We will try and keep these pages up to date
Copyright 1995 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included.
The CERT Coordination Center has received reports of a vulnerability in sendmail version 5. Although this version is several years old, it is still in use. The vulnerability enables intruders to gain unauthorized privileges, including root. We recommend installing all patches from your vendor or moving to the current version of Eric Allman's sendmail (version 8.6.12). The vulnerability is currently present in all versions of IDA sendmail and in some vendors' releases of sendmail. The vendors who have reported to us are listed in Section I.
In sendmail version 5, there is a vulnerability that intruders can exploit to create files, append to existing files, or execute programs. The vulnerability is currently present in all versions of IDA sendmail and in some vendors' releases of sendmail. Many vendors have previously installed upgrades or developed patches to address the problem; some are working on patches now. Here is a summary of vendors who reported to us as of the date of this advisory. More details can be found in the appendix of this advisory. The appendix is reproduced in CA-95:08.README, which we will update as we receive additional information. If you do not see your vendor's name or if you have questions about the version of sendmail at your site, please contact your vendor directly.
Eric Allman sendmail 8.6.10 or later not vul.
Apple Computer, Inc. upgrades to A/UX 3.1 and 3.1.1 not vul.
Berkeley SW. Design BSD/OS 2.0 vulnerable - patch available
BSD/OS 2.0.1 not vulnerable
Cray Research, Inc. not vulnerable
Digital Equipment Corp. not vulnerable if current with patches
Harris Computer Systems not vulnerable
Hewlett-Packard Company not vul. - see HP bulletin #25
IBM Corporation AIX 3.2 not vulnerable with patch
AIX 4.1 not vulnerable
NEC Corporation vulnerable - patches available
NeXT Computer, Inc. vulnerable - patch is planned
Open Software Foundation not vulnerable
The Santa Cruz Operation vulnerable - patches available
Silicon Graphics Inc. not vulnerable if current with patches
Solbourne (Grumman) vulnerable - patch is planned
Sun Microsystems, Inc. Solaris 2.x not vulnerable
Sun OS 4.1.3, 4.1.37u1, & 4.1.4 vul. - patch
available soon
Public domain:
Users of the public domain operating systems Linux (systems using
sendmail rather than smail), NetBSD, and FreeBSD should upgrade to
sendmail 8.6.12.
Local and remote users can create files, append to existing files or run programs on the system. Exploitation can lead to root access.
IDA users: Convert to sendmail 8.6.12.
Other users: Check the vendor information in the appendix of this
advisory.
Ensure that you have kept current with upgrades and
patches from your vendor.
If no patch is currently available, an
alternative is to install sendmail 8.6.12.
Sendmail is available by anonymous FTP from
The checksums are
MD5 (sendmail.8.6.12.base.tar.Z) = 31591dfb0dacbe0a7e06147747a6ccea
MD5 (sendmail.8.6.12.cf.tar.Z) = c60becd7628fad715df8f7e13dcf3cc6
MD5 (sendmail.8.6.12.misc.tar.Z) = 6212390ca0bb4b353e29521f1aab492f
MD5 (sendmail.8.6.12.patch) = 10961687c087ef30920b13185eef41e8
MD5 (sendmail.8.6.12.xdoc.tar.Z) = 8b2252943f365f303b6302b71ef9a841
To restrict sendmail's program mailer facility, obtain and install
the sendmail restricted shell program (smrsh) by Eric Allman (the
original author of sendmail), following the directions included with the
program.
Copies of this program may be obtained via anonymous FTP
from
SD Sum
30114 5 README
25757 2 smrsh.8
46786 5 smrsh.c
System V Sum
56478 10 README
42281 4 smrsh.8
65517 9 smrsh.c
MD5 Checksum
MD5 (README) = fc4cf266288511099e44b664806a5594
MD5 (smrsh.8) = 35aeefba9714f251a3610c7b1714e355
MD5 (smrsh.c) = d4822ce7c273fc8b93c68e39ec67739c
Depending upon the currently installed sendmail program, switching to a different sendmail may require significant effort (such as rewriting the sendmail.cf file.)
The CERT Coordination Center staff thanks the vendors listed in this advisory, along with Karl Strickland and Neil Woods for their support in the development of this advisory.
If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST). If you wish to send sensitive incident or vulnerability information to CERT staff by electronic mail, we strongly advise that the e-mail be encrypted. The CERT Coordination Center can support a shared DES key, PGP (public key available via anonymous FTP on info.cert.org), or PEM (contact CERT staff for details). Internet e-mail: cert@cert.org Telephone: +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax: +1 412-268-6989 Postal address: CERT Coordination Center , Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890, USA. CERT advisories and bulletins are posted on the USENET news group comp.security.announce. If you would like to have future advisories and bulletins mailed to you or to a mail exploder at your site, please send mail to cert-advisory-request@cert.org. Past CERT publications, information about FIRST representatives, and other information related to computer security are available by anonymous FTP from info.cert.org.
Current as of August 17, 1995 See CA-95.08.README for updated information
Below is information we have received from vendors about the vulnerability in sendmail version 5. If you do not see your vendor's name below, contact the vendor directly for information.
Sendmail 8.6.10 and later are not vulnerable. The current version is 8.6.12. Because the current version addresses vulnerabilities that appear in earlier versions, it is a good idea to use 8.6.12. Sendmail is available by anonymous FTP from ftp://ftp.cs.berkeley.edu/ucb/sendmail ftp://info.cert.org/pub/tools/sendmail/sendmail.8.6.12 ftp://auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail The checksums are MD5 (sendmail.8.6.12.base.tar.Z) = 31591dfb0dacbe0a7e06147747a6ccea MD5 (sendmail.8.6.12.cf.tar.Z) = c60becd7628fad715df8f7e13dcf3cc6 MD5 (sendmail.8.6.12.misc.tar.Z) = 6212390ca0bb4b353e29521f1aab492f MD5 (sendmail.8.6.12.patch) = 10961687c087ef30920b13185eef41e8 MD5 (sendmail.8.6.12.xdoc.tar.Z) = 8b2252943f365f303b6302b71ef9a841
Eric Allman
Sendmail 8.6.10 and later are not vulnerable. The current version is 8.6.12.
Because the current version addresses vulnerabilities that appear in earlier
versions, it is a good idea to use 8.6.12.
Sendmail is available by anonymous FTP from
ftp://ftp.cs.berkeley.edu/ucb/sendmail
ftp://info.cert.org/pub/tools/sendmail/sendmail.8.6.12
ftp://auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail
The checksums are
MD5 (sendmail.8.6.12.base.tar.Z) = 31591dfb0dacbe0a7e06147747a6ccea
MD5 (sendmail.8.6.12.cf.tar.Z) = c60becd7628fad715df8f7e13dcf3cc6
MD5 (sendmail.8.6.12.misc.tar.Z) = 6212390ca0bb4b353e29521f1aab492f
MD5 (sendmail.8.6.12.patch) = 10961687c087ef30920b13185eef41e8
MD5 (sendmail.8.6.12.xdoc.tar.Z) = 8b2252943f365f303b6302b71ef9a841
[The following information also appeared in CERT advisory
CA-95:05, "Sendmail Vulnerabilities."]
An upgrade to A/UX version 3.1 (and 3.1.1) for these vulnerabilities is
available. The upgrade replaces the sendmail binary with the 8.6.10
version. It is available via anonymous FTP from ftp.support.apple.:
pub/apple_sw_updates/US/Unix/A_UX/supported/3.x/sendmail/
It is also available via anonymous FTP from abs.apple.com:
pub/abs/aws95/patches/sendmail/
In both cases the compressed binary has the following signature:
MD5 (sendmail.Z) = 31bb15604517630f46d7444a6cfab3f1
Uncompress(1) this file and replace the existing version in /usr/lib;
be sure to preserve the hard links to /usr/ucb/newaliases and
/usr/ucb/mailq, kill the running sendmail and restart.
Earlier versions of A/UX are not supported by this patch. Users of
previous versions are encouraged to update their system or compile
the latest version of sendmail available from ftp.cs.berkeley.edu.
Customers should contact their reseller for any additional information.
BSD/OS V2.0.1 is not vulnerable.
BSD/OS V2.0 users should install patch U200-011, available from
ftp.bsdi.com in bsdi/patches/U200-011.
BSDI Support contact information:
Phone: +1 719 536 9346
EMail: support@bsdi.com
not vulnerable
A patch for SENDMAIL (ULTSENDMAIL_EO1044 & OSFSENDMAIL_E01032) has been available for some time, so if you have kept current with patches you are not vulnerable to this particular reported problem. If you have not applied the kits above, Digital Equipment Corporation strongly urges customers to upgrade to the latest versions of ULTRIX V4.4 or DIGITAL DEC OSF/1 V3.2, then apply the appropriate sendmail solution kit. The above kits can be obtained through your normal Digital support channels or by access (kit) request via DSNlink, DSIN, or DIA.
GSSC now performs all Solbourne software and hardware support. We recommend running sendmail 8.6.10 (or later revision.) 8.6.12 has proven reliable in production use on Solbourne systems. We plan to release the Solbourne version of the Sun patch when it becomes available.
ftp: ftp.nts.gssc.com
phone: 1-800-447-2861
email: support@nts.gssc.com
not vulnerable
Hewlett-Packard issued security bulletin #25 on April 2, 1995 announcing
patches and describing a fix. The patches are
PHNE_5402 (series 700/800, HP-UX 9.x), or
PHNE_5401 (series 700/800, HP-UX 8.x), or
PHNE_5384 (series 300/400, HP-UX 9.x), or
PHNE_5383 (series 300/400, HP-UX 8.x), or
PHNE_5387 (series 700, HP-UX 9.09), or
PHNE_5388 (series 700, HP-UX 9.09+), or
PHNE_5389 (series 800, HP-UX 9.08)
The bulletin is available from the HP SupportLine and from http://www.hp.com
in the HPSL category and from http://support.mayfield.hp.com.
Patches may be obtained from HP via FTP (this is NOT anonymous FTP) or the HP
SupportLine. To obtain HP security patches, you must first register with the
HP SupportLine. The registration instructions are available via anonymous FTP
at info.cert.org in the file "pub/vendors/hp/supportline_and_patch_retrieval".
HP SupportLine: 1-415-691-3888
phone: 1-415-691-3680
telnet/ftp: support.mayfield.hp.com
WWW: http://www.hp.com
http://support.mayfield.hp.com.
A patch (ptf U425863) has been available for AIX 3.2 for some time.
To determine if you have this ptf on your system, run the following command:
% lslpp -lB U425863
If you have not already applied the patch, you can order it from IBM as APAR
ix40304 To order APARs from IBM in the U.S., call 1-800-237-5511. To obtain
APARs outside of the U.S., contact your local IBM representative.
OS Version Status
------------------ ------------ ------------------------------
EWS-UX/V(Rel4.0) R1.x - R6.x vulnerable
EWS-UX/V(Rel4.2) R7.x - R10.x vulnerable
patch available
EWS-UX/V(Rel4.2MP) R10.x vulnerable
patch available
UP-UX/V R1.x - R4.x vulnerable
UP-UX/V(Rel4.2MP) R5.x - R7.2 vulnerable
patch available except for R5.x
UX/4800 R11.x not vulnerable
Contacts for further information:
e-mail:UXcert-CT@d2.bsd.nes.nec.co.jp
The sendmail executables included with all versions of NEXTSTEP up to and including release 3.3 are vulnerable to this problem. The SendmailPatch previously released for NEXTSTEP 3.1 and 3.2 is also vulnerable. An updated patch is planned which will address this vulnerability. The availability of this patch will be indicated in the NeXTanswers section of http://www.next.com/. For further information you may contact NeXT's Technical Support Hotline at (+1-800-955-NeXT) or via email to ask_next@NeXT.com.
not vulnerable
Support Level Supplement (SLS) net382e, contains a patched version of
sendmail for the following releases:
SCO TCP/IP Runtime System Release 1.2.1
SCO Open Desktop Lite Release 3.0
SCO Open Desktop Release 3.0
SCO Open Server Network System Release 3.0
SCO Open Server Enterprise System Release 3.0
SCO OpenServer 5 contains Sendmail version 8.6.8, and contains fixes
to all problems reported in this and previous sendmail advisories.
Users of previous releases should consider updating.
NOTE: The MMDF (M)ulti-Channel (M)emorandum (D)istribution
(F)acility is the default mail system on SCO systems. The MMDF mail
system is not affected by any of the problems mentioned in these
advisories. Administrators who wish to use sendmail must specifically
configure the system to do so during or after installation.
To acquire SLS net382e:
Anonymous ftp on the Internet:
==============================
ftp://ftp.sco.COM/SLS/net382e.Z (disk image)
ftp://ftp.sco.COM/SLS/net382e.ltr.Z (documentation)
Anonymous uucp:
===============
United States:
--------------
sosco!/usr/spool/uucppublic/SLS/net382e.Z (disk image)
sosco!/usr/spool/uucppublic/SLS/net382e.ltr.Z (documentation)
United Kingdom:
---------------
scolon!/usr/spool/uucppublic/SLS/net382e.Z (disk image)
scolon!/usr/spool/uucppublic/SLS/net382e.ltr.Z (documentation)
The telephone numbers and login names for the machines sosco and scolon
are provided with the default /usr/lib/uucp/Systems file shipped with
every SCO system.
The checksums for the files listed above are as follows:
file sum -r md5
=========================== ================================
net382e.Z: 29715 1813 41efeaaa855e4716ed70c12018014092
net382e.ltr.Z 52213 14 287ba6131519cba351bc58cb32880fda
The Support Level Supplement is also available on floppy media from SCO
Support at the following telephone numbers:
USA/Canada: 6am-5pm Pacific Daylight Time (PDT)
-----------
1-408-425-4726 (voice)
1-408-427-5443 (fax)
Pacific Rim, Asia, and Latin American customers: 6am-5pm Pacific
------------------------------------------------ Daylight Time
(PDT)
1-408-425-4726 (voice)
1-408-427-5443 (fax)
Europe, Middle East, Africa: 9am-5:00pm Greenwich Mean Time (GMT)
----------------------------
+44 1923 816344 (voice)
+44 1923 817781 (fax)
For further information, contact SCO at one of the above numbers,
send electronic mail to support@sco.COM, or see the SCO Web Page at:
http://www.sco.COM.
On February 22, 1995, Silicon Graphics issued security advisory 19950201
addressing sendmail issues being raised at the time and previous older
version sendmail issues. Patches are still available and as part of these
patches, sendmail version 8.6.12 is provided as standard. At the time
of this writing here is the patch information.
**** IRIX 3.x ****
Unfortunately, Silicon Graphics Inc, no longer supports the IRIX 3.x
operating system and therefore has no patches or binaries to provide.
However, two possible actions still remain: 1) upgrade the system to a
supported version of IRIX (see below) and then install the binary/patch
or 2) obtain the sendmail source code from anonymous FTP at
ftp.cs.berkeley.edu and compile the program manually.
**** IRIX 4.x ****
For the IRIX operating system version 4.x, a manually installable
binary replacement has been generated and made available via anonymous
ftp and/or your service/support provider. The binary is sendmail.new.Z
and is installable on all 4.x platforms.
The SGI anonymous ftp site is ftp.sgi.com (192.48.153.1). The
binary maybe be found in the following directories on the ftp server:
~ftp/Security
or
~ftp/Patches/4.x
##### Checksums ####
Filename: sendmail.new.Z
Algorithm #1 (sum -r): 27178 422 sendmail.new.Z
Algorithm #2 (sum): 46012 422 sendmail.new.Z
MD5 checksum: 146DD1019673D7C2C89A78D7ACF85CF6
After obtaining the binary, it may be installed with the instructions
below:
1) Become the root user on the system.
% /bin/su -
Password:
#
2) Stop the current mail processes.
# /etc/init.d/mail stop
3) Rename the current sendmail binary to a temporary
name.
# mv /usr/lib/sendmail /usr/lib/sendmail.stock
4) Change permissions on the old sendmail binary so it can not
be used anymore.
# chmod 0400 /usr/lib/sendmail.stock
5) Uncompress the binary.
# uncompress /tmp/sendmail.new.Z
6) Put the new sendmail binary into place (in the example
here the binary was retrieved via anonymous ftp and put
in /tmp)
# mv /tmp/sendmail.new /usr/lib/sendmail
7) Insure the correct permissions and ownership on the new
sendmail.
# chown root.sys /usr/lib/sendmail
# chmod 4755 /usr/lib/sendmail
8) Restart the mail system with the new sendmail binary in place.
# /etc/init.d/mail start
9) Return to normal user level.
# exit
**** IRIX 5.0.x, 5.1.x ****
For the IRIX operating systems versions 5.0.x, 5.1.x, an upgrade
to 5.2 or better is required first. When the upgrade is completed,
then the patch described in the next section "**** IRIX 5.2, 5.3, 6.0,
6.0.1 ***" can be applied.
**** IRIX 5.2, 5.3, 6.0, 6.0.1 ****
For the IRIX operating system versions 5.2, 5.3, 6.0 and 6.0.1, an
inst-able patch has been generated and made available via anonymous
ftp and/or your service/support provider. The patch is number 332
and will install on IRIX 5.2, 5.3, 6.0 and 6.0.1 .
The SGI anonymous ftp site is ftp.sgi.com(192.48.153.1). Patch
332 can be found in the following directories on the ftp server:
~ftp/Security
or
~ftp/Patches/5.2
~ftp/Patches/5.3
~ftp/Patches/6.0
~ftp/Patches/6.0.1
For obtaining security information, patches or assistance, please
contact your SGI support provider.
If there are questions about this patch information, email can be
sent to cse-security-alert@csd.sgi.com .
For reporting new SGI security issues, email can be sent to
security-alert@sgi.com .
see Grumman Systems Support Corporation
Solaris 2.x is not vulnerable. Sun OS 4.1.3, 4.1.37u1, and 4.1.4 are vulnerable, and a patch will be available soon. This patch can be obtained from local Sun Answer Centers and through anonymous FTP from ftp.uu.net in the /systems/sun/sun-dist directory. In Europe, the patch is available from mcsun.eu.net (192.16.202.1) in the /sun/fixes directory.
Thanks for visiting DataSure's CERT Advisory Pages. As the pages are developed further we hope to provide more, so please bear with us during the ongoing development process.
For more information on DataSure Services's products and services, please send e-mail to mackinnn@datasure.com phone us at ( 604) 598-6831, 1-800-598-6831, or FAX your request to (604) 598-6841. If you have problems or comments concerning our WWW service, please send e-mail to the above address.
This page has been accessed times.
Victoria, B.C. local time is Friday, 18-May-2012 12:30:30 PDT
This page last modified Thursday, 15-Nov-2001 17:09:20 PST
This page, and all contents, are Copyright (C) 1996 by DataSure Services , Victoria, Canada.