More Headaches for Sendmail

The Sendmail Consortium, which manages deployment of the world’s most popular message transfer agent (MTA) to handle email, was left scrambling over the weekend to fix a remotely exploitable vulnerability that could allow an attacker to gain control of a unpatched sendmail server.

The vulnerability, discovered by Michal Zalewski, occurs because address parsing code in sendmail does not adequately check the length of email addresses. An email message with a specially crafted address could trigger a stack overflow. As a result, the vulnerability can be exploited to cause a denial-of-service condition and could allow a remote attacker to execute arbitrary code with the privileges of the sendmail daemon, typically root, according to a CERT advisory issued over the weekend.

“Most organizations have a variety of mail transfer agents (MTAs) at various locations within their network, with at least one exposed to the Internet. Since sendmail is the most popular MTA, most medium-sized to large organizations are likely to have at least one vulnerable sendmail server. In addition, many UNIX and Linux workstations provide a sendmail implementation that is enabled and running by default,” CERT warned in its advisory.

Just on March 3, Sendmail posted a different patch to plug a “critical security problem” in header parsing.

And although the latest patch is just as critical, the disorganized manner in which the security warning was released left a bad taste in the mouths of many network administrators.

According to a discussion on Slashdot , somebody apparently jumped the gun by issuing the warning. As a result, Sendmail was left scrambling to get word out over the weekend, leaving the chance that many systems were left undefended and exposed to a vulnerability that crackers could exploit if they wanted to.

“We apologize for releasing this information today (2003-03-29) but we were forced to do so by an e-mail on a public mailing list which contains information about the security flaw,” Sendmail said in its posting. The patch can be found here.

Still, some admins had had enough.

“Sendmail: The IIS of Open Source,” one poster said on Slashdot, referring to the problem-plagued Microsoft web serving software. “This is the straw that breaks the camel’s back. I’m changing to another MTA.”