Mar 31, 2003 : Sendmail Overflow Compromises Security
According to reports released Saturday by the CERT Institute at Carnegie Mellon University (cert.org), a new patch has been released for the popular Sendmail email server software, correcting a vulnerability that could allow a remote attacker to gain control over a Sendmail server.
A specially crafted email, says the report, could trigger a stack overflow in the software, allowing an attacker to cause a denial of service or to execute code at root level.
"Most organizations have a variety of mail transfer agents (MTAs) at various locations within their network," said the report, "with at least one exposed to the Internet. Since sendmail is the most popular MTA, most medium-sized to large organizations are likely to have at least one vulnerable sendmail server. In addition, many UNIX and Linux workstations provide a sendmail implementation that is enabled and running by default."
The vulnerability, says CERT, affects all versions of Sendmail Pro; Sendmail Switch 2.1 prior to 2.1.6; Sendmail Switch 2.2 prior to 2.2.6; Sendmail Switch 3.0 prior to 3.0.4; Sendmail for NT 2.x prior to 2.6.3; Sendmail for NT 3.0 prior to 3.0.4; and systems running open-source sendmail versions prior to 8.12.9, including UNIX and Linux systems.
CERT encouraged administrators to install the patch, available from the Sendmail Web site.
Source: TheWHIR : Web Host Industry Reviews
URL source: http://www.thewhir.com/marketwatch/sen033103.cfm