
Major Internet vulnerability discovered in e-mail protocol

By Dan Verton
March 3, 2003 12:00 PM ET

Computerworld - The Department of Homeland Security (DHS) has been working in secret for more than two weeks with the private sector to fix a major Internet vulnerability that could have had disastrous consequences for millions of businesses and the U.S. military.
Since early December, the DHS and the White House Office of Cyberspace Security have been working with Atlanta-based Internet Security Systems Inc. (ISS) to alert IT vendors and the business community about a major buffer-overflow vulnerability in the sendmail mail-transfer agent (MTA).
Sendmail is the most common MTA and handles 50% to 75% of all Internet e-mail traffic. Versions of the software, from 5.79 to 8.12.7, are vulnerable, according to an ISS alert issued publicly today.
According to sources familiar with the investigation, ISS discovered the vulnerability on Dec. 1. It contacted homeland security officials on Dec. 5, and they began alerting IT vendors that distribute sendmail, including Sun Microsystems Inc., IBM, Hewlett-Packard Co. and Silicon Graphics Inc., as well as the Sendmail Consortium, the organization that develops the open-source version of sendmail that is distributed with both free and commercial operating systems. Those vendors were told of the flaw on Jan. 13. The seriousness of the vulnerability, coupled with the fact that the hacker community wasn't yet aware of it, led the government and ISS to decide it was better to keep the news under wraps until patches could be developed.
The Sendmail Consortium is urging all users to upgrade to Sendmail 8.12.8 or apply a patch for 8.12.x or for older versions. Updates can be downloaded from or any of its mirrors, or from the Sendmail Consortium's Web site. The consortium said patch users should remember to check the Pretty Good Privacy signatures of any patches or releases obtained. It also suggested that users running the open-source version of sendmail check with their vendors for a patch.
Emeryville, Calif.-based Sendmail Inc., the commercial provider of the sendmail MTA, is providing a binary patch for its commercial customers that can be downloaded from its Web site at:
"The Remote Sendmail Header Processing Vulnerability allows local and remote users to gain almost complete control of a vulnerable Sendmail server," according to an alert prepared today by the DHS. "Attackers gain the ability to execute privileged commands using super-user (root) access/control. This vulnerability can be exploited through a simple e-mail message containing malicious code.
"System administrators should be aware that many Sendmail servers are not typically shielded by perimeter defense applications" such as firewalls, warned the DHS alert, which hadn't yet been made publicly available as of midafternoon. "A successful attacker could install malicious code, run destructive programs and modify or delete files."
In addition, attackers could gain access to other systems through a compromised sendmail server, depending on local configurations, according to the DHS warning.
According to ISS, the sendmail remote vulnerability occurs when processing and evaluating header fields in e-mail collected during a Simple Mail Transfer Protocol transaction. Specifically, when fields are encountered that contain addresses or lists of addresses (such as the "From" field, "To" field and "CC" field), sendmail attempts to semantically evaluate whether the supplied address or list of addresses is valid. This is accomplished using the crackaddr() function, which is located in the headers.c file in the sendmail source tree.
A static buffer is used to store data that has been processed. Sendmail detects when this buffer becomes full and stops adding characters, although it continues processing. Sendmail implements several security checks to ensure that characters are parsed correctly. One such security check is flawed, making it possible for a remote attacker to send an e-mail with a specially crafted address field that triggers a buffer overflow.
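The failure pattern ISS describes, a parser that keeps processing after its buffer is full and relies on a bookkeeping check to stop writing, can be shown with a small model. This is an added example, not sendmail's code and not part of the original article: the buffer size, the `model_copy` function, the `()` delimiter pair and the exact bookkeeping error are assumptions chosen for illustration, since the article says only that one check is flawed.

```c
#include <stddef.h>
#include <stdio.h>

#define BUFSZ 16   /* constructed size standing in for the static buffer */

/* Model of a parser that tracks "buffer full" with a movable limit.
 * balanced == 0: '(' forgets to reserve a byte, but ')' still releases one,
 *                so every "()" pair raises the limit by one.
 * balanced == 1: every release is matched by an earlier reservation.
 * Returns how many bytes the limit check admitted. Anything above
 * BUFSZ - 1 would have been written past the end of the real buffer;
 * the model itself never does that (see the second guard). */
static size_t model_copy(const char *in, int balanced, char out[BUFSZ])
{
    size_t limit = BUFSZ - 1;      /* keep one byte for the NUL */
    size_t admitted = 0;
    int open = 0;

    for (; *in != '\0'; in++) {
        if (*in == '(' && !open) {
            open = 1;
            if (balanced)
                limit--;           /* reserve room for the closing ')' */
        } else if (*in == ')' && open) {
            open = 0;
            limit++;               /* release the reserved byte */
        }
        if (admitted < limit) {            /* the parser's own check */
            if (admitted < BUFSZ - 1)      /* model-only guard */
                out[admitted] = *in;
            admitted++;
        }
    }
    out[admitted < BUFSZ - 1 ? admitted : BUFSZ - 1] = '\0';
    return admitted;
}

/* Constructed input: 20 empty delimiter pairs, 40 bytes in total. */
static const char PAIRS[] = "()()()()()" "()()()()()" "()()()()()" "()()()()()";

int main(void)
{
    char out[BUFSZ];
    printf("unbalanced limit admitted %zu bytes (capacity %d)\n",
           model_copy(PAIRS, 0, out), BUFSZ - 1);
    printf("balanced limit admitted   %zu bytes\n",
           model_copy(PAIRS, 1, out));
    return 0;
}
```

The invariant to audit for in parsers of this shape is that the write limit can never exceed the buffer's real capacity, whatever sequence of delimiters the input contains.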
"Sendmail's vulnerability offers a legitimate test [of the new DHS and its ability to work with the private sector] because sendmail handles a large amount of Internet mail traffic and is installed on at least 1.5 million Internet-connected systems," said an alert from the SANS Institute in Bethesda, Md., that was obtained by Computerworld today. "More than half of the large ISPs and Fortune 500 companies use sendmail, as do tens of thousands of other organizations. A security hole in sendmail affects a lot of people and demands their immediate attention."
Of particular concern to the White House was the potential vulnerability of the U.S. military, which is poised to begin offensive military operations in Iraq and is simultaneously facing the possibility of conflict on the Korean peninsula. As a result, early versions of available patches were distributed first to U.S. military organizations on Feb. 25 and 26, according to the SANS alert. The advance military alert was followed last Thursday and Friday with alerts to various government organizations in the U.S. and around the world, including the Information Sharing and Analysis Centers (ISAC).
"Some of the large commercial vendors developed patches very quickly. But the delayed notice to smaller sources of sendmail distributions and limited resources at those organizations meant that not all the patches would be ready by early in the week of February 23," according to the SANS analysis of the public/private response effort.
A senior-level coordination group of government and private-sector experts then decided, based on a review of cyberintelligence from various hacker discussion boards and a series of sensors deployed around the world by ISS, that it was safe to wait until all the patches were available before alerting the general business and Internet community to the vulnerability.
Beginning today at 10 a.m. EST, alerts began flowing from the Federal Computer Incident Response Center to federal agencies and from the ISACs to companies responsible for critical infrastructure. At noon EST today, ISS released its own advisory, followed by a general alert from the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.