IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

NIPC Seal National Infrastructure Protection Center
NIPC Seal CyberNotes

Department of Homeland Security

National Infrastructure Protection Center
"Remote Sendmail Header Processing Vulnerability"
Common Vulnerabilities and Exposures (CVE) CAN-2002-1337
Advisory 03-004

March 3, 2003

The Department of Homeland Security (DHS), National Infrastructure Protection Center (NIPC) is issuing this advisory to heighten awareness of the recently discovered Remote Sendmail Header Processing Vulnerability (CAN-2002-1337). NIPC has been working closely with the industry on vulnerability awareness and information dissemination.

The Remote Sendmail Header Processing Vulnerability allows local and remote users to gain almost complete control of a vulnerable Sendmail server. Attackers gain the ability to execute privileged commands using super-user (root) access/control. This vulnerability can be exploited through a simple e-mail message containing malicious code. Sendmail is the most commonly used Mail Transfer Agent and processes an estimated 50 to 75 percent of all Internet e-mail traffic. System administrators should be aware that many Sendmail servers are not typically shielded by perimeter defense applications. A successful attacker could install malicious code, run destructive programs and modify or delete files.

Additionally, attackers may gain access to other systems thru a compromised Sendmail server, depending on local configurations. Sendmail versions 5.2 up to 8.12.8 are known to be vulnerable at this time.

The Remote Sendmail Header Processing Vulnerability is exploited during the processing and evaluation of e-mail header fields collected during an SMTP transaction. Examples of these header fields are the "To", "From" and "CC" lines. The crackaddr() function in the Sendmail headers.c file allows Sendmail to evaluate whether a supplied address or list of addresses contained in the header fields is valid. Sendmail uses a static buffer to store processed data. It detects when the static buffer becomes full and stops adding characters. However, Sendmail continues processing data and several security checks are used to ensure that characters are parsed correctly. The vulnerability allows a remote attacker to gain access to the Sendmail server by sending an e-mail containing a specially crafted address field which triggers a buffer overflow.

Due to the seriousness of this vulnerability, the NIPC is strongly recommending that system administrators who employ Sendmail take this opportunity to review the security of their Sendmail software and to either upgrade to Sendmail 8.12.8 or apply the appropriate patch for older versions as soon as possible.

Patches for the vulnerability are available from Sendmail, from ISS who discovered the vulnerability and from vendors whose applications incorporate Sendmail code, including IBM, HP, SUN, Apple and SGI. Other vendors will release patches in the near future.

The primary distribution site for Sendmail is: http://www.sendmail.org

Patches and information are also available from the following sites:

The ISS Download center        http://www.iss.net/download
IBM Corporation                     http://www.ibm.com/support/us/
Hewlett-Packard , Co.             http://www.hp.com
Silicon Graphics Inc.               http://www.sgi.com
Apple Computer, Inc.              http://www.apple.com/
Sun Microsystems, Inc.          http://www.sun.com/service/support/
Common Vulnerabilities and Exposure (CVE) Project     http://www.CVE.mitre.org

As always, computer users are advised to keep their anti-virus and systems software current by checking their vendor's web sites frequently for new updates and to check for alerts put out by the DHS/NIPC, CERT/CC, ISS and other cognizant organizations. The DHS/NIPC encourages recipients of this advisory to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) and other appropriate authorities. Recipients may report incidents online to http://www.nipc.gov/incident/cirr.htm. The DHS/NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov.