Bug Id
4840065, 16429

Date of Workaround Release
01-APR-2003

Date of Resolved Release
27-JUN-2003

Impact

A local or remote unprivileged user may be able to gain unauthorized root access or cause a denial of service due to a buffer overflow in the sendmail(1M) daemon.

Note this is a separate, further issue to the sendmail issue described by Sun Alert: 51400, CERT Vulnerability, CA-2003-07.

This issue is also described in CERT Vulnerability VU #897604 (see http://www.kb.cert.org/vuls/id/897604) which is referenced in CERT Advisory CA-2003-12 (see http://www.cert.org/advisories/CA-2003-12.html).

Please note that:

• The Sun Cobalt RaQ 550 is not vulnerable to the buffer overflow, but is vulnerable to a denial of service originating from the same issue.
• The Qube 3 which has the Security Hardening Patch, is not vulnerable to the buffer overflow, but is vulnerable to the denial of service. This originates from the fact that sendmail can still be crashed, even though it can not be exploited for root compromise.

For more information see:

• http://www.cert.org/advisories/CA-2003-12.html

Contributing Factors

This issue can occur in the following releases:

Sun Linux

• Sun Linux 5.0 (LX50) with sendmail-8.11.6-3

Note: Sun Linux 5.0 is currently shipped with the Sun LX50 Server.

Cobalt

• Sun Cobalt RaQ 4 (3001R) with sendmail-8.10.2-C1
• Sun Cobalt RaQ XTR (3500R) with sendmail-8.10.2-C1
• Sun Cobalt Qube 3 (4000WG) with sendmail-8.10.2-C1
• Sun Cobalt RaQ 550 (4100R) with sendmail-8.11.6-1C3stackguard

Note: By default, all systems are potentially vulnerable to this issue. Systems are vulnerable if they have a sendmail daemon running. This can be confirmed by the following command:

	$ /bin/ps xa | grep sendmail
	2223 ? S 0:00 sendmail: accepting connections

Symptoms

There are no reliable symptoms that would show the described issue has been exploited to gain unauthorized root access to a system.

There are no reliable symptoms that would show the described issue has been exploited to gain unauthorized root access to a host. The denial of service symptom would show that sendmail is no longer running.

If the sendmail(1M) daemon is no longer running the system may have encountered the described issue. The following command can be executed to check if the sendmail(1M) daemon is running on the system:

	$ /bin/ps xa | grep sendmail
	2223 ? S 0:00 sendmail: accepting connections

Workaround

Until patches can be applied, sites may wish to block access to the affected service from untrusted networks such as the Internet or disable the daemon where possible. Use a firewall or other packet-filtering technology to block the appropriate network ports. Consult your vendor or your firewall documentation for detailed instructions on how to configure the ports. To disable sendmail(1M) the following commands can be executed as root:

	# /etc/init.d/sendmail stop

Note: This will prevent e-mail messages from being able to be received on the system until sendmail(1M) is started again with the command:

	# /etc/init.d/sendmail start

Resolution

This issue is addressed in the following releases:

Sun Linux

• Sun Linux 5.0 (LX50) with all of the following packages
  • sendmail-8.11.6-25.72.i386.rpm or later
  • sendmail-cf-8.11.6-25.72.i386.rpm or later
  • sendmail-devel-8.11.6-25.72.i386.rpm or later
  • sendmail-doc-8.11.6-25.72.i386.rpm or later
  • sendmail-8.11.6-25.72.src.rpm or later

The above packages are available at http://sunsolve.sun.com/patches/linux/security.html.

Cobalt

• Sun Cobalt RaQ 4 (3001R) with RaQ4-All-Security-2.0.1-16429.pkg or later
• Sun Cobalt RaQ XTR (3500R) with RaQXTR-All-Security-1.0.1-16429.pkg or later
• Sun Cobalt Qube 3 (4000WG) with Qube3-All-Security-4.0.1-16429.pkg or later
• Sun Cobalt RaQ 550 (4100R) with RaQ550-All-Security-0.0.1-16429.pkg or later

The above packages are available at http://sunsolve.sun.com/patches/cobalt/.

Modification History
Date: 27-JUN-2003

• All patches are available.
• State: Resolved

Product
Sun Linux 5.0

























Attachments

This solution has no attachment