Sendmail flaw opens door to intruders

Unless people make recommended fixes, remote attackers could gain control to their systems.

A correction was made to this story. Read below for details.

A serious flaw exists in certain versions of the popular Sendmail open-source and commercial e-mail software, but fixes are available, researchers said Wednesday.

The vulnerability, which was reported by Mark Dowd at Internet Security Systems, could allow a remote attacker to take control of an e-mail server. To do this, the intruder would send arbitrary code at carefully crafted time intervals to the SMTP mail server, according to alerts from security providers ISS and FrSirt.

An attack could interfere with or intercept mail delivery, permit the intruder to tamper with other programs and data on the vulnerable system, and potentially provide access to other systems on the affected machine's network.

The flaw relates to all Linux- and Unix-based versions of Sendmail 8 up to version 8.13.5, but not Microsoft Windows varieties of the open-source software, said the Sendmail Consortium, which oversees the project. Affected products put out by Sendmail Inc., which sells a commercial version, include Sendmail Switch, Sentrion and Advanced Message Server, according to a company alert.

Sendmail software delivers 70 percent of the world's e-mail messages, according to the consortium's estimates.

"Since SMTP is one of the few listening services allowed consistently through perimeter firewalls, we expect that many attackers will focus their efforts on developing techniques to exploit the vulnerability in order to gain entry into corporate and government networks," considered to be major Sendmail users, said Gunter Ollmann, director ISS's X-Force research team.

The threat analyst team at Symantec categorized the vulnerability as critical, meaning it has a significant chance of widespread exploitation.

A Sendmail Inc. representative said Wednesday that no exploits for the vulnerability have been reported, and noted that the flaw has been detected in the lab only.

However, the Sendmail Consortium strongly urged open-source users to upgrade to version 8.13.6 of the software, which contains a fix and is available through its Web site. Patches for two older versions of the software are also available for download, but the group discouraged that tactic, warning that the patches may not work properly.

For people who use the commercial software, a complete rundown of recommended actions is available through the Sendmail company advisory.

The incident isn't the first problem for the widely used software. Security researchers in 2003 identified a series of vulnerabilities.

 

Correction: This story incorrectly described what kind of system was at risk from an attack based on the Sendmail flaw. An intruder could take over e-mail servers using the flaw.
Featured Video
Close
Drag