Critical Sendmail Vulnerability, Updates available

 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1  SANS Alert 2003-03-03 Critical vulnerability in all versions of SENDMAIL Plus a Snort Vulnerability  And an invitation to a web broadcast on the vulnerabilities  The Sendmail Vulnerability What systems are affected? UNIX and Linux Systems running sendmail - probably even those that are not mail servers. Level: CRITICAL - affords root or superuser access when sendmail is running with those privileges.  A new critical vulnerability has been discovered in Sendmail. The UNIX and Linux vendors have been working feverishly to get a patch ready and most are available now.  Sendmail is too big a target for attackers to ignore, so it makes sense to act immediately to protect your systems.  In this note you will find: (1) The invitation to the webcast covering both vulnerabilities (2) DHS/NIPC Advisory 03-004 Remote Sendmail Header Processing     Vulnerability (3) A description of what government and industry did to try to     mitigate damage from this newly discovered vulnerability. (4) The Department of Homeland Security Alert on the Snort     Vulnerability  ******************************************************** SANS Web Broadcast (free) on the Sendmail Vulnerability and the Snort Vulnerability  Date: March 3, 2003 (today) Time: 7 PM EST (0000 UTC) Register at:   There is an absolute limit of 2,000 people on the live program to ensure quality audio, but the archive will be available about 5 hours later for anyone who does not get a reservation.  Featuring the ISS X-Force folks (ISS discovered the vulnerability), Hal Pomeranz (sendmail expert) and Marty Roesch, author of Snort, will brief you on the Snort vulnerability.  Below you'll find the Department of Homeland Security advisory followed by a brief description of what happened behind the scenes inside the government followed by the DHS Snort vulnerability alert.  *********************************************************************** Here's the DHS/NIPC Advisory  Remote Sendmail Header Processing Vulnerability  SUMMARY:  The Department of Homeland Security (DHS), National Infrastructure Protection Center (NIPC) is issuing this advisory to heighten awareness of the recently discovered Remote Sendmail Header Processing Vulnerability (CAN-2002-1337). NIPC has been working closely with the industry on vulnerability awareness and information dissemination.  The Remote Sendmail Header Processing Vulnerability allows local and remote users to gain almost complete control of a vulnerable Sendmail server. Attackers gain the ability to execute privileged commands using super-user (root) access/control. This vulnerability can be exploited through a simple e-mail message containing malicious code. Sendmail is the most commonly used Mail Transfer Agent and processes an estimated 50 to 75 percent of all Internet e-mail traffic. System administrators should be aware that many Sendmail servers are not typically shielded by perimeter defense applications. A successful attacker could install malicious code, run destructive programs and modify or delete files.  Additionally, attackers may gain access to other systems thru a compromised Sendmail server, depending on local configurations. Sendmail versions 5.2 up to 8.12.8 are known to be vulnerable at this time.  DESCRIPTION:  The Remote Sendmail Header Processing Vulnerability is exploited during the processing and evaluation of e-mail header fields collected during an SMTP transaction. Examples of these header fields are the "To", "From" and "CC" lines. The crackaddr() function in the Sendmail headers.c file allows Sendmail to evaluate whether a supplied address or list of addresses contained in the header fields is valid. Sendmail uses a static buffer to store processed data. It detects when the static buffer becomes full and stops adding characters. However, Sendmail continues processing data and several security checks are used to ensure that characters are parsed correctly. The vulnerability allows a remote attacker to gain access to the Sendmail server by sending an e-mail containing a specially crafted address field which triggers a buffer overflow.  RECOMMENDATION: Due to the seriousness of this vulnerability, the NIPC is strongly  recommending that system administrators who employ Sendmail take this  opportunity to review the security of their Sendmail software and to  either upgrade to Sendmail 8.12.8 or apply the appropriate patch for  older versions as soon as possible. Patches for the vulnerability are available from Sendmail, from ISS who  discovered the vulnerability and from vendors whose applications  incorporate Sendmail code, including IBM, HP, SUN, Apple and SGI. Other  vendors will release patches in the near future. The primary distribution site for Sendmail is: https://www.proofpoint.com/us/products/email-protection/open-source-email-solution Patches and information are also available from the following sites: The ISS Download center  IBM Corporation https://www.ibm.com/mysupport/s/ Hewlett-Packard , Co. http://www.hp.com Silicon Graphics Inc.  Apple Computer, Inc. https://www.apple.com/ Sun Microsystems, Inc. https://www.oracle.com/it-infrastructure/ Common Vulnerabilities and Exposure (CVE) Project https://cve.mitre.org/  As always, computer users are advised to keep their anti-virus and  systems software current by checking their vendor's web sites frequently  for new updates and to check for alerts put out by the DHS/NIPC,  CERT/CC, ISS and other cognizant organizations. The DHS/NIPC encourages  recipients of this advisory to report computer intrusions to their local  FBI office () and other appropriate  authorities. Recipients may report incidents online to  . The DHS/NIPC Watch and Warning  Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov.   ====  Background on government/industry cooperation to mitigate damage  The Sendmail Vulnerability Announced Today, March 3, 2003 How Well Did The Cyber Defense Community Do?  Today, hundreds of thousands of people learned of a vulnerability in the sendmail program which is widely used for Internet mail handling. A vulnerability in such a widely used open source software program presents difficult challenges for the cyber defense community - including the need to get more than twenty different software organizations to act quickly and silently to develop patches.  Three primary actions are required to respond effectively to such a vulnerability:  1. Verify that the vulnerability exists and is important. 2. Contact the key technical personnel at each of the software companies and other groups that distribute sendmail (either alone or with other software) and ensure that they develop and test patches and make them ready for widespread distribution. 3. Plan and execute an early warning and distribution strategy that enables critical infrastructure organizations in the US and in partner countries to be prepared for rapid deployment of the patches once they are ready.  This must be accomplished without leaking data about the vulnerability to the black hat community that exploits such vulnerabilities by creating worms like Code Red, Slapper, and Slammer.  When possible, several other actions may be appropriate:   4. Provide military and other very sensitive organizations with early access to the patches so their systems can be protected even before public disclosure of the vulnerability. 5. Use sensor networks with smart filters to test for exploitation. 6. Develop and distribute filters that can block the offending packets to protect systems that cannot or will not install patches immediately.  On Saturday, March 1, 2003, the US Department of Homeland Security became fully operational, although the elements of the new department had been working together for several weeks.  In cybersecurity, the new Department brings together four highly visible cybersecurity agencies: (1) The National Infrastructure Protection Center from the FBI, (2) FedCIRC from the General Services Administration, (3) the National Communications System program from the US Department of Defense, and (4) the Critical Infrastructure Assurance Office from the Department of Commerce.  Today's disclosure of a vulnerability in sendmail offers the opportunity to see how quickly and effectively the cyber defense community, led by this new Department, can respond to important threats.  Sendmail's vulnerability offers a legitimate test because sendmail handles a large amount of Internet mail traffic and is installed on at least 1.5 million Internet-connected systems. More than half of the large ISPs and Fortune 500 companies use sendmail, as do tens of thousands of other organizations. A security hole in sendmail affects a lot of people and demands their immediate attention.  You can draw your own conclusion on how well the problem is being handled. Here are the facts:  1. On Friday, February 14, telephone calls to the Department of Homeland Security (DHS) and the White House Office of Cyberspace Security alerted the US government to a suspected sendmail vulnerability. The source of the data was Internet Security Systems (ISS), a well-respected security firm with solid security research credentials, giving the data an initial base level of credibility. However, to be more certain, DHS technical experts reviewed the details of the vulnerability and especially the tests that ISS had run to prove the existence and severity of the vulnerability. They were convinced.  2. Almost immediately the DHS/White House team, working with ISS, contacted vendors that distribute sendmail, including Sun, IBM, HP, and SGI, as well as the Sendmail Consortium, the organization that develops the open source version of sendmail that is the core of sendmail distributed with both free and commercial operating systems. Partially because of government involvement, but primarily because the vulnerability involved the widely used sendmail package, the vendors immediately started working together on patches.  3. The DHS/White House staff contacted and shared what they knew with the US Department of Defense and the Federal CIO Council. Through the Federal CIO Council, the US FedCIRC and US Office of Management and Budget were added to the coordinating team. Together the government planners, ISS, and the vendors developing patches worked out a plan for public dissemination of the vulnerability information and patch distribution.  4. To help ensure that the open source LINUX and BSD distributions (Red Hat, SUSE, OpenBSD, etc.) developed patches, the Computer Emergency Response Team at Carnegie Mellon University (CERT/CC) was brought into the project. CERT/CC deployed its formalized process to inform the LINUX and BSD distribution developers and to assist them in getting the corrected source code and any additional knowledge needed to create the patch. CERT/CC (which is funded, in part, by two organizations being merged into DHS and by the DoD) also created an advisory to educate system administrators and the security community in general on the vulnerability, on which systems are affected, and on where to get the patches for each affected system.  5. Some of the large commercial vendors developed the patches very quickly, but the delayed notice to smaller sources of sendmail distributions and limited resources at those organizations meant that not all the patches would be ready by early in the week of February 23. The coordinating group faced a decision of whether to release data about the exploit before most patches were ready or to wait. The answer depended on whether they had reason to believe an exploit was already being used by attackers. They had two sources of information that led them to conclude waiting an extra week was acceptable. First, people who monitored the hacker discussion groups reported that this vulnerability did not seem to be one that was being discussed. Second, the organization that discovered the vulnerability, ISS, had deployed sensors for the exploit in a number of places around the world. Those sensors were showing no exploits. Based on both sets of data, the coordination group decided to schedule the announcement for Monday, March 3. A second-order reason to schedule a Monday announcement was that some members of the team believed that Monday-Tuesday announcements generate more rapid and complete patching than announcements made late in the week.  6. Since some of the patches were ready, the coordination group decided to provide what was available to the US DoD so that military sites could have the protection as early as possible. The military distributions took place on or around February 25 and 26.  7. On February 27 and 28, government groups in the US and in several other countries were given early warnings, without details about how the vulnerability could be exploited, to help them plan for rapid deployment of the patches when they were released on March 3. In addition to the Chief Information Officers of US Cabinet level departments, and the directors or deputy directors of national cyber security offices in several other countries, the officers of the critical infrastructure Information Sharing And Analysis Centers (ISACs) were also briefed so they could be ready for rapid information distribution to commercial organizations such as banks and utilities, that comprise the critical infrastructure.  8. On March 3, beginning about 10 am EST, alerts began flowing to federal agencies from FedCIRC and to the critical infrastructure companies from the ISACs. At noon, ISS released their advisory, followed by CERT/CC's general release. Once the data was public, the SANS Institute also issued a release and scheduled free web-based education programs.  ====  DHS/NIPC Advisory 03-003 Snort Buffer Overflow Vulnerability   The Department of Homeland Security (DHS), National Infrastructure Protection Center (NIPC) has been informed of a recently discovered serious vulnerability in Snort, a widely used Intrusion Detection System, IDS.  DHS/NIPC has been working closely with the Internet security industry on vulnerability awareness and is issuing this advisory in conjunction with public announcements.  Snort is available in open source and commercial versions form Sourcefire, a privately held company headquartered in Columbia, MD. Details are available from Sourcefire.  See Snort Vulnerability Advisory [SNORT-2003-001].  The affected Snort versions include all version of Snort from version 1.8 through current.  Snort 1.9.1 has been released to resolve this issue.  The vulnerability was discovered by Internet Security Systems (ISS), and is a buffer overflow in the Snort Remote Procedure Call, RPC, normalization routines.  This buffer overflow can cause snort to execute arbitrary code embedded within sniffed network packets. Depending upon the particular implementation of Snort this may give local and remote users almost complete control of a vulnerable machine. The vulnerability is enabled by default.  Mitigation instructions for immediate protections prior to installing patches or upgrading are described in the Snort Vulnerability Advisory.  Due to the seriousness of this vulnerability, the DHS/NIPC strongly recommends that system administrators or security managers who employ Snort take this opportunity to review their security procedures and patch or upgrade software with known vulnerabilities.  Sourcefire has acquired additional bandwidth and hosting to aid users wishing to upgrade their Snort implementation. Future information can be found at: https://www.cisco.com/site/us/en/products/security/index.html  As always, computer users are advised to keep their anti-virus and systems software current by checking their vendor's web sites frequently for new updates and to check for alerts put out by the DHS/NIPC, CERT/CC, ISS and other cognizant organizations.  The DHS/NIPC encourages recipients of this advisory to report computer intrusions to their local FBI office () and other appropriate authorities.  Recipients may report incidents online to .  The DHS/NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov.   == end == -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux)  iD8DBQE+Y7oL+LUG5KFpTkYRAh6ZAJ9oWXqnCwZyP4Wxla1HUbMOcjdlSwCfboS8 wnLCqqyaA0+Dpcn9gUI7yxo= =cIQn -----END PGP SIGNATURE-----