Nortel Networks Information for VU#897604

Sendmail address parsing buffer overflow

Status

Affected

Vendor Statement

The following Nortel Networks Wireless products are potentially affected by the vulnerabilities identified in CERT Advisory CA-2003-12:

  • SS7 IP Gateway.
    Nortel Networks recommends disabling Sendmail as it is not used.
  • Wireless Preside OAM&P Main Server.
    Sendmail should not be disabled on these products.

The following Nortel Networks Enterprise Voice IVR products are potentially affected by the vulnerabilities identified in CERT Advisory CA-2003-12:
  • MPS1000
  • MPS500
  • VPS
  • CTX
All the above products deploy Sendmail; it should not be disabled on these products.

For all of the above products Nortel Networks recommends applying the latest Sun Microsystems patches in accordance with that vendor's recommendations. To avoid applying patches twice, please ensure that the Sun Microsystems patch applied also addresses the vulnerability identified in CERT Advisory CA-2003-07.

The following Nortel Networks Succession products are potentially affected by the vulnerability identified in CERT Advisory CA-2003-12:
  • SSPFS-based CS2000 Management Tools
  • GWC Element Manager and QoS Collector Application (QCA)
  • SAM21 Element Manager
  • Audio Provisioning Server (APS) and APS client GUI
  • UAS Element Manager
  • Succession Media Gateway 9000 Element Manager (Mid-Tier and Server)
  • Network Patch Manager (NPM)
  • Nodes Configuration, Trunk Configuration, Carrier Endpoint Configuration, Lines Configuration (Servord+), Trunk Maintenance Manager, Lines Maintenance Manager, Line Test Manager, V5.2 Configuration and Maintenance, PM Poller, EMS Proxy Services, and Common Application Launch Point
A product bulletin will be issued shortly.

Sendmail has been disabled in SN06 and therefore SN06 is not vulnerable. A patch for SN05 is currently under development that will disable Sendmail in SN05 so that it will not be affected by the vulnerability identified in CERT Advisory CA-2003-12. The availability date for the SN05 patch is still to be determined.

For more information please contact Nortel at:
    North America: 1-800-4NORTEL or 1-800-466-7835
    Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009

Contacts for other regions are available at
    <http://www.nortelnetworks.com/help/contact/global/>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.