NASIRC BULLETIN # 94-07                                   March 15, 1994

Security Vulnerability in Sendmail (8.6.6 or older)

===========================================================
        NASA Automated Systems Incident Response Capability
===========================================================

NASIRC recently received notification of a new security vulnerability
in all versions of sendmail 8.x prior to the current release (8.6.7),
as well as several vendors' versions of sendmail. This problem does
NOT appear in IDA sendmail.

THE PROBLEM:

According to the sendmail author, users could gain unauthorized root
access by using certain unique values for the "-d" flag.

FIXING THE PROBLEM:

NASIRC strongly recommends that you install version 8.6.7 of sendmail
immediately. The new sendmail package (binaries, config files, and
instructions) is available via Anonymous FTP from nasirc.nasa.gov as
listed below:

  -- For SunOS 4.1.3, look in /toolkits/UNIX/Sendmail/Sun_4_1_3
  -- For Irix 4.0.x, look in /toolkits/UNIX/Sendmail/Irix_4_0_x
  -- For Solaris 2.x, look in /toolkits/UNIX/Sendmail/Solaris_2_x
  -- For Ultrix 4.x, look in /toolkits/DEC/Ultrix_4_x
  -- To build sendmail 8.6.7 from scratch, the source code can be found
     in the file /toolkits/UNIX/Sendmail/sendmail.8.6.7.tar.Z

NASIRC will continue to monitor the situation and will post additional
information as appropriate. If you have any questions on this subject,
feel free to contact us at any of the venues listed below.
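As an added inventory check (example code written for this edit, not part of the NASIRC bulletin or of the sendmail distribution), the following POSIX shell script takes an SMTP greeting line captured from a mail host, pulls the version number out of it, and reports whether that version falls in the affected range described above (sendmail 8.x before 8.6.7). The greeting format "220 <host> Sendmail <version>/<cfversion> ready at <date>" and the host name in the sample line are assumptions; the bulletin does not describe the banner.

```shell
#!/bin/sh
# Added example, not part of the NASIRC bulletin: decide whether a sendmail
# 8.x version reported by a host is older than 8.6.7, the release the bulletin
# recommends. The banner format "220 <host> Sendmail <version>/<cfversion>
# ready at <date>" is an assumption, and the sample line below is constructed.

# vers_to_num 8.6.6 -> 8006006: pack up to three numeric components into one
# integer so that versions can be compared with a plain -lt test.
vers_to_num() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# extract_version LINE -> the numeric version following the word "Sendmail",
# e.g. "8.6.6" from "... Sendmail 8.6.6/8.6.6 ready ...". Prints nothing if
# the line carries no sendmail banner.
extract_version() {
    printf '%s\n' "$1" | sed -n 's#.*Sendmail \([0-9][0-9.]*\).*#\1#p'
}

# sendmail_vulnerable VERSION -> exit status 0 when VERSION is a sendmail 8.x
# release older than 8.6.7, 1 otherwise. Only the 8.x series is judged: the
# bulletin also lists vendor sendmails as affected, and those carry other
# version numbers, so a non-8.x result means "consult the vendor", not "safe".
sendmail_vulnerable() {
    case "$1" in
        8.*) ;;
        *)   return 1 ;;
    esac
    [ "$(vers_to_num "$1")" -lt "$(vers_to_num 8.6.7)" ]
}

# check_banner LINE -> print a one-line verdict for a captured SMTP greeting.
check_banner() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "no sendmail version found in banner"
    elif sendmail_vulnerable "$v"; then
        echo "sendmail $v: VULNERABLE, upgrade to 8.6.7 (NASIRC 94-07)"
    else
        echo "sendmail $v: not in the affected 8.x range"
    fi
}

# Constructed sample greeting, as a host running an unpatched 8.6.6 would send.
sample='220 mailhost.example.gov Sendmail 8.6.6/8.6.6 ready at Tue, 15 Mar 1994 09:00:00 -0500'
check_banner "$sample"
```

The check only classifies the 8.x series by number; a vendor sendmail (the SunOS, Irix, Solaris and Ultrix builds the bulletin replaces) reports a different version string, so treat "not in the affected 8.x range" as "verify against the vendor package", not as a clean result.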
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
NASIRC ACKNOWLEDGES: John Ray of the NASA Ames Research Center and
David Curry of Purdue University for forwarding this information, and
John Howells of the NASA Ames Research Center for creating the various
builds of sendmail 8.6.7 on very short notice.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

===============================================================
For further assistance, please contact the NASIRC Helpdesk:
                    Phone: 1-800-7-NASIRC
                      Fax: 1-301-441-1853
           Internet Email: nasirc@nasa.gov
  24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
                  STU III: 1-301-982-5480
===============================================================

This bulletin may be forwarded without restriction to sites and system
administrators within the NASA community.

The NASIRC online archive system is available via anonymous ftp. Just
ftp to nasirc.nasa.gov and login as anonymous. You will be required to
enter your valid e-mail address. Once there you can access the
following information:

    /toolkits    ! contains automated toolkit software
    /bulletins   ! contains NASIRC bulletins

Information maintained in these directories is updated on a continuous
basis with relevant software and information. Contact the NASIRC
Helpdesk for more information or assistance with tool kits or security
measures.

-----------------
PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact
your agency's response team to report incidents. Your agency's team
will coordinate with NASIRC, who will ensure the proper internal NASA
team(s) are notified. NASIRC is a member of the Forum of Incident
Response and Security Teams (FIRST), a world-wide organization which
provides for coordination between incident response teams in handling
computer-security-related issues.
You can obtain a list of FIRST member organizations and their constituencies by sending email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts".