X

Companies mobilize to patch Sendmail

A critical vulnerability in the Internet's most popular mail-server application has security experts and software companies moving quickly to convince customers to apply a patch.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
2 min read
A critical vulnerability in Sendmail, the Internet's most popular mail-server application, had security experts and software companies moving quickly on Monday to convince customers to apply a patch.

The flaw allows an attacker to send a specially formatted e-mail that could take control of a mail server running Sendmail and execute a malicious program. At present, no attack tool that could exploit the vulnerability is known to exist, said Greg Olson, chairman and co-founder of Sendmail, the company that has created a commercial version of the software.

"You have to understand that this is a very arcane security issue," he said. "It has been present in Sendmail code for 15 years and that code has been through multiple inspections."

The flaw--ironically in a Sendmail security function--occurs when the mail program parses an overlong header. The vulnerability was first found in December by security software firm Internet Security Systems. The company notified Sendmail and the National Infrastructure Protection Center, a joint computer crime and security task force, on Jan. 13.

"This vulnerability is especially dangerous because the exploit can be delivered within an e-mail message and the attacker doesn't need any specific knowledge of the target to launch a successful attack," stated an ISS advisory released Monday.

Because the vulnerability is contained in an e-mail message, it will bypass firewalls and many intrusion detection systems, said Dan Ingsvaldson, team leader for ISS's vulnerability research group. Moreover, mail servers--also called mail transport agents (MTAs)--that aren't vulnerable will still forward the flaw-exploiting e-mail message onto its destination.

"The only dependency is that the domain needs to accept e-mail," Ingevaldson said.

The flaw is unrelated to a November break-in at the Sendmail Consortium's Web site.

Several companies, including Red Hat, IBM, SGI, Sun and Hewlett-Packard, released patches Monday. The Sendmail Consortium, the group responsible for development of the open-source Sendmail code, released Sendmail 8.12.8, an updated program that fixes the flaw.

"The key here is to get the word out and get it fixed before hackers get an exploit," said Sendmail's Olson. "You need to contact a lot of people and make sure they understand this is important and apply the patch."