sendmail
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01953398
Version: 2
HPSBUX02495 SSRT090151 rev.2 - HP-UX Running sendmail, Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-12-08
Last Updated: 2010-01-14
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02009860
Version: 2
HPSBUX02508 SSRT100007 rev.2 - HP-UX Running sendmail with STARTTLS Enabled, Remote Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-04-20
Last Updated: 2010-04-20
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01953398
Version: 1
HPSBUX02495 SSRT090151 rev.1 - HP-UX Running sendmail, Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-12-08
Last Updated: 2009-12-07
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02009860
Version: 1
HPSBUX02508 SSRT100007 rev.1 - HP-UX Running sendmail with STARTTLS Enabled, Remote Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-03-24
Last Updated: 2010-03-24
Whether a program may have the plaintext injection flaw depends on
how it adjusts the plumbing, as it inserts the TLS protocol layer
in-between the SMTP protocol layer and the O/S TCP/IP protocol
layer. I illustrate this with examples from three open source MTAs:
Postfix, Sendmail and Exim. The diagram below is best viewed with
a fixed-width font, for example, from the Courier family.
    Postfix MTA          Sendmail MTA         Exim MTA
    before/after         before/after         before/after
    switch to TLS        switch to TLS        switch to TLS
php_flag name on|off
Used to set a boolean configuration directive. Can be used only with PHP_INI_ALL and PHP_INI_PERDIR type directives.
mail.force_extra_parameters - Force the addition of the specified parameters to be passed as extra parameters to the sendmail binary. These parameters will always replace the value of the 5th parameter to mail(), even in safe mode
http://pl.php.net/manual/en/configuration.changes.php
--- 1. htaccess safemode and open_basedir Bypass Vulnerability per mail.force_extra_parameters ---
Mandriva Linux Security Advisory MDVSA-2010:003
http://www.mandriva.com/security/
_______________________________________________________________________
Package : sendmail
Date : January 11, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
Enterprise Server 5.0, Multi Network Firewall 2.0
_______________________________________________________________________
Debian Security Advisory DSA-1985-1 security@debian.org
http://www.debian.org/security/ Giuseppe Iuculano
January 31, 2010 http://www.debian.org/security/faq
------------------------------------------------------------------------
Package : sendmail
Vulnerability : insufficient input validation
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-4565
Debian bug : 564581
- F-PROT Antivirus for Windows on Mail Servers : (High: complete bypass of engine)
- F-PROT Antivirus for Exchange (High: complete bypass of engine)
- F-PROT Antivirus for Linux x86 Mail Servers : (High: complete bypass of engine)
- F-PROT Antivirus for Linux x86 File Servers : (High: complete bypass of engine)
- F-PROT Antivirus for Solaris SPARC / Solaris x86 Mail Servers (High: complete bypass of engine)
- F-PROT Milter - for example sendmail (High: complete bypass of engine)
- F-PROT Antivirus for Linux on IBM zSeries (S/390) (High: complete bypass of engine)
- F-Prot Antivirus for Linux x86 Workstations (unknown)
OEM Partners affected :
- Autentium (all versions)
# F-PROT Antivirus for Windows on Mail Servers : (High: complete bypass of engine)
# F-PROT Antivirus for Exchange (High: complete bypass of engine)
# F-PROT Antivirus for Linux x86 Mail Servers : (High: complete bypass of engine)
# F-PROT Antivirus for Linux x86 File Servers : (High: complete bypass of engine)
# F-PROT Antivirus for Solaris SPARC / Solaris x86 Mail Servers (High: complete bypass of engine)
# F-PROT Milter - for example sendmail (High: complete bypass of engine)
# F-PROT Antivirus for Linux on IBM zSeries (S/390) (High: complete bypass of engine)
# F-Prot Antivirus for Linux x86 Workstations (unknown)
OEM Partners affected :
- Autentium (all)
a form of shared library.
Description:
A remotely exploitable vulnerability has been found in clamav-milter
when used with sendmail. In detail, the following flaw was determined:
- Arbitrary code execution due to insecure call to popen()
Impact:
Dear bruhns@recurity-labs.com,
Idea is not new. Same vulnerability was reported for Agnitum Outpost by
Alexander Andrusenko in 2004, http://securityvulns.com/news3687.html
Also, same vulnerabilities were reported and fixed in Sendmail
(CVE-2006-1173).
--Tuesday, December 9, 2008, 1:52:17 AM, you wrote to bugtraq@securityfocus.com:
brlc> == DoS attacks on MIME-capable software via complex MIME emails ==
Background
==========
Postfix is Wietse Venema's mailer that attempts to be fast, easy to
administer, and secure, as an alternative to the widely-used Sendmail
program.
Affected packages
=================
===========
Nikolaos Rangos discovered a vulnerability in ClamAV which exists
because the recipient address extracted from email messages is not
properly sanitized before being used in a call to "popen()" when
executing sendmail (CVE-2007-4560). Also, NULL-pointer dereference
errors exist within the "cli_scanrtf()" function in libclamav/rtf.c and
Stefanos Stamatis discovered a NULL-pointer dereference vulnerability
within the "cli_html_normalise()" function in libclamav/htmlnorm.c
(CVE-2007-4510).
== History of this bug ==
I (re)discovered the bug independently in mid 2007. The bug was however
known before. There are some advisories like secunia.com/advisories/11360/
(for Eudora, bug still unfixed) by people who discovered the problem
before, but did not publicly announce or did not see the scope of it. More
recently, there has been a likewise advisory for sendmail, CVE-2006-1173.
There have been other advisories for different antivirus solutions. This
bug is not 0-day at all, it is really old. If you find older advisories,
which cover this bug, or knew it before, mail me so I can update this
section.
+ A possible cross-site scripting (XSS) vulnerability when filing bugs
using the guided form.
+ When using email_in.pl, insufficiently escaped data may be passed to
sendmail.
+ Users using the WebService interface may access Bugzilla's
time-tracking fields even if they normally cannot see them.
We strongly advise that 2.20.x and 2.22.x users should upgrade to 2.20.5
Rating: Minor
Exposure Level Classification:
Remote User Non-deterministic Vulnerability
Updated Versions:
sendmail=conary.rpath.com@rpl:1/8.13.7-0.5-1
sendmail=conary.rpath.com@rpl:2/8.14.2-1.1-1
sendmail-cf=conary.rpath.com@rpl:1/8.13.7-0.5-1
sendmail-cf=conary.rpath.com@rpl:2/8.14.2-1.1-1
rPath Issue Tracking System:
Problem Description:
Multiple vulnerabilities were discovered and corrected in php-pear
(Mail):
Argument injection vulnerability in the sendmail implementation of
the Mail::Send method (Mail/sendmail.php) in the Mail package 1.1.14
for PEAR allows remote attackers to read and write arbitrary files
via a crafted parameter, a different vector than CVE-2009-4111
(CVE-2009-4023).
Because of the vulnerability described in [1] it is possible to
execute arbitrary shell commands on a system even when all shell
execution functions like shell_exec(), system(), ... are disabled
by the disable_functions directive, but mail() is still allowed.
This attack relies on the fact that the fifth mail() parameter is
used as argument to the sendmail binary and escaped with
escapeshellcmd() internally to ensure that no further shell commands
are appended.
Because PHP scripts can influence the locale of the shell (unless
running in safe_mode) this attack allows bypassing the setting of
--
Magnus Holmgren holmgren@lysator.liu.se
(No Cc of list mail needed, thanks)
"Exim is better at being younger, whereas sendmail is better for
Scrabble (50 point bonus for clearing your rack)" -- Dave Evans
of engine)
- F-PROT Antivirus for Linux x86 File Servers : (High: complete bypass
of engine)
- F-PROT Antivirus for Solaris SPARC / Solaris x86 Mail Servers
(High: complete bypass of engine)
- F-PROT Milter - for example sendmail (High: complete bypass of engine)
- F-PROT Antivirus for Linux on IBM zSeries (S/390) (High: complete
bypass of engine)
- F-Prot Antivirus for Linux x86 Workstations (unknown)
About this advisory