[Dshield] critical sendmail problem.

Danny danny at eboundary.com
Mon Mar 3 18:40:10 GMT 2003

Hash: SHA1

Any one have any technical info on this? 

Does it *only* effect systems with sendmail listening and accepting mail
from the world, or are you vulnerable if you allow users to send mail
from local accounts? 

Network Security Engineer

|->-----Original Message-----
|->From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
|->Behalf Of Johannes Ullrich
|->Sent: Monday, March 03, 2003 12:21 PM
|->To: list at dshield.org
|->Subject: [Dshield] critical sendmail problem.
|->> Internet Security Systems Security Advisory
|->> March 3, 2002
|->> Remote Sendmail Header Processing Vulnerability
|->> Synopsis:
|->> ISS X-Force has discovered a buffer overflow vulnerability in the
|->> Sendmail
|->> Mail Transfer Agent (MTA). Sendmail is the most common MTA and has
|->> been
|->> documented to handle between 50% and 75% of all Internet email
|->> traffic.
|->> Impact:
|->> Attackers may remotely exploit this vulnerability to gain "root" or
|->> superuser
|->> control of any vulnerable Sendmail server. Sendmail and all other
|->> email
|->> servers are typically exposed to the Internet in order to send and
|->> receive
|->> Internet email. Vulnerable Sendmail servers will not be protected
|->> legacy
|->> security devices such as firewalls and/or packet filters. This
|->> vulnerability
|->> is especially dangerous because the exploit can be delivered within
|->> email
|->> message and the attacker doesn't need any specific knowledge of the
|->> target to
|->> launch a successful attack.
|->> Affected Versions:
|->> Sendmail versions from 5.79 to 8.12.7 are vulnerable
|->> Note: The affected versions of Sendmail commercial, Sendmail open
|->> source
|->> running on all platforms are known to be vulnerable.
|->> For the complete ISS X-Force Security Advisory, please visit:
|->> ______
|->> About Internet Security Systems (ISS)
|->> Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is
|->> pioneer and world leader in software and services that protect
|->> critical
|->> online resources from an ever-changing spectrum of threats and
|->> Internet Security Systems is headquartered in Atlanta, GA, with
|->> additional operations throughout the Americas, Asia, Australia,
|->> and the Middle East.
|->> Copyright (c) 2003 Internet Security Systems, Inc. All rights
|->> worldwide.
|->> Permission is hereby granted for the electronic redistribution of
|->> document. It is not to be edited or altered in any way without the
|->> express written consent of the Internet Security Systems X-Force.
|->> you wish to reprint the whole or any part of this document in any
|->> other
|->> medium excluding electronic media, please email xforce at iss.net for
|->> permission.
|->> Disclaimer: The information within this paper may change without
|->> notice.
|->> Use of this information constitutes acceptance for use in an AS IS
|->> condition. There are NO warranties, implied or otherwise, with
|->> to
|->> this information or its use. Any use of this information is at the
|->> user's risk. In no event shall the author/distributor (Internet
|->> Security
|->> Systems X-Force) be held liable for any damages whatsoever arising
|->> of or in connection with the use or spread of this information.
|->> X-Force PGP Key available on MIT's PGP key server and PGP.com's key
|->> server,
|->> as well as at <http://www.iss.net/security_center/sensitive.php>
|->> Please send suggestions, updates, and comments to: X-Force
|->> xforce at iss.net of Internet Security Systems, Inc.
|->list mailing list
|->list at dshield.org
|->To change your subscription options (or unsubscribe), see:

Version: PGP 8.0


More information about the list mailing list