ISS Discovers A Remote Hole In Sendmail
randal writes "A security vulnerability in the Sendmail Mail Transfer Agent (MTA) has
been identified by ISS. This bug can
give an attacker the ability to gain remote root access to the
targeted system. There is no known exploit code of this vulnerability in
the wild at this time, but everyone should upgrade immediately. This
issue affects all versions since 5.79. Open Source sendmail users can
get source for the newest version (8.12.8) as well as patches for 8.9,
8.11, and 8.12 from
sendmail.org.
Commercial Sendmail customers can find patches at
sendmail.com/security.
Most major OS vendors will be releasing patches immediately." Update: 03/03 19:23 GMT by T : Reader Patchlevel points out that RedHat and OpenBSD have already issued patches. Update: 03/03 20:45 GMT by T : Reader Claude Meyer links to an update from SuSE, too. Update: 03/03 22:52 GMT by T : djcatnip points out that Apple has released a software update to patch OpenSSL and Sendmail for Mac OS X 10.2.4, and the Slackware site says they have updated to 8.12.8 as well.
RedHat Network Rules (Score:5, Interesting)
OpenBSD? (Score:2, Interesting)
Not bad once you think about it.
- Eric
Re:Cross Upgrade to QMail (Score:5, Interesting)
I can't set up per-user mail filtering with different tools (some of my users like maildrop, some still have working procmailrc recipes that they don't want to ever have to touch again, and that means not converting to maildrop), the MySQL backend is shitty and doesn't support per-user procmailrc files anyway (for vhosting setups, which is the only place it's really useful).
qmail really is the shit. It's a bit more finicky to install, yes, but the documentation for installation is good, and I've never had to touch a running qmail server except for the rare occasion when it ran out of disk space. qmail is very much a 'set-up and forget' technology; I have qmail servers that I haven't needed to patch for ANY sort of exploits for years.
Postfix is only slightly more flexible in some ways (for example, the MySQL backend) but those ways aren't difficult to integrate into qmail; it's just that nobody's bothered to do it yet. Also, djb's daemontools suite makes running Courier bearable.
Running Mail As Root Long Considered Harmful (Score:5, Interesting)
Leave aside the issues of whether it's safe to run a massive program written in C with annually discovered buffer overflow exploits, or the usual sendmail-basher fun about the need for Turing-machine-complete config files. If you don't want to get rooted, don't run stuff as root. Bad enough that it's possible to get rooted by non-privileged processes that leave trojans around where root can be tricked into running them, or use non-root processes to read files that maybe they shouldn't be reading (e.g. tricking a group-mail MTA into reading people's mailboxes.)
Re:ISS? (Score:2, Interesting)
Note the directory.. `mktg'. Sounds like marketing to me.
Re:Running Mail As Root Long Considered Harmful (Score:5, Interesting)
Why not take the SecureOS approach, and run the SMTP listener in a restricted capabilities role, where all your SMTPd can do is "accept()" TCP sessions on port 25, request DNS lookups, and queue messages to disk?
Most of my machines are on a non-capability-enabled OS, so I run qmail-smtpd in a chroot environment as a non-root UID. I've tried to take the same approach with Sendmail, but it requires considerably more effort and more system resources (launching new 'sendmail' instances from tcpserver is one culprit).
Re:Cross Upgrade to QMail (Score:3, Interesting)
QMail is fine for a four- or five-user machine, but the installations who currently require Sendmail's power for their mail service needs would likely be happier with Postfix [postfix.org]. It's far more powerful than QMail, while still being easy to set up and use.
My 40000-user qmail servers are running very well. Never been down once in 6 months and currently serving 100k messages a day. And that's on only two mail servers. So what is so technically wrong with qmail?
Re:Cross Upgrade to QMail (Score:5, Interesting)
from 5.79 (Score:1, Interesting)
Anyone else notice this from the ISS advisory:
One thing that all the sendmail nay-sayers should keep in mind is that all the more recent SMTP mailers came after sendmail.
They were able to learn from the mistakes of the past. It's very easy to beat down, but sendmail has to carry a lot of backwards compatibility. It's all very well to say "go to such-and-such mailer", but for many organizations who've been running sendmail for years (decades?) the issue may not be so clear cut. (This is not to say that the critics are wrong, just to keep things in perspective.)
To tell you how old this is, do a search for "sendmail +5.79 +release" in Google.Groups: you'll get a 1992-05-29 message about the release of Sendmail 5.67, asking about whether it's a part of 4.4BSD (not [Free|Net|Open]BSD).
None of the other mailers have had a decades-long history (whether that history be good or bad).
Re:Cross Upgrade to QMail (Score:3, Interesting)
Sendmail is version 8.12.8, released last month. qmail is version 1.03, and has been for well over four YEARS.
What's technically wrong with sendmail? Apparently, a whole BUNCH of stuff.
Re:Cross Upgrade to QMail (Score:3, Interesting)
This is not necessarily true [cr.yp.to]. Qmail has officially supported tools to make it look indistinguishable from sendmail for 90% of all users. (e.g. support ".forward" files and
Qmail is not Free Software
This is true. Personally I think it's idiotic to consider that to be a "moral" issue, but whatever: assess your needs and choose the appropriate tool.
Wietse Venema is a better human being (aka not a hypocrite like djb). For those reasons, I will never use qmail, and I advise all others to not use qmail.
This is stupid.
Eric Allman is a nicer guy than Wietse and Dan put together. Hell, probably nicer than the product of Dan's congeniality to the power of Wietse's social skills. I've hung out with him at Usenix conferences, and if I lived in the same area I'd probably invite him to parties.
I still wouldn't run sendmail on a bet.
DJB is an abrasive asshole. I've called him a sociopath directly on at least one occasion. I wouldn't want to be trapped at a cocktail party with him, and if I had a daughter I wouldn't want him to date her.
I still ran qmail at companies that I had actual money invested in, because the code is that good.
Cutting off your nose to spite your face is stupid when you're the person who'll get called at 3 in the morning when your box gets rooted. Pick software based on quality and utility, not personality.
(I'd call qmail and postfix about equally matched for quality, so it comes down to a question of features and style preference for me.)
Re:Cross Upgrade to QMail (Score:3, Interesting)
I should have been more clear. Postfix and qmail are (as you note) basically equivalent (there are edge cases where one is significantly better). Thus, when deciding which to use, I consider (among other things) which one I'd rather give the satisfaction of having his software be used. That person is Wietse.
Department of Homeland Security? (Score:5, Interesting)
The flaw was actually found in late December, but not revealed until today. That gave the Department of Homeland Security time to organize efforts that would protect against possible attacks, said Alan Paller, director of security research firm SANS.
[...]
Paller also said the Department of Homeland Security has become more proactive in dealing with critical software flaws that might impact national security or the critical functions of the Internet. "The government got involved in Code Red not when the vendor announced the vulnerability, but when the worm hit. That's the wrong time for the government to get involved," he said. "The right time is now, and to use the bully pulpit so a larger percentage of machines get the fix."
Does the open-source world really need the assistance or oversight of the Department of Homeland Security? That's just sort of... creepy.
An up2date server clone... (Score:3, Interesting)
...is under development here [tigris.org].
Re:Since no one else will say it... (Score:3, Interesting)
Microsoft hasn't always been good about doing this, though, and has sometimes relied upon security via obscurity. But every single mass vulnerability exploited in the past year (especially things like Slammer) has made use of holes that were patched months or even YEARS ago. Pitiful admins are the ones to blame in these instances, not MS.
Re:Since no one else will say it... (Score:2, Interesting)
Specifics on the exploit? (Score:3, Interesting)
others as well."
Sounds to me like they only tested on x86, and assume that it's exploitable on other platforms (a reasonable assumption, but an assumption nonetheless). I run one of the "others" and want to know if my installation is vulnerable, since it is a significant effort to build, test and install an upgrade so quickly. Furthermore, I want to know if the update removes the vulnerability. It is not possible for me to do any of this without sample exploit code, or a utility to scan/test for it.
Can anyone provide me with information about this? Posters to Bugtraq have been reluctant to provide this information, but I require it.