Vulnerability Note VU#834865

Sendmail signal I/O race condition

Overview

A race condition in Sendmail may allow a remote attacker to execute arbitrary code.

I. Description

Sendmail

Sendmail is a widely used mail transfer agent (MTA).

Mail Transfer Agents (MTA)

MTAs are responsible for sending an receiving email messages over the internet. They are also referred to as mail servers or SMTP servers.

The Problem

Sendmail contains a race condition caused by the improper handling of asynchronous signals. In particular, by forcing SMTP server to have an I/O timeout at exactly the correct instant, the attacker may be able to execute arbitrary code with the privileges of the Sendmail process.

More information is available in the Sendmail version 8.13.6 release page and the Sendmail MTA Security Vulnerability Advisory.

This vulnerability occurred as a result of failing to comply with recommndations SIG32-C and SIG30-C of the CERT C Programming Language Secure Coding Standard.

Considerations

Versions of Sendmail prior to 8.13.6 are affected.

II. Impact

A remote, unauthenticated attacker could execute arbitrary code with the privileges of the Sendmail process. If Sendmail is running as root, the attacker could take complete control of an affected system.

III. Solution

Upgrade

This issue is corrected in Sendmail version 8.13.6.

Patches to correct this issue in Sendmail versions 8.12.11 and 8.13.5 are also available.

Refer to the Sendmail MTA Security Vulnerability Advisory for steps to reduce the impact of this vulnerability

Systems Affected

Vendor	Status	Date Notified
3com, Inc.	Unknown	8-Mar-2006
Alcatel	Unknown	8-Mar-2006
Apple Computer, Inc.	Not Vulnerable	22-Mar-2006
AT&T	Unknown	8-Mar-2006
Avaya, Inc.	Not Vulnerable	9-Mar-2006
Avici Systems, Inc.	Unknown	8-Mar-2006
Borderware Technologies	Not Vulnerable	21-Mar-2006
Charlotte's Web Networks	Unknown	8-Mar-2006
Check Point Software Technologies	Not Vulnerable	9-Mar-2006
Chiaro Networks, Inc.	Unknown	8-Mar-2006
Cisco Systems, Inc.	Unknown	16-Mar-2006
Computer Associates	Unknown	8-Mar-2006
Conectiva Inc.	Unknown	9-Mar-2006
Cray Inc.	Unknown	9-Mar-2006
D-Link Systems, Inc.	Unknown	8-Mar-2006
Data Connection, Ltd.	Unknown	8-Mar-2006
Debian GNU/Linux	Unknown	9-Mar-2006
EMC, Inc. (formerly Data General Corporation)	Unknown	8-Mar-2006
Engarde Secure Linux	Unknown	8-Mar-2006
Ericsson	Unknown	8-Mar-2006
eSoft, Inc.	Unknown	8-Mar-2006
Extreme Networks	Unknown	8-Mar-2006
F5 Networks, Inc.	Not Vulnerable	22-Mar-2006
Fedora Project	Vulnerable	21-Mar-2006
Force10 Networks, Inc.	Unknown	8-Mar-2006
Fortinet, Inc.	Unknown	8-Mar-2006
Foundry Networks, Inc.	Unknown	8-Mar-2006
FreeBSD, Inc.	Vulnerable	30-Mar-2006
Fujitsu	Unknown	8-Mar-2006
Gentoo Linux	Vulnerable	22-Mar-2006
Global Technology Associates	Unknown	8-Mar-2006
GNU netfilter	Unknown	8-Mar-2006
Hewlett-Packard Company	Vulnerable	27-Mar-2006
Hitachi	Unknown	8-Mar-2006
Hyperchip	Unknown	8-Mar-2006
IBM Corporation	Vulnerable	22-Mar-2006
IBM Corporation (zseries)	Unknown	8-Mar-2006
IBM eServer	Unknown	23-Mar-2006
Immunix Communications, Inc.	Unknown	8-Mar-2006
Ingrian Networks, Inc.	Unknown	8-Mar-2006
Intel Corporation	Unknown	8-Mar-2006
Internet Security Systems, Inc.	Not Vulnerable	23-Mar-2006
Intoto	Not Vulnerable	9-Mar-2006
IP Filter	Unknown	8-Mar-2006
Juniper Networks, Inc.	Not Vulnerable	22-Mar-2006
Linksys (A division of Cisco Systems)	Unknown	8-Mar-2006
Lotus Software	Not Vulnerable	21-Mar-2006
Lucent Technologies	Unknown	8-Mar-2006
Luminous Networks	Unknown	8-Mar-2006
Mandriva, Inc.	Unknown	8-Mar-2006
Microsoft Corporation	Unknown	8-Mar-2006
Mirapoint, Inc.	Not Vulnerable	23-Mar-2006
MontaVista Software, Inc.	Unknown	8-Mar-2006
Multinet (owned Process Software Corporation)	Unknown	8-Mar-2006
Multitech, Inc.	Unknown	8-Mar-2006
NEC Corporation	Not Vulnerable	22-Mar-2006
NetBSD	Vulnerable	3-Apr-2006
Network Appliance, Inc.	Unknown	8-Mar-2006
NextHop Technologies, Inc.	Unknown	8-Mar-2006
Nokia	Unknown	21-Mar-2006
Nortel Networks, Inc.	Not Vulnerable	23-Mar-2006
Novell, Inc.	Unknown	8-Mar-2006
OpenBSD	Vulnerable	27-Mar-2006
Openwall GNU/*/Linux	Not Vulnerable	9-Mar-2006
Oracle Corporation	Unknown	8-Mar-2006
QNX, Software Systems, Inc.	Unknown	8-Mar-2006
Red Hat, Inc.	Vulnerable	21-Mar-2006
Redback Networks, Inc.	Unknown	8-Mar-2006
Riverstone Networks, Inc.	Unknown	8-Mar-2006
Secure Computing Network Security Division	Not Vulnerable	20-Mar-2006
Sendmail.org	Vulnerable	21-Mar-2006
Silicon Graphics, Inc.	Unknown	8-Mar-2006
Slackware Linux Inc.	Vulnerable	24-Mar-2006
Sony Corporation	Unknown	8-Mar-2006
Sun Microsystems, Inc.	Vulnerable	27-Mar-2006
SUSE Linux	Vulnerable	21-Mar-2006
Symantec, Inc.	Not Vulnerable	17-Apr-2006
Syntegra	Unknown	8-Mar-2006
Trustix Secure Linux	Unknown	8-Mar-2006
Turbolinux	Vulnerable	29-Mar-2006
Ubuntu	Vulnerable	22-Mar-2006
Unisys	Unknown	8-Mar-2006
Watchguard Technologies, Inc.	Unknown	8-Mar-2006
Wind River Systems, Inc.	Unknown	8-Mar-2006
ZyXEL	Unknown	8-Mar-2006

References

https://www.securecoding.cert.org/confluence/x/lwAV
https://www.securecoding.cert.org/confluence/x/34At
http://www.sendmail.org/8.13.6.html
http://www.sendmail.com/company/advisory
ftp://ftp.sendmail.org/pub/sendmail/8.13.5.p0
ftp://ftp.sendmail.org/pub/sendmail/8.12.11.p0
http://xforce.iss.net/xforce/alerts/id/216

Credit

Thanks to Sendmail Inc. for reporting this vulnerability. Sendmail credits Internet Security Systems with providing information about this issue.

This document was written by Jeff Gennari.

Other Information

Date Public:	2006-03-22
Date First Published:	2006-03-22
Date Last Updated:	2008-08-14
CERT Advisory:
CVE-ID(s):	CVE-2006-0058
NVD-ID(s):	CVE-2006-0058
US-CERT Technical Alerts:	TA06-081A
Metric:	19.88
Document Revision:	90

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2006 by US-CERT, a government organization
Disclaimers and copyright information

Get Adobe Reader