Nortel Networks Information for VU#398025

Remote Buffer Overflow in Sendmail

Status

Affected

Vendor Statement

The following Nortel Networks Wireless products are potentially affected by the vulnerabilities identified in CERT Advisory CA-2003-07:

      SS7 IP Gateway. Nortel Networks recommends disabling Sendmail as it is not used.
      Wireless Preside OAM&P Main Server. Sendmail should not be disabled on these products.


The following Nortel Networks Enterprise Voice IVR products are potentially affected by the vulnerabilities identified in CERT Advisory CA-2003-07:
      MPS1000
      MPS500
      VPS
      CTX
All the above products deploy Sendmail; it should not be disabled on these products.

For all of the above products Nortel Networks recommends applying the latest Sun Microsystems patches in accordance with that vendor's recommendations. To avoid applying patches twice, please ensure that the Sun Microsystems patch applied also addresses the vulnerability identified in CERT Advisory CA-2003-12.

The following Nortel Networks Succession products are potentially affected by the vulnerability identified in CERT Advisory CA-2003-07:
      SSPFS-based CS2000 Management Tools
      GWC Element Manager and QoS Collector Application (QCA)
      SAM21 Element Manager
      Audio Provisioning Server (APS) and APS client GUI
      UAS Element Manager
      Succession Media Gateway 9000 Element Manager (Mid-Tier and Server)
      Network Patch Manager (NPM)
      Nodes Configuration, Trunk Configuration, Carrier Endpoint Configuration, Lines Configuration (Servord+), Trunk Maintenance Manager, Lines Maintenance Manager, Line Test Manager, V5.2 Configuration and Maintenance, PM Poller, EMS Proxy Services, and Common Application Launch Point
A product bulletin will be issued shortly.

Sendmail has been disabled in SN06 and therefore SN06 is not vulnerable. A patch for SN05 is currently under development that will disable Sendmail in SN05 so that it will not be affected by the vulnerability identified in CERT Advisory CA-2003-07. The availability date for the SN05 patch is still to be determined.

For more information please contact Nortel at:
      North America: 1-800-4NORTEL or 1-800-466-7835
      Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009
      Contacts for other regions are available at http://www.nortelnetworks.com/help/contact/global/

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.