SECURITY
Experts warn of gaping hole in Sendmail
04-03-2003
by John Cradden
A new high-level warning has been released about a serious vulnerability in Sendmail, the most widely used software for sending e-mail.
Sendmail, one of the oldest e-mail server applications in existence, has a flaw that allows an attacker to take control of an e-mail server, read its contents and use it to run a massive denial of service attack.
The flaw was discovered in late December by a US e-security firm, Internet Security Systems, which quietly passed on the information to the US Department of Homeland Security; they then worked together for two months to develop patches.
The age of the product and the variety of different versions available apparently required up to 20 different software vendors to get involved in fixing the flaw.
The software, based on an open source program developed in 1981 for transmitting messages at the University of California at Berkeley, is installed on more than a million server computers, according to the company that makes the product.
It is estimated that between 50 percent and 75 percent of all the Internet's e-mail is handled by the various versions of Sendmail, making the flaw particularly pervasive.
Although no attacks have been reported so far, attackers tend to write viruses for the most popular software, making Sendmail a likely candidate for attack.
The whole affair has clearly been handled in a secretive manner that would allow vendors time to develop patches before attackers became aware of it, said Dermot Williams of e-security firm Systemhouse. "It gives them a two-month head start," he said.
Williams said that there were likely to be thousands of large-scale servers and ISP systems in Ireland and elsewhere that would have Sendmail.
The flaw primarily affects Unix and Linux systems and a limited number of Windows servers that carry the Sendmail software.
Williams said that the very fact of the vulnerability's existence in an e-mail system meant that attacks could be started simply by sending an e-mail designed to exploit a buffer overload, which can be very dangerous. The flaw is exploited by sending e-mail with information that is designed to spill into an overflow area, where an attacker can then install code to gain remote access over the computer.
The widespread use of Sendmail means that some companies will inevitably be affected, he said.
Gary Delaney, senior security consultant with Priority Data, says that the first thing IT managers should do is check which version of Sendmail they are using.
Systems with the official version 8.12.8 are thought to be safe, but many companies will have modified versions for IBM, Solaris or HP systems, for instance. These companies are likely to have their own patches.
More information on the vulnerability and links to patches are available from CERT.










