Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: ciace007.txt

Unix Sendmail Update




             _____________________________________________________
                         The U.S. Department of Energy
                     Computer Incident Advisory Capability
                             ___  __ __    _     ___
                            /       |     / \   /
                            \___  __|__  /___\  \___
             _____________________________________________________

                              INFORMATION BULLETIN

                      UNIX sendmail Vulnerabilities Update

January 7, 1994 0900 PST                                           Number E-07
______________________________________________________________________________
PROBLEM:   Vulnerabilities in the UNIX sendmail utility.
PLATFORM:  All implementations of UNIX sendmail.
DAMAGE:    Local and remote users may execute commands and/or gain access to 
           system files.
SOLUTION:  Apply workarounds or install patched version of sendmail on ALL
           systems running sendmail.
______________________________________________________________________________

           Critical Information about UNIX sendmail Vulnerabilities


This advisory updates the sendmail information contained in CIAC Advisory
E-03.

CIAC has learned of several vendor security patches addressing the
vulnerabilities in the UNIX utility sendmail described in CIAC Advisory E-03.
These vulnerabilities include the ability of local and remote users to execute
commands and write to system files on systems running sendmail, including
those systems behind firewalls.

CIAC Advisory E-03 described a set of workarounds to be used in the absence of
vendor patches.  These may still be safely used even after vendor patches have
been installed.

The CERT Coordination Center is maintaining a list of vendor information on
available security patches for sendmail.  It is available via anonymous FTP
from info.cert.org (IP 192.88.209.5) in /pub/cert_advisories/CA-93:16a.README.
A brief summary is provided below, and the current version of this file is
appended at the end of this bulletin.

   Vendor                          Patch Status
   -----------------------------   --------------
   sendmail 8.6.4                  Available
   IDA sendmail                    Available
   BSDI                            Available
   Data General Corporation        Available
   Digital Equipment Corporation   Available
   Hewlett-Packard Company         Available
   IBM                             Available
   NeXT, Inc.                      Available soon
   The Santa Cruz Operation        Available soon
   Sequent Computer Systems        Available
   Solbourne                       Available
   Sony Corporation                Available
   Sun Microsystems, Inc.          Available

______________________________________________________________________________

CIAC wishes to thank the CERT Coordination Center and the vendor community for
their response to this problem.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:
    Voice:   (510) 422-8193
    FAX:     (510) 423-8002
    STU-III: (510) 423-2604
    E-mail:  ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous FTP
from irbis.llnl.gov (IP address 128.115.19.60).
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins.  If you are not part of these communities, please
contact your agency's response team to report incidents.  Your agency's team
will coordinate with CIAC.  The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization.  A list of FIRST member organizations
and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the
United States Government.  Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights.  Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California.  The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.
______________________________________________________________________________

CA-93:16a.README
Rev. January 7, 1994

This file is a supplement to the CERT Advisory CA-93:16a of January 7, 1994,
and will be updated as additional information becomes available.

The following is vendor-supplied information.  Please notice that
some entries provide pointers to vendor advisories. For more up-to-date 
information, contact your vendor. 

-------------
Eric Allman, 8.6.4

        Version 8.6.4 is available for anonymous FTP from ftp.cs.berkeley.edu
        in the "ucb/sendmail" directory.

                      Standard Unix Sum
        sendmail.8.6.4.base.tar.Z:       07718 428

                        System V Sum
        64609 856 sendmail.8.6.4.base.tar.Z

                        MD5 Checksum
        MD5 (sendmail.8.6.4.base.tar.Z) = 59727f2f99b0e47a74d804f7ff654621

-------------

Paul Pomes, IDA:

        A new release is available for anonymous FTP from vixen.cso.uiuc.edu
        as "pub/sendmail-5.67b+IDA-1.5.tar.gz".

                     Standard Unix Sum
        sendmail-5.67b+IDA-1.5.tar.gz:  17272 1341

                        System V Sum
        30425 2682 sendmail-5.67b+IDA-1.5.tar.gz

                        MD5 Checksum
        MD5 (sendmail-5.67b+IDA-1.5.tar.gz) = a9b8e17fd6d3e52739d2195cead94300

-------------

BSDI

        BSDI can supply either an easy-to-install port of the smrsh patch from
        CERT or a port of sendmail-8.6.4 (contact BSDI Customer Support for
        information in obtaining either of these solutions).  In future
        releases, BSDI will ship the newer sendmail that is not affected
        by these problems.  Releases affected by this advisory: BSD/386 V1.0.

        BSDI Contact Information:
                BSDI Customer Support
                Berkeley Software Design, Inc.
                7759 Delmonico Drive
                Colorado Springs, CO 80919
                Toll Free: +1 800 ITS BSD8 (+1 800 486 2738)
                Phone: +1 719 260 8114
                Fax: +1 719 598 4238
                Email: support@bsdi.com

-------------

Data General Corporation

        Patches are available from dg-rtp.rtp.dg.com (128.222.1.2) in
        the directory "deliver/sendmail":

        Rev              Patch Number            Sys V Checksum
        ------------    ------------------      --------
        5.4.2           tcpip_5.4.2.p14         39298 512
        MD5 (tcpip_5.4.2.p14) = c80428e3b791d4e40ebe703ba5bd249c

        5.4R2.01        tcpip_5.4R2.01.p12      65430 512
        MD5 (tcpip_5.4R2.01.p12) = 9c84cfdb4d79ee22224eeb713a414996

        5.4R2.10        tcpip_5.4R2.10.p05      42625 512
        MD5 (tcpip_5.4R2.10.p05) = 2d74586ff22e649354cc6a02f390a4be

        These patches are loadable via the "syadm" utility and installation
        instructions are included in the patch notes.

        Trusted versions of DG/UX will use the same patches as
        their base version of DG/UX.  

        Customers with any questions about these patches should contact
        their local SEs or Sales Representatives.

-------------

Digital Equipment Corporation

        Systems affected: ULTRIX Versions 4.3 (VAX), ULTRIX V4.3 & V4.3A (RISC),
        DEC OSF/1 V1.2 & V1.3, using sendmail.  The following patches are 
        available from your normal Digital support channel:

        ULTRIX V4.3 (VAX), V4.3 (RISC) or V4.3a (RISC):  CSCPAT #: CSCPAT_4044
                                 OSF/1  V1.2 and  V1.3:  CSCPAT #: CSCPAT_4045

        *These fixes will be included in future releases of ULTRIX and DEC OSF/1

        Digital Equipment Corporation strongly urges Customers to upgrade
        to a minimum of ULTRIX V4.3 or DEC OSF/1 V1.2, then apply the
        Security kit to prevent this potential vulnerability.

        The full text of Digital's advisory can be found in 
        /pub/vendors/dec/advisories/sendmail on info.cert.org.

-------------

Hewlett-Packard Company

        For HP/UX, the following patches are available:

                PHNE_3369 (series 300/400, HP-UX 8.x), or
                PHNE_3370 (series 300/400, HP-UX 9.x), or
                PHNE_3371 (series 700/800, HP-UX 8.x), or
                PHNE_3372 (series 700/800, HP-UX 9.x), or
                modify the sendmail configuration file (releases of HP-UX
                prior to 8.0)

        These patches may be obtained from HP via FTP (this is NOT
        anonymous FTP) or the HP SupportLine.  To obtain HP security
        patches, you must first register with the HP SupportLine.
        The registration instructions are available via
        anonymous FTP at info.cert.org in the file
        "pub/vendors/hp/supportline_and_patch_retrieval".

        The full text of Hewlett-Packard's advisory can be found in
        /pub/vendors/hp/advisories/sendmail on info.cert.org.

-------------

IBM

        Patches for these problems can be ordered as APAR# ix40304 and
        APAR# ix41354.  Ix40304 is available now and ix41354 will be
        sent as soon as it is available.

-------------

NeXT, Inc.

        NeXT expects to have patches available soon.

-------------

The Santa Cruz Operation

        Support level Supplement (SLS) net379A, will soon be available
        for the following platforms:

        SCO TCP/IP Release 1.2.0 for SCO UNIX or SCO XENIX
        SCO TCP/IP Release 1.2.1 for SCO UNIX
        SCO Open Desktop Release 2.0, 3.0
        SCO Open Desktop Lite Release 3.0
        SCO Open Server Network System, Release 3.0
        SCO Open Server Enterprise System, Release 3.0

        This SLS is currently orderable from SCO Support for all customers
        who have one of the above products registered. It will be available
        in the near future.  Systems using MMDF as their mail system do
        not need this SLS.

-------------

Sequent Computer Systems

        Versions 3.0.17 and greater of Dynix are vulnerable
        as are versions 2.2 and 2.3 of the TCP package for PTX.

        Sequent customers should call the Sequent Hotline at
        (800) 854-9969 and ask for the Sendmail Maintenance Release Tape.
        Alternatively, ptx customers can upgrade to PTX/TCP/IP 
        version 2.2.3 or 2.3.1 as appropriate.

-------------

Solbourne 

        Patch p93122301 is available from Solboune to fix the sendmail
        problems.  This patch is equivalent to Sun patch 100377-08.
        Customers may retrieve it via anonymous FTP from 
        solbourne.solbourne.com in the pub/support/OS4.1B directory:

        Filename         BSD         SVR4
                         Checksum    Checksum
        ---------------  ---------   ---------
        p93122301.tar.Z  63749 211   53951 421
        MD5 (p93122301.tar.Z) = f7300f3ecfbbbfaa11a6695f42f14615

        It is also available by sending email to solis@solbourne.com
        and specifying "get patches/4.1b p93122301" in the body of the
        mail message.

        Earlier versions (4.1A.*) are no longer supported. The 4.1B
        patch may well work on 4.1A.* systems but this has not been tested.
        If you have any questions please call the SOURCE at 1-800-447-2861 or
        send email to support@solbourne.com.

        The full text of Solbourne's advisory can be found in
        /pub/vendors/solbourne/advisories/sendmail on info.cert.org.

---------------

Sony Corporation

        These vulnerabilities have been fixed in NEWS-OS 6.0.1.
        A patch is available for NEWS-OS 4.x.  Customers should
        contact their dealers for any additional information.

---------------

Sun Microsystems, Inc.

        Sun has made patches for sendmail available as described in
        their SUN MICROSYSTEMS SECURITY BULLETIN: #00125, 12/23/93.
        These patches can be found in the 
        /systems/sun/sun-dist directory on ftp.uu.net:

        System       Patch ID    Filename        BSD         SVR4
                                                 Checksum    Checksum
        ------       --------   ---------------  ---------   ---------
        SunOS 4.1.x  100377-08  100377-08.tar.Z  05320 755   58761 1510
        Solaris 2.1  100840-06  100840-06.tar.Z  59489 195   61100 390
        Solaris 2.2  101077-06  101077-06.tar.Z  63001 179   28185 358
        Solaris 2.3  101371-03  101371-03.tar.Z  27539 189   51272 377

        MD5 checksums are:
        MD5 (100377-08.tar.Z) = 8e8a14c0a46b6c707d283cacd85da4f1
        MD5 (100840-06.tar.Z) = 7d8d2c7ec983a58b4c6a608bf1ff53ec
        MD5 (101077-06.tar.Z) = 78e165dec0b8260ca6a5d5d9bdc366b8
        MD5 (101371-03.tar.Z) = 687d0f3287197dee35941b9163812b56

        A patch for x86 based systems will be forthcoming as patch 101352-02.

        4.1 sites installing these patches may require sites to modify
        their configuration files slightly.  Full details are given in
        the Sun advisory.

        The full text of Sun Microsystems's advisory can be found in
        /pub/vendors/sun/advisories/sendmail on info.cert.org.

-------------



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH