Department of Homeland Security
National Infrastructure Protection Center
"Remote Sendmail Header Processing Vulnerability"
Common Vulnerabilities and Exposures (CVE) CAN-2002-1337
Advisory 03-004
March 3, 2003
SUMMARY:
The Department of Homeland Security (DHS),
National Infrastructure Protection Center (NIPC) is issuing
this advisory to heighten awareness of the recently discovered
Remote Sendmail Header Processing Vulnerability (CAN-2002-1337).
NIPC has been working closely with the industry on vulnerability
awareness and information dissemination.
The Remote Sendmail Header Processing Vulnerability allows
local and remote users to gain almost complete control
of a vulnerable Sendmail server. Attackers gain the ability
to execute privileged commands using super-user (root)
access/control. This vulnerability can be exploited through
a simple e-mail message containing malicious code. Sendmail
is the most commonly used Mail Transfer Agent and processes
an estimated 50 to 75 percent of all Internet e-mail traffic.
System administrators should be aware that many Sendmail
servers are not typically shielded by perimeter defense
applications. A successful attacker could install malicious
code, run destructive programs and modify or delete files.
Additionally, attackers may gain access to other systems through a compromised
Sendmail server, depending on local configurations. Sendmail
versions 5.2 up to 8.12.8 are known to be vulnerable at
this time.
DESCRIPTION:
The Remote Sendmail Header Processing Vulnerability is exploited
during the processing and evaluation of e-mail header
fields collected during an SMTP transaction. Examples
of these header fields are the "To", "From"
and "CC" lines. The crackaddr() function in
the Sendmail headers.c file allows Sendmail to evaluate
whether a supplied address or list of addresses contained
in the header fields is valid. Sendmail uses a static
buffer to store processed data. It detects when the static
buffer becomes full and stops adding characters. However,
Sendmail continues processing data and several security
checks are used to ensure that characters are parsed correctly.
The vulnerability allows a remote attacker to gain access
to the Sendmail server by sending an e-mail containing
a specially crafted address field which triggers a buffer
overflow.
RECOMMENDATION:
Due to the seriousness of this vulnerability, the NIPC
is strongly recommending that system administrators who
employ Sendmail take this opportunity to review the security
of their Sendmail software and to either upgrade to Sendmail
8.12.8 or apply the appropriate patch for older versions
as soon as possible.
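An added example, not part of the NIPC advisory: a Python triage that reads Sendmail version strings from SMTP greetings or `sendmail -d0.1` output and flags those inside the version range the advisory gives. It assumes 8.12.8 is the fixed release, since the advisory names it as the upgrade target; the host names and banner lines are constructed.

```python
import re

# Range taken from the advisory text. Assumption: 8.12.8 is treated as fixed,
# because the advisory names it as the upgrade target.
FIRST_AFFECTED = (5, 2)
FIXED = (8, 12, 8)

# Version token as it appears in an SMTP greeting ("Sendmail 8.12.6/8.12.6")
# or in `sendmail -d0.1` output ("Version 8.11.6").
_VERSION_RE = re.compile(r"(?:Sendmail|Version)\s+(\d+(?:\.\d+){1,3})", re.I)


def parse_version(text):
    """Return the Sendmail version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def _pad(v, width=4):
    # Pad with zeros so (8, 12) and (8, 12, 8) compare component by component.
    return v + (0,) * (width - len(v))


def classify(text):
    """'review' = inside the advisory's range, 'outside-range', or 'unknown'.

    'review' is not proof of exposure: a vendor patch applied to an older
    release leaves the reported version unchanged, so confirm the patch level.
    'unknown' covers hidden or rewritten banners and needs a manual check.
    """
    v = parse_version(text)
    if v is None:
        return "unknown"
    if _pad(FIRST_AFFECTED) <= _pad(v) < _pad(FIXED):
        return "review"
    return "outside-range"


# Constructed inventory: (host, greeting or version line).
SAMPLE = [
    ("mx1.example.org", "220 mx1.example.org ESMTP Sendmail 8.12.6/8.12.6; Mon, 3 Mar 2003 10:00:00 -0500"),
    ("mx2.example.org", "220 mx2.example.org ESMTP Sendmail 8.12.8/8.12.8; Mon, 3 Mar 2003 10:00:01 -0500"),
    ("legacy.example.org", "Version 8.9.3"),
    ("relay.example.org", "220 relay.example.org ESMTP ready"),
]

if __name__ == "__main__":
    for host, line in SAMPLE:
        print(f"{host:20} {classify(line)}")
```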
Patches for the vulnerability are available from Sendmail,
from ISS who discovered the vulnerability and from vendors
whose applications incorporate Sendmail code, including
IBM, HP, SUN, Apple and SGI. Other vendors will release
patches in the near future.
The primary distribution site for Sendmail is: http://www.sendmail.org
Patches and information are also available from the following
sites:
The ISS Download center http://www.iss.net/download
IBM Corporation http://www.ibm.com/support/us/
Hewlett-Packard, Co. http://www.hp.com
Silicon Graphics Inc. http://www.sgi.com
Apple Computer, Inc. http://www.apple.com/
Sun Microsystems, Inc. http://www.sun.com/service/support/
Common Vulnerabilities and Exposures (CVE) Project http://www.CVE.mitre.org
As always, computer users are advised to keep their anti-virus
and systems software current by checking their vendor's
web sites frequently for new updates and to check for
alerts put out by the DHS/NIPC, CERT/CC, ISS and other
cognizant organizations. The DHS/NIPC encourages recipients
of this advisory to report computer intrusions to their
local FBI office (http://www.fbi.gov/contact/fo/fo.htm)
and other appropriate authorities. Recipients may report
incidents online to http://www.nipc.gov/incident/cirr.htm.
The DHS/NIPC Watch and Warning Unit can be reached at
(202) 323-3204/3205/3206 or nipc.watch@fbi.gov.