamn multimegabyte /usr/lib/sendmail for each new delivery. Copy-on-write swap systems save you some here, but this is circa-1979 engineering at its worst.

    - Configuration is a bad joke. The M4 macros are a bandaid slapped on top of a sucking chest wound. The web-based configurators in the commercial sendmails are a gold star slapped on top of the bandaid. Quick: name the four different "MASQUERADE" options supported by sendmail.mc, and explain how they differ and in what situations you would use which combinations of them. Can't do it without referring to the manual? Don't feel bad, neither can I, and I used to manage sendmail for a living [mail.com].

    - Incredibly crappy delivery performance. The hashed queues in recent sendmails have somewhat alleviated this, but qmail, postfix and exim still trounce sendmail for remote delivery speed.

    - No VERP support.

    - Last I checked (circa 8.11), SSL/TLS/ASMTP was a painful joke, requiring an incredibly fragile collection of third-party libraries to even stand a chance of working, which it usually didn't. (Compare to Courier, which includes all of the above out of the box.)

    - Sendmail's monolithic design makes _any_ extensions into a bleeding nightmare. Compare to qmail or postfix, where if you don't like one component (the smtp daemon, the delivery agent, etc etc) it's a snap to swap it with one of your own.

    - Bugs, bugs, bugs, bugs, bugs, bugs, bugs.

    And that's just off the top of my head. Google for "sendmail problems" and see for yourself.
  • by AKnightCowboy ( 608632 ) on Monday March 03, 2003 @05:47PM (#5427081)
    Let's not forget that just because it's open source doesn't mean it's invulnerable.

    I would think that it would be a given nobody is running Sendmail anymore. I guess not. How many times do you need to be kicked in the nuts before you realize that you should avoid something so buggy and complex as Sendmail? If you can't read a god damn config file and understand it without a 500 page O'Reilly book then something is horribly wrong. Switch to Postfix or qmail and sleep better at night. I'd trust my Postfix or a qmail setup anyday over Sendmail for crying out loud.

  • by dmeranda ( 120061 ) on Monday March 03, 2003 @05:52PM (#5427135) Homepage

    Perhaps you haven't actually looked at sendmail since 1983?

    Sendmail certainly does not need to run as root for most of its operations anymore. Read the file "sendmail/SECURITY" in the source code distribution for all the details.

    "One way to minimize the possibility of such problems [root exploits] is to install sendmail without set-user-ID root, which avoids local exploits. This configuration, which is the default starting with 8.12, ..."

    There are of course a few small things that any mail transport agent will need root access for, primarily for opening port 25, local mail delivery, etc. But the basic querying and mail handling operations don't require root, and neither does sendmail require root for that. Plus sendmail has separated the mail transport function from the local mail delivery/submission function too. And furthermore you can write your own custom sendmail filters (milters [milter.org]) as separate processes from sendmail and can run as any user you like. And if you don't require local delivery, there's no reason you can't chroot jail it either.

    It amazes me how often people spout off about their favorite non-sendmail program being ultimately secure and sendmail being ultimately vulnerable to everything. Nothing is that black and white. True sendmail may have a long history, but it has by no means stood still. And furthermore security vulnerabilities are possible in every mail program no matter how much it is evangelized as being "secure".

    If you don't need the power of sendmail (and most people don't) and it intimidates you then fine use what works for you. That's a legitimate functionality decision. But just because there is one buffer overflow bug doesn't mean that the whole of sendmail is junk. It got fixed didn't it? There are many things that sendmail does much better than any other alternative out there, especially for very large and complex sites.

  • by Mandi Walls ( 6721 ) on Monday March 03, 2003 @06:43PM (#5427721) Homepage Journal
    Good god man! As if your $60/year would compensate for the amount of work that would be required to maintain current patchlevels for 6.2.

    There's a reason they've gone to the current configuration, and the future changes in their product line, of requiring more cash and providing longer lifetimes for "professional" releases - maintaining 1200 packages/release is a lot of work. And if you screw something up, or you're late with a package, people bitch.

    Red Hat is a company. Before they released their EOL status, they looked at what their customers are running. Hell, they've got a million points of data in the RHN database to look at. If 6.2 made up a significant amount of customers, I would imagine they would have been more lenient.

    But when the bulk of your customers are running the latest or one-off release, how can you spend time and money supporting elderly releases? We're not talking about just the kernel; we're talking about ALL THE PACKAGES Red Hat puts in their distro. Someone has to sit down and do that. And that takes time away from the bulk of their business - newer releases.

    I certainly hope you find someone who will package patches for you. But if you don't have the time to upgrade, how do you have the time to package everything you're running? I have the same problem with a box I work with. Users don't want downtime, now the box is so far out it needs to be taken off the network.

    Can't blame Red Hat for that. It's not like they have the boundless resources of other companies. Having said that, though, there is no reason why the two dozen or so 6.2 users that are still around couldn't clamor with Red Hat to allow them to post a channel on RHN. They may not let you, but at least they'll know you're out there.

    --mandi

  • by Nonesuch ( 90847 ) on Monday March 03, 2003 @08:23PM (#5428693) Homepage Journal
    From http://www.msnbc.com/news/880094.asp?0cv=CB10:

    THE FLAW WAS ACTUALLY found in late December, but not revealed until today. That gave the Department of Homeland Security time to organize efforts that would protect against possible attacks, said Alan Paller, director of security research firm SANS.
    In other words, it gave the spooks plenty of time to root Sendmail-based mail gateways operated by certain foreign governments, and domestic media organizations, starting with those not in lock-step with the administration on the necessity of war with Iraq.

    $ nslookup -type=mx premier-ministre.gouv.fr
    Server: localhost
    Address: 127.0.0.1

    Non-authoritative answer:
    premier-ministre.gouv.fr preference = 10, mail exchanger = smtpin1.fr.uu.net
    ...

    $ telnet smtpin1.fr.uu.net 25
    Trying 195.129.12.155...
    Connected to smtpin1.fr.uu.net.
    Escape character is '^]'.
    220 ahuumsmtpgw1.ams.ops.eu.uu.net ESMTP Sendmail 8.11.0/8.11.0; Tue, 4 Mar 2003 00:14:23 GMT
    quit
    221 2.0.0 ahuumsmtpgw1.ams.ops.eu.uu.net closing connection
    Connection closed by foreign host.

    $ echo "Merde!" | wall

    Okay, that's probably not the best example.
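A defender's follow-up to the 220 greeting in that transcript, added here and not part of the post: given greetings already collected from your own mail gateways, this classifies each against the 8.12.8 fix version named in the summary. The host names and the non-uu.net banners are constructed; because vendor patches (the Red Hat, OpenBSD and SuSE updates linked above) leave the version string unchanged, anything below 8.12.8 is "verify against the package patch level", never "confirmed vulnerable".

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# First release that closes the hole, per the summary above; every release
# back to 5.79 is affected unless the vendor backported the fix.
FIXED_VERSION = (8, 12, 8)

# The greeting advertises "Sendmail <binary version>/<sendmail.cf version>";
# the two differ when a newer binary runs with an old generated .cf.
BANNER_RE = re.compile(r"Sendmail (\d+(?:\.\d+)*)(?:/(\d+(?:\.\d+)*))?")

# Constructed sample set; the uu.net greeting is the one quoted in the post.
SAMPLE_BANNERS: Dict[str, str] = {
    "uu-gateway": "220 ahuumsmtpgw1.ams.ops.eu.uu.net ESMTP Sendmail 8.11.0/8.11.0; Tue, 4 Mar 2003 00:14:23 GMT",
    "mx1": "220 mx1.example.net ESMTP Sendmail 8.12.8/8.12.8; Tue, 4 Mar 2003 01:00:00 GMT",
    "mx2": "220 mx2.example.net ESMTP Postfix",
    "mx3": "421 mx3.example.net Service not available",
}

@dataclass
class Triage:
    host: str
    binary_version: Optional[Tuple[int, ...]]
    config_version: Optional[Tuple[int, ...]]
    verdict: str  # "fixed", "patch-or-verify", "not-sendmail", "no-greeting"

def parse_version(text: str) -> Tuple[int, ...]:
    # Integer tuples order 8.9.3 < 8.11.6 < 8.12.8; plain strings would not.
    return tuple(int(part) for part in text.split("."))

def triage_banner(host: str, banner: str) -> Triage:
    """Classify one collected greeting. Below FIXED_VERSION the banner alone
    proves nothing: check the package/patch level before escalating."""
    if not banner.startswith("220"):
        return Triage(host, None, None, "no-greeting")
    match = BANNER_RE.search(banner)
    if match is None:
        return Triage(host, None, None, "not-sendmail")  # other MTA, or banner hidden
    binary = parse_version(match.group(1))
    config = parse_version(match.group(2)) if match.group(2) else None
    verdict = "fixed" if binary >= FIXED_VERSION else "patch-or-verify"
    return Triage(host, binary, config, verdict)

def triage_all(banners: Dict[str, str]) -> Dict[str, str]:
    """Host -> verdict for a whole collected set."""
    return {host: triage_banner(host, b).verdict for host, b in banners.items()}
```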

  • Re:from 5.79 (Score:3, Insightful)

    by MrChuck ( 14227 ) on Monday March 03, 2003 @09:32PM (#5429256)
    Umm, might it be that SENDMAIL has learned from the past?

    In 1988, when the Morris worm hit, you could log into many systems as guest. We telnet'd everywhere.

    So if your window (sendmail) is open, someone could walk in, but mostly we had no locks on the doors.

    Since then, sendmail's undergone pretty freaking major rewrites.

    The last remote exploit was 1997, AFAIK. Before postfix came out.

    It offers MORE security in many ways.
    I can use SMTP over SSL (TLS). Ask djb about support in qmail for that qmail patch. I've seen a few good rants from him about using qmail with any patches at all. You must use it unchanged from 1997.

    patch your binary, move on. Just like last summer with SSL and SSH and Apache. Just like every week with Exchange.

  • Re:DJB is an ass. (Score:3, Insightful)

    by lars_stefan_axelsson ( 236283 ) on Tuesday March 04, 2003 @05:17AM (#5431394) Homepage
    DJB is also completely brilliant, which is probably the most significant reason most people have a hard time dealing with him.

    No, that's the only reason people deal with him at all! Myself I choose to ignore him, Wietse Venema is just as smart and a really nice guy to boot.
