-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                 ESB-2003.0144 -- IBM SECURITY ADVISORY
                  sendmail buffer overflow vulnerability
                              04 March 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Sendmail
Vendor:                 IBM
Operating System:       AIX 5.2
                        AIX 5.1
                        AIX 4.3
Impact:                 Root Compromise
Access Required:        Remote

Ref:                    AA-2003.01

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                           IBM SECURITY ADVISORY

First Issued: Fri Feb 21 11:00:00 CST 2003
===========================================================================
                          VULNERABILITY SUMMARY

VULNERABILITY:  sendmail buffer overflow vulnerability.

PLATFORMS:      AIX 4.3, 5.1 and 5.2

SOLUTION:       Apply the workaround, efix or APARs as described below.

THREAT:         A remote attacker can exploit a buffer overflow to gain
                root privileges.

CERT VU Number: 398025
CVE Number:     n/a
===========================================================================
                           DETAILED INFORMATION

I.  Description
===============

Sendmail is an MTA (mail transfer agent) that routes mail for local or
network delivery. When sendmail receives a message, it translates the
format of the message headers to match the requirements of the
destination system. The program determines the destination via the
syntax and content of the address field in a message header.

A vulnerability has been found in the way message headers are parsed.
This vulnerability allows a remote attacker to gain root privileges. At
this time, there is no known exploit in the wild for this vulnerability.

The sendmail daemon runs on all versions of AIX by default.

To determine if sendmail is running on your system, execute the
following:

    # lssrc -s sendmail

If sendmail is running, the following will be displayed:

    Subsystem         Group            PID     Status
     sendmail         mail             xxxx    active

where xxxx is the pid of the sendmail process on your system.

If sendmail is not installed, the system is not vulnerable.

II.  Impact
===========

A remote attacker can gain root privileges.

III.  Solutions
===============

A.  Official Fix

IBM provides the following fixes:

    APAR number for AIX 4.3.3:  IY40500  (available approx. 03/12/2003)
    APAR number for AIX 5.1.0:  IY40501  (available approx. 04/28/2003)
    APAR number for AIX 5.2.0:  IY40502  (available approx. 04/28/2003)

NOTE: Fixes will not be provided for versions prior to 4.3 as these are
no longer supported by IBM. Affected customers are urged to upgrade to
4.3.3 or 5.1.0 at the latest maintenance level.

B.  E-fix

Temporary fixes for AIX 4.3.3, 5.1.0, and 5.2.0 systems are available.

The temporary fixes can be downloaded via ftp from:

    ftp://aix.software.ibm.com/aix/efixes/security/sendmail_efix.tar.Z

The efix compressed tarball contains three fixes: one each for AIX
4.3.3, AIX 5.1.0 and AIX 5.2.0. It also includes this Advisory and a
README file with installation instructions.

Verify you have retrieved this efix intact:
- - - ---------------------------------------------

There are 3 fix-files in this package for the 4.3.3, 5.1.0, 5.2.0
releases. The checksums below were generated using the "sum" and "md5"
commands and are as follows:

    Filename        sum           md5
    =================================================================
    sendmail.433    61331  428    013f747e5a447e2dec777e2e840914a9
    sendmail.510    34257 1059    5f282fd2a472c2d75c88c3c652312842
    sendmail.520    45494 1007    88bcb028aab4625abe0257d3537a0813

These sums should match exactly; if they do not, double-check the
command results and the download site address. If those are OK, contact
IBM AIX Security at security-alert@austin.ibm.com and describe the
discrepancy.
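The following script is an added example and is not part of the IBM
advisory or the AusCERT bulletin. It performs the two checks a careful
administrator would run before copying anything into /usr/sbin: it
compares each downloaded fix file against the MD5 table published above,
and it compares the installed bos.net.tcp.client level against the
prerequisite levels given in the installation instructions. Assumptions
not stated by the advisory: the output of "lslpp -L" carries the fileset
name in column 1 and its level in column 2; the MD5 tool is "md5" on AIX
or "md5sum" elsewhere, and the digest is the last field of its output.
The "sum" column is left for manual comparison because the sum algorithm
and block size differ between implementations.

```shell
#!/bin/sh
# Added example (not from the IBM advisory): pre-install checks for the
# sendmail efix. Verifies fix-file MD5s against the advisory's table and
# the bos.net.tcp.client level against the advisory's prerequisites.
# Assumed: lslpp -L prints fileset in column 1 and level in column 2;
# "md5" (AIX) or "md5sum" (Linux) exists and its digest is the last field.

# Published table from the advisory: filename, sum, blocks, md5.
EFIX_TABLE='sendmail.433 61331 428 013f747e5a447e2dec777e2e840914a9
sendmail.510 34257 1059 5f282fd2a472c2d75c88c3c652312842
sendmail.520 45494 1007 88bcb028aab4625abe0257d3537a0813'

# required_level RELEASE -> minimum bos.net.tcp.client level from the advisory.
required_level() {
    case $1 in
        433) echo 4.3.3.87 ;;
        510) echo 5.1.0.38 ;;
        520) echo 5.2.0.1 ;;
        *)   return 1 ;;
    esac
}

# level_at_least ACTUAL REQUIRED -> 0 if dotted level ACTUAL >= REQUIRED.
# Each component is compared numerically, so 5.1.0.38 is above 5.1.0.9.
level_at_least() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i + 0; n = NF }
        NR == 2 { for (i = 1; i <= NF; i++) r[i] = $i + 0; if (NF > n) n = NF }
        END {
            for (i = 1; i <= n; i++) {
                if (a[i] + 0 > r[i] + 0) exit 0
                if (a[i] + 0 < r[i] + 0) exit 1
            }
            exit 0
        }'
}

# fileset_ok LSLPP_OUTPUT RELEASE -> 0 if the bos.net.tcp.client level found
# in captured "lslpp -L bos.net.tcp.client" output meets the requirement.
fileset_ok() {
    req=$(required_level "$2") || return 1
    level=$(printf '%s\n' "$1" | awk '$1 == "bos.net.tcp.client" { print $2; exit }')
    [ -n "$level" ] || return 1
    level_at_least "$level" "$req"
}

# md5_of FILE -> lowercase hex MD5 of FILE, using whichever tool is present.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 "$1" | awk '{ print $NF }'   # assumed: digest is the last field
    fi
}

# verify_efix TABLE DIR -> checks every file named in TABLE against DIR.
# Prints one status line per file; returns 0 only if all are present and match.
verify_efix() {
    rc=0
    while read -r name _sum _blocks want; do
        [ -n "$name" ] || continue
        if [ ! -f "$2/$name" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        got=$(md5_of "$2/$name")
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (computed $got, advisory $want)"; rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}

# Usage on the AIX host: sh efix_check.sh 510 /tmp/efix/sendmail_efix
if [ $# -eq 2 ]; then
    fileset_ok "$(lslpp -L bos.net.tcp.client 2>/dev/null)" "$1" \
        || { echo "bos.net.tcp.client is below the level required for $1"; exit 1; }
    verify_efix "$EFIX_TABLE" "$2"
fi
```

Run it from the directory holding the unpacked efix before step 3 of the
installation; a MISMATCH or MISSING line, or a failed fileset check, is a
reason to stop and follow the advisory's instruction to contact IBM AIX
Security rather than to proceed.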
IMPORTANT: Create a mksysb backup of the system and verify it is both
bootable and readable before proceeding.

These temporary fixes have not been fully regression tested; thus, IBM
does not warrant the fully correct functioning of the efix. Customers
install the efix and operate the modified version of AIX at their own
risk.

Efix Installation Instructions:
- - - ---------------------------------

Detailed installation instructions can be found in the README file
supplied in the efix package. These instructions are summarized below.

You need to have the following filesets installed. This ensures that the
proper versions of co-requisite system files, such as libc.a, are
installed:

    For AIX 4.3.3:  bos.net.tcp.client.4.3.3.87
    For AIX 5.1.0:  bos.net.tcp.client.5.1.0.38
    For AIX 5.2.0:  bos.net.tcp.client.5.2.0.1

You can determine which fileset is installed by executing the following:

    # lslpp -L bos.net.tcp.client

1.  Create a temporary efix directory and move to that directory.

    # mkdir /tmp/efix
    # cd /tmp/efix

2.  Move the efix to /tmp/efix, uncompress it and un-tar the resulting
    tarfile. Move to the fix directory.

    # cp PATH_TO_ADVISORY /tmp/efix   # where PATH_TO_ADVISORY is the fully
                                      # qualified path to the efix package.
    # uncompress sendmail_efix.tar.Z
    # tar xvf sendmail_efix.tar
    # cd sendmail_efix

3.  Rename the patched binary file appropriate for your system and set
    ownership and permissions.

    # mv sendmail.xxx sendmail        # where xxx is 433, 510 or 520
    # chown root.system sendmail
    # chmod 6551 sendmail

4.  Create a backup copy of the original binary. Remove all permissions
    from the backup copy.

    # cd /usr/sbin
    # cp sendmail sendmail.orig
    # chmod 0 sendmail.orig

5.  Stop sendmail.

    # stopsrc -s sendmail

6.  Replace the current system binary with the patched binary. Use the
    -p option to preserve the file permissions set in step 3.

    # cp -p /tmp/efix/sendmail_efix/sendmail /usr/sbin/sendmail

7.  Restart sendmail.

    # startsrc -s sendmail -a "-bd -q15"

The -bd flag starts sendmail as a daemon running in the background as a
Simple Mail Transfer Protocol (SMTP) mail router. The -q15 flag tells
the sendmail daemon to process the queue every 15 minutes. It may be
desirable to initialize sendmail differently on the system being
patched. Modify the flags accordingly.

C.  Workaround

Turn sendmail off. You can do this by executing the following:

    # stopsrc -s sendmail

Note that legitimate requests to sendmail will fail. If this is not
feasible in your environment, please apply the efix as described in
Section III B.

IV.  Obtaining Fixes
====================

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center. For more information
on FixDist, and to obtain fixes via the Internet, please reference

    http://techsupport.services.ibm.com/rs6k/fixes.html

or send email to "aixserv@austin.ibm.com" with the word "FixDist" in
the "Subject:" line.

AIX APARs may also be downloaded from the web from the following URLs.

    For 4.3.3 APARs:  http://techsupport.services.ibm.com/rs6k/fixdb.html
    For 5.1.0 APARs:  http://techsupport.services.ibm.com/server/aix.fdc
    For 5.2.0 APARs:  http://techsupport.services.ibm.com/server/aix.fdc

To facilitate ease of ordering all security related APARs for each AIX
release, security fixes are periodically bundled into a cumulative APAR.
For more information on these cumulative APARs, including last update
and list of individual fixes, send email to "aixserv@austin.ibm.com"
with the words "subscribe Security_APARs" in the "Subject:" line.

V.  Acknowledgments
===================

The AIX Security Team would like to thank Sendmail, Inc. for bringing
this issue to our attention.

This document was written by Shiva Persaud.

VI.  Contact Information
========================

Comments regarding the content of this announcement can be directed to:

    security-alert@austin.ibm.com

To request the PGP public key that can be used to encrypt new AIX
security vulnerabilities, send email to security-alert@austin.ibm.com
with a subject of "get key".

If you would like to subscribe to the AIX security newsletter, send a
note to aixserv@austin.ibm.com with a subject of "subscribe Security".
To cancel your subscription, use a subject of "unsubscribe Security".
To see a list of other available subscriptions, use a subject of "help".

Please contact your local IBM AIX support center for any assistance.

IBM and AIX are registered trademarks of International Business Machines
Corporation. All other trademarks are property of their respective
holders.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (AIX)

iD8DBQE+X4kXcnMXzUg7txIRAreuAJ9OSMBqFr5gcFeMU5cKvUyp96x0HQCbB8Mj
e6Mv6kU+Kxnxn8NziSeQHQM=
=8CpD
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your
organisation's registration with AusCERT. The mailing list you are
subscribed to is maintained within your organisation, so if you do not
wish to continue receiving these bulletins you should contact your local
IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to use any or all of this
information is the responsibility of each user or organisation, and
should be made in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is
included in the Security Bulletin above. If you have any questions or
need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

    http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST). On call after hours
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPmTSgSh9+71yA2DNAQEdrwP5AaxdFsp/6s6hzxDhZjFDVt1z73yO4ugO
BK6W4xk+Rc1Y7yX/wyaSKn0O7wHGxqPujeYBSi/9aV6FkKrDIhK7S9GgHX4YN1u8
8WKjQ8WLF8PUF/r2VaTkws1H9YHBKEIdsN3Gr4mRsZyvmKaqTIVfARmOTJ8JQxtQ
EBUSt1fkmvQ=
=5WUY
-----END PGP SIGNATURE-----