NYCPHP Meetup

[nycphp-talk] Bulletin Major Internet vulnerability discovered in e-mail protocol

Kenneth Dombrowski kenneth at ylayali.net
Tue Mar 4 10:53:37 EST 2003


Hans Zaunere wrote:
> --- Chris Shiflett <shiflett at php.net> wrote:
> 
>>You have to love headlines like that:
>>
>>"Major Internet vulnerability discovered in e-mail protocol"
>>
>>So, are we to assume that a vulnerability was found in the Internet
>>(whatever that means)? Or, are we supposed to assume the vulnerability is
>>in IMAP, SMTP, or POP?
> 
> 
> Come on!
> 
> "Cyberspace is at risk once again as a horrible bug is eating its way
> through the Internet fabric, threatening millions of users and costing
> billions of dollars."
> 
> Or at least that's how Dan Rather would put it :)
> 
> 
>>This article is just talking about the sendmail vulnerability, if you can
>>manage to read through the sensationalist BS. :-) It is definitely worth
>>attention, however, and my systems are already patched.
> 
> 
> Yes, I prefer alerts that aren't like reading a tabloid (albeit still not
> that great):
> 
> http://www.cert.org/advisories/CA-2003-07.html
> 
> or better yet:
> 
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:04.sendmail.asc
> 

No kidding. I think it's higher-profile because it's the first[1] 
vulnerability released under the Department of Homeland Security's newly 
watchful eyes. The announcement I got from SANS reads like a press kit[2].

Are all new vulnerabilities going to be released this way? I have a pdf 
of the final cyber defense plan around here someplace, but I've never 
been able to get through that either.


[1] I'm not sure it's the first. I scanned the text but didn't see an 
advisory number; the snort buffer overflow that this one shared an email 
with is 03-003, so maybe it's actually the second.

[2] I would think it's OK to post this...
***********************************************************************
Here's the DHS/NIPC Advisory

Remote Sendmail Header Processing Vulnerability

SUMMARY:

The Department of Homeland Security (DHS), National Infrastructure
Protection Center (NIPC) is issuing this advisory to heighten
awareness of the recently discovered Remote Sendmail Header Processing
Vulnerability (CAN-2002-1337). NIPC has been working closely with
the industry on vulnerability awareness and information dissemination.

The Remote Sendmail Header Processing Vulnerability allows local and
remote users to gain almost complete control of a vulnerable Sendmail
server. Attackers gain the ability to execute privileged commands using
super-user (root) access/control. This vulnerability can be exploited
through a simple e-mail message containing malicious code. Sendmail is
the most commonly used Mail Transfer Agent and processes an estimated
50 to 75 percent of all Internet e-mail traffic. System administrators
should be aware that many Sendmail servers are not typically shielded
by perimeter defense applications. A successful attacker could install
malicious code, run destructive programs and modify or delete files.

Additionally, attackers may gain access to other systems
through a compromised Sendmail server, depending on local
configurations. Sendmail versions 5.2 up to 8.12.8 are known to be
vulnerable at this time.

DESCRIPTION:

The Remote Sendmail Header Processing Vulnerability is exploited
during the processing and evaluation of e-mail header fields collected
during an SMTP transaction. Examples of these header fields are the
"To", "From" and "CC" lines. The crackaddr() function in the Sendmail
headers.c file allows Sendmail to evaluate whether a supplied address
or list of addresses contained in the header fields is valid. Sendmail
uses a static buffer to store processed data. It detects when the
static buffer becomes full and stops adding characters. However,
Sendmail continues processing data and several security checks are
used to ensure that characters are parsed correctly. The vulnerability
allows a remote attacker to gain access to the Sendmail server by
sending an e-mail containing a specially crafted address field which
triggers a buffer overflow.

RECOMMENDATION:

Due to the seriousness of this vulnerability, the NIPC is strongly
recommending that system administrators who employ Sendmail take this
opportunity to review the security of their Sendmail software and to
either upgrade to Sendmail 8.12.8 or apply the appropriate patch for
older versions as soon as possible.

Patches for the vulnerability are available from Sendmail, from ISS who
discovered the vulnerability and from vendors whose applications
incorporate Sendmail code, including IBM, HP, SUN, Apple and SGI. Other
vendors will release patches in the near future.

The primary distribution site for Sendmail is: http://www.sendmail.org
Patches and information are also available from the following sites:
The ISS Download center http://www.iss.net/download
IBM Corporation http://www.ibm.com/support/us/
Hewlett-Packard Co. http://www.hp.com
Silicon Graphics Inc. http://www.sgigate.sgi.com
Apple Computer, Inc. http://www.apple.com/
Sun Microsystems, Inc. http://www.sun.com/service/support/
Common Vulnerabilities and Exposures (CVE) Project http://CVE.mitre.org

As always, computer users are advised to keep their anti-virus and
systems software current by checking their vendor's web sites frequently
for new updates and to check for alerts put out by the DHS/NIPC,
CERT/CC, ISS and other cognizant organizations. The DHS/NIPC encourages
recipients of this advisory to report computer intrusions to their local
FBI office (http://www.fbi.gov/contact/fo/fo.htm) and other appropriate
authorities. Recipients may report incidents online to
http://www.nipc.gov/incident/cirr.htm. The DHS/NIPC Watch and Warning
Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch at fbi.gov.


====

Background on government/industry cooperation to mitigate damage

The Sendmail Vulnerability Announced Today, March 3, 2003
How Well Did The Cyber Defense Community Do?

Today, hundreds of thousands of people learned of a vulnerability in
the sendmail program which is widely used for Internet mail handling.
A vulnerability in such a widely used open source software program
presents difficult challenges for the cyber defense community -
including the need to get more than twenty different software
organizations to act quickly and silently to develop patches.

Three primary actions are required to respond effectively to such
a vulnerability:

1. Verify that the vulnerability exists and is important.
2. Contact the key technical personnel at each of the software
companies and other groups that distribute sendmail (either alone or
with other software) and ensure that they develop and test patches
and make them ready for widespread distribution.
3. Plan and execute an early warning and distribution strategy
that enables critical infrastructure organizations in the US and in
partner countries to be prepared for rapid deployment of the patches
once they are ready.  This must be accomplished without leaking data
about the vulnerability to the black hat community that exploits such
vulnerabilities by creating worms like Code Red, Slapper, and Slammer.

When possible, several other actions may be appropriate:

4. Provide military and other very sensitive organizations with early
access to the patches so their systems can be protected even before
public disclosure of the vulnerability.
5. Use sensor networks with smart filters to test for exploitation.
6. Develop and distribute filters that can block the offending packets
to protect systems that cannot or will not install patches immediately.

On Saturday, March 1, 2003, the US Department of Homeland Security
became fully operational, although the elements of the new department
had been working together for several weeks.  In cybersecurity, the new
Department brings together four highly visible cybersecurity agencies:
(1) The National Infrastructure Protection Center from the FBI, (2)
FedCIRC from the General Services Administration, (3) the National
Communications System program from the US Department of Defense, and
(4) the Critical Infrastructure Assurance Office from the Department
of Commerce.

Today's disclosure of a vulnerability in sendmail offers the
opportunity to see how quickly and effectively the cyber defense
community, led by this new Department, can respond to important
threats.

Sendmail's vulnerability offers a legitimate test because sendmail
handles a large amount of Internet mail traffic and is installed on
at least 1.5 million Internet-connected systems. More than half of
the large ISPs and Fortune 500 companies use sendmail, as do tens of
thousands of other organizations. A security hole in sendmail affects
a lot of people and demands their immediate attention.

You can draw your own conclusion on how well the problem is being
handled. Here are the facts:

1. On Friday, February 14, telephone calls to the Department of
Homeland Security (DHS) and the White House Office of Cyberspace
Security alerted the US government to a suspected sendmail
vulnerability. The source of the data was Internet Security
Systems (ISS), a well-respected security firm with solid security
research credentials, giving the data an initial base level of
credibility. However, to be more certain, DHS technical experts
reviewed the details of the vulnerability and especially the
tests that ISS had run to prove the existence and severity of the
vulnerability. They were convinced.

2. Almost immediately the DHS/White House team, working with ISS,
contacted vendors that distribute sendmail, including Sun, IBM,
HP, and SGI, as well as the Sendmail Consortium, the organization
that develops the open source version of sendmail that is the core
of sendmail distributed with both free and commercial operating
systems. Partially because of government involvement, but primarily
because the vulnerability involved the widely used sendmail package,
the vendors immediately started working together on patches.

3. The DHS/White House staff contacted and shared what they knew with
the US Department of Defense and the Federal CIO Council. Through the
Federal CIO Council, the US FedCIRC and US Office of Management and
Budget were added to the coordinating team. Together the government
planners, ISS, and the vendors developing patches worked out a plan
for public dissemination of the vulnerability information and patch
distribution.

4. To help ensure that the open source LINUX and BSD distributions
(Red Hat, SUSE, OpenBSD, etc.) developed patches, the Computer
Emergency Response Team at Carnegie Mellon University (CERT/CC) was
brought into the project. CERT/CC deployed its formalized process to
inform the LINUX and BSD distribution developers and to assist them
in getting the corrected source code and any additional knowledge
needed to create the patch. CERT/CC (which is funded, in part, by two
organizations being merged into DHS and by the DoD) also created an
advisory to educate system administrators and the security community
in general on the vulnerability, on which systems are affected,
and on where to get the patches for each affected system.

5. Some of the large commercial vendors developed the patches very
quickly, but the delayed notice to smaller sources of sendmail
distributions and limited resources at those organizations meant
that not all the patches would be ready by early in the week of
February 23. The coordinating group faced a decision of whether to
release data about the exploit before most patches were ready or to
wait. The answer depended on whether they had reason to believe an
exploit was already being used by attackers. They had two sources
of information that led them to conclude waiting an extra week was
acceptable. First, people who monitored the hacker discussion groups
reported that this vulnerability did not seem to be one that was being
discussed. Second, the organization that discovered the vulnerability,
ISS, had deployed sensors for the exploit in a number of places
around the world. Those sensors were showing no exploits. Based on
both sets of data, the coordination group decided to schedule the
announcement for Monday, March 3. A second-order reason to schedule
a Monday announcement was that some members of the team believed
that Monday-Tuesday announcements generate more rapid and complete
patching than announcements made late in the week.

6. Since some of the patches were ready, the coordination group
decided to provide what was available to the US DoD so that military
sites could have the protection as early as possible. The military
distributions took place on or around February 25 and 26.

7. On February 27 and 28, government groups in the US and in several
other countries were given early warnings, without details about how
the vulnerability could be exploited, to help them plan for rapid
deployment of the patches when they were released on March 3. In
addition to the Chief Information Officers of US Cabinet level
departments, and the directors or deputy directors of national
cyber security offices in several other countries, the officers of
the critical infrastructure Information Sharing And Analysis Centers
(ISACs) were also briefed so they could be ready for rapid information
distribution to commercial organizations such as banks and utilities,
that comprise the critical infrastructure.

8. On March 3, beginning about 10 am EST, alerts began flowing to
federal agencies from FedCIRC and to the critical infrastructure
companies from the ISACs. At noon, ISS released their advisory,
followed by CERT/CC's general release. Once the data was public,
the SANS Institute also issued a release and scheduled free web-based
education programs.
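
The NIPC DESCRIPTION above gives the shape of the bug without any code: a
fixed buffer whose main copy path notices when it is full and "stops adding
characters", while the parser keeps going and later logic still writes. The
following C program is an added illustration of that bug class written for
this archive; it is not sendmail's crackaddr() and not code from any of the
posters or advisories. The 32-byte buffer size, the comment-balancing rule
(one ')' appended per unclosed '(') and the 40-character sample header are
all assumptions chosen so the effect is measurable; the oversized arena keeps
the demonstration inside allocated memory so the count itself is well defined.

```c
/*
 * Constructed model of the bug class described in the NIPC advisory above:
 * a copy routine whose main path honours its buffer limit, but whose later
 * "fix-up" path writes without consulting the same limit. NOT sendmail's
 * crackaddr(); buffer size, balancing rule and sample input are assumptions.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ADDR_BUFLEN 32   /* assumed logical size of the address buffer */
#define ARENA_LEN   128  /* oversized backing store so the spill is measurable */

/*
 * Vulnerable variant. The per-character copy is bounded, so once the buffer
 * is full it stops adding characters but keeps parsing (counting unclosed
 * '(' comments). The balancing step afterwards appends one ')' per unclosed
 * comment with no bounds check: parser state, not the buffer, decides how
 * many bytes land past the end.
 */
size_t crack_vulnerable(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    int depth = 0;

    if (outlen == 0)
        return 0;
    for (; *in != '\0'; in++) {
        if (*in == '(')
            depth++;
        else if (*in == ')' && depth > 0)
            depth--;
        if (n < outlen - 1)      /* bounds check on the main copy path only */
            out[n++] = *in;
    }
    while (depth-- > 0)          /* BUG: unchecked writes driven by parser state */
        out[n++] = ')';
    out[n] = '\0';
    return n;
}

/*
 * Hardened variant: every write, including the fix-up, is gated on the same
 * limit, and the terminator always lands inside the buffer.
 */
size_t crack_hardened(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    int depth = 0;

    if (outlen == 0)
        return 0;
    for (; *in != '\0'; in++) {
        if (*in == '(')
            depth++;
        else if (*in == ')' && depth > 0)
            depth--;
        if (n < outlen - 1)
            out[n++] = *in;
    }
    while (depth-- > 0 && n < outlen - 1)   /* fix-up path checked too */
        out[n++] = ')';
    out[n] = '\0';
    return n;
}

/*
 * Run a cracker inside an arena that it is told holds only ADDR_BUFLEN bytes,
 * then count how many bytes beyond that logical end were touched. All writes
 * stay inside the arena, so the measurement is well defined.
 */
size_t bytes_past_limit(size_t (*crack)(const char *, char *, size_t),
                        const char *in)
{
    char arena[ARENA_LEN];
    size_t spilled = 0;

    memset(arena, 'X', sizeof arena);
    crack(in, arena, ADDR_BUFLEN);
    for (size_t i = ADDR_BUFLEN; i < ARENA_LEN; i++)
        if (arena[i] != 'X')
            spilled++;
    return spilled;
}

/*
 * Constructed header value: 40 '(' with no matching ')'. It overfills the
 * 32-byte buffer on the main path and leaves 40 comments for the fix-up.
 */
size_t demo_spill(size_t (*crack)(const char *, char *, size_t))
{
    char sample[41];

    memset(sample, '(', 40);
    sample[40] = '\0';
    return bytes_past_limit(crack, sample);
}

int main(void)
{
    printf("vulnerable: %zu bytes written past the buffer\n",
           demo_spill(crack_vulnerable));
    printf("hardened:   %zu bytes written past the buffer\n",
           demo_spill(crack_hardened));
    return 0;
}
```

Build with something like `cc -std=c99 -Wall crack.c` and run it. The point to
take away is the one the advisory hints at: the overflow is not in the copy
loop that checks for "full", it is in the parser-driven fix-up that runs after
the loop, and the attacker controls how many bytes it writes by shaping the
header. Hardening means gating every write, including the ones that happen
after the main loop, on the same limit; it does not mean filtering odd-looking
addresses at the perimeter, which is why the advisory's recommendation is to
upgrade or patch rather than to block.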
