Note: This is an archival copy of Security Sun Alert 200260 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000204.1.
Article ID : 1000204.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2004-12-02
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability When sendmail(1) Does Not Check Length of DNS Replies



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System

Bug Id
4704672

Date of Resolved Release
08-DEC-2004

Impact

A local or remote unprivileged user may have the ability to gain unauthorized root access or create a Denial of Service (DoS) condition due to a buffer overflow in the sendmail(1M) daemon.

This issue is described in CERT Vulnerability Note VU#814627 at http://www.kb.cert.org/vuls/id/814627.


Contributing Factors

This issue can occur in the following release:

SPARC Platform

  • Solaris 9 without patch 113575-01

Notes:

  1. Solaris 7 and 8 on the SPARC platform are not affected by this issue.
  2. Solaris 7, 8, and 9 on the x86 Platform are not affected by this issue.

The following two conditions must be present to exploit these vulnerabilities:

  • sendmail(1M) must be configured to reference DNS TXT records
  • when sendmail is looking up a TXT record through a DNS server, that lookup would have to go to a DNS server that has been compromised

To determine if a system is configured to reference DNS TXT records, the following command can be run:

    $ grep TXT /etc/mail/sendmail.cf
    Kdnstxt dns -R TXT

If the above command produces no output, the system is not at risk. (The output above is only one example and may vary.) Also note that the default sendmail(1M) configuration file does not specify TXT records.
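
The exposure check above, scripted as an added example (not part of the Sun Alert or of any Sun tooling): it counts only active K map lines of class dns, so a commented-out TXT entry that a bare grep would report is ignored, and it reads the patch level from saved showrev -p output. The function names, verdict wording and sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Sun Alert. Needs a POSIX awk
# (on Solaris: nawk or /usr/xpg4/bin/awk).

# has_dns_txt_map FILE: succeed if FILE has an active K (map) line of class
# "dns" carrying "-R TXT". Comment lines are skipped, unlike a bare grep.
has_dns_txt_map() {
    awk '/^K/ && $2 == "dns" {
             for (i = 3; i < NF; i++)
                 if ($i == "-R" && $(i + 1) ~ /^[Tt][Xx][Tt]$/) found = 1
         }
         END { exit(found ? 0 : 1) }' "$1"
}

# highest_patch_rev FILE ID: print the highest revision of patch ID listed in
# saved "showrev -p" output; print nothing if the patch is absent.
highest_patch_rev() {
    awk -v id="$2" '$1 == "Patch:" {
             split($2, p, "-")
             if (p[1] == id) { seen = 1; if (p[2] + 0 > max) max = p[2] + 0 }
         }
         END { if (seen) printf "%02d\n", max }' "$1"
}

# triage CF PATCHLIST: one verdict line for a Solaris 9 SPARC host.
triage() {
    rev=$(highest_patch_rev "$2" 113575)
    if [ -n "$rev" ]; then
        echo "patched: 113575-$rev installed"
    elif has_dns_txt_map "$1"; then
        echo "at risk: patch 113575 missing and a dns map requests TXT records"
    else
        echo "not exposed: no dns TXT map configured (patch 113575 still missing)"
    fi
}

# Constructed sample input (not captured from a real host).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '# Kdnstxt dns -R TXT' 'Kdnsmx dns -R MX' > "$demo/plain.cf"
printf '%s\n' 'Kdnstxt dns -R TXT' > "$demo/txt.cf"
printf '%s\n' 'Patch: 999999-02 Obsoletes:  Requires:  Packages: EXAMPLEpkg' > "$demo/old.txt"
printf '%s\n' 'Patch: 113575-05 Obsoletes:  Requires:  Packages: EXAMPLEpkg' > "$demo/new.txt"
triage "$demo/txt.cf" "$demo/old.txt"
triage "$demo/plain.cf" "$demo/old.txt"
triage "$demo/txt.cf" "$demo/new.txt"
```

On a real host, save the output of showrev -p to a file and pass it to triage together with /etc/mail/sendmail.cf.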

A Denial of Service condition may exist if the sendmail(1M) daemon is no longer running, which can be determined by running the following command:

    $ /usr/bin/ps -ef | grep sendmail
    root 336 1 0 Jan 20 ? 0:03 /usr/lib/sendmail -bd -q15m

Symptoms

There are no reliable symptoms that would indicate the described issue has been exploited to gain unauthorized root access to a host.

A Denial of Service condition is present if the sendmail(1M) daemon is no longer running.


Workaround

Until the appropriate patch can be applied, sites may wish to block access to the affected service from untrusted networks such as the Internet, or disable the daemon where possible. Use of a firewall or other packet-filtering technology may be necessary to block the appropriate network ports. Consult your vendor or your firewall documentation for detailed instructions on how to configure the ports.

To disable sendmail(1M) the following command can be executed (as "root"):

    # /etc/init.d/sendmail stop

This will prevent the system from receiving e-mail messages until sendmail(1M) is started again with the following command:

    # /etc/init.d/sendmail start

Resolution

This issue is addressed in the following release:

SPARC Platform

  • Solaris 9 with patch 113575-01 or later


Modification History

References

113575-01



