Rapid7 Vulnerability & Exploit Database

RHSA-2003:227: Updated sendmail packages fix vulnerabilities

Back to Search

RHSA-2003:227: Updated sendmail packages fix vulnerabilities

Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
04/02/2003
Created
07/25/2018
Added
10/28/2005
Modified
07/04/2017

Description

Updated Sendmail packages are available for Red Hat Linux on IBM iSeries and pSeries systems to fix a vulnerability that allows local and possibly remote attackers to gain root privileges as well as a vulnerability that may allow remote attackers to gain root privileges by sending a carefully crafted message. These packages additionally fix a security bug if sendmail is configured to use smrsh.

Sendmail is a widely used Mail Transport Agent (MTA). A vulnerability exists in unpatched Sendmail versions prior to and including 8.12.8. The address parser performs insufficient bounds checking in certain conditions due to a char to int conversion, making it possible for an attacker to take control of the application. This issue is probably locally exploitable and may also be remotely exploitable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0161 to this issue. During a code audit of Sendmail by ISS, a critical vulnerability was uncovered that affects unpatched versions of Sendmail prior to version 8.12.8. A remote attacker can send a carefully crafted email message which, when processed by Sendmail, causes arbitrary code to be executed as root. A proof-of-concept exploit is reported to exist, but is not believed to be publicly available. Since this vulnerability is message-based, MTAs other than Sendmail may pass on the carefully crafted message. This means that unpatched versions of Sendmail inside a network could still be at risk even if they do not accept external connections directly. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1337 to this issue. In addition, the restricted shell (SMRSH) in Sendmail allows attackers to bypass the intended restrictions of smrsh by inserting additional commands after "||" sequences or "/" characters, which are not properly filtered or verified. A successful attack would allow an attacker who has a local account on a system which has explicitly enabled smrsh to execute arbitrary binaries as themselves by utilizing their .forward file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1165 to this issue. All users are advised to update to these erratum packages containing backported patches which correct these vulnerabilities.

Solution(s)

  • redhat-upgrade-sendmail
  • redhat-upgrade-sendmail-cf
  • redhat-upgrade-sendmail-devel
  • redhat-upgrade-sendmail-doc

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;