SUMMARY - Sun sendmail vulnerabilities

From: Jim Napier (jnapier@soemail.ucsd.edu)
Date: Wed Jan 03 1996 - 19:43:59 CST


The consensus was that the sendmail in Solaris 2.5 is as secure as the
most recent 8.7 versions of Allman's sendmail, since it incorporates
changes he made for the 8.7 version. Casper Dik said that a fully
patched Solaris 2.4 system will have a sendmail that is only marginally
worse off than the 2.5 one. Some folks suggested not ever using any
Sun distributed sendmail.

Although I didn't specifically ask about SunOS 4.1.x, it doesn't
appear that for that OS (or earlier versions) you have any choice
but to use 8.7 if you want a secure sendmail.

Thanks to:

Casper Dik
Daniel Blander
James W. Abendschan
Jim McBride
R A Lichtensteiger
Christopher Eastman

/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/

Jim Napier jnapier@soe.ucsd.edu
Systems Administration (619)534-5212
School of Engineering
UC San Diego

/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/

>From Daniel.Blander@ACSacs.com Fri Dec 29 22:43 PST 1995
Return-Path: <Daniel.Blander@ACSacs.com>
From: "Daniel J Blander - Sr. Systems Engineer for ACS" <Daniel.Blander@ACSacs.com>
X-Sender: phaedrus@ferrari
To: Jim Napier <jnapier@soemail.ucsd.edu>
Cc: sun-managers@ra.mcs.anl.gov
Subject: Re: Sun sendmail vulnerabilities
In-Reply-To: <9512292134.AA07345@soeadm>
Mime-Version: 1.0
Status: RO
X-Lines: 52
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Content-Length: 2268

In regards to this message, I just upgraded from Solaris 2.3 to
Solaris 2.5 on my main office server. My Internet server (mail gateway) is
Solaris 2.4 with the fully patched sendmail. My 2.3 sendmail.cf
file from my main server was retained. While Sun claims the 2.5
version is more secure, I ran into infuriating bugs. I got
pine to hang during its communication with sendmail and it wouldn't
release until I killed the sendmail process it was talking to. I got
broken connections from PCNFS E-mail (PCNFSpro & PCNFS), and
aliases didn't read in correctly (I do reverse name resolution
with NIS+ via a trick I picked up from Sun - but now that won't
work correctly along with *all* my other "normal" aliases). I put the
patched sendmail from my 2.4 server onto my 2.5 server and
everything ran hunky-dory. I even found a bug report in SunSolve
regarding putting \r\n on the end of the Mether entry to handle
the broken connections from PCNFS - no avail.....

Anyone encountering this or similar problems with 2.5 sendmail?
Recall - with 2.4 sendmail no problems. With 2.5 - grrrrrr.....

P.S. Jim, according to Sun, all the holes in 2.4 sendmail are
patched in 2.5. In fact the last CERT bulletin I got listed
sendmail for 2.5 as one of the "good" versions - including patches
for the syslog/sendmail vulnerability.

On Fri, 29 Dec 1995, Jim Napier wrote:

> Date: Fri, 29 Dec 1995 13:34:50 -0800
> From: Jim Napier <jnapier@soemail.ucsd.edu>
> To: sun-managers@ra.mcs.anl.gov
> Subject: Sun sendmail vulnerabilities
>
>
> What's the opinion of this group on the current status of sendmail
> vulnerabilities under Solaris 2.4 and 2.5? Are they fixed yet in 2.5?
> I believe there still were some security holes under 2.4. Thanks.
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Daniel Blander =8^)
 Sr. Systems Engineer Applied Computer Solutions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Phone: (714) 842.7800 Fax: (714) 842.8299
 Email: Daniel.Blander@acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 The Official Applied Computer Solutions Home Page
             and Tech Tip of the Week:
               http://www.acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

>From casper@holland.Sun.COM Sat Dec 30 05:24 PST 1995
Return-Path: <casper@holland.Sun.COM>
To: jnapier@soemail.ucsd.edu (Jim Napier)
X-Orig-Cc: sun-managers@ra.mcs.anl.gov
Subject: Re: Sun sendmail vulnerabilities
In-Reply-To: Your message of "Fri, 29 Dec 1995 13:34:50 PST."
             <9512292134.AA07345@soeadm>
From: Casper Dik <casper@holland.Sun.COM>
Content-Type: text
Content-Length: 1009
Status: RO
X-Lines: 24

>
>What's the opinion of this group on the current status of sendmail
>vulnerabilities under Solaris 2.4 and 2.5? Are they fixed yet in 2.5?
>I believe there still were some security holes under 2.4. Thanks.

The sendmail shipped in Solaris 2.4 is a port of the sendmail
shipped with SunOS 4.1.x and has more or less the same vulnerabilities,
though it was ported after a number of them were fixed.

The latest sendmail patch for Solaris 2.4 includes sendmail 8.6.12, a much
more secure version, with many of Sun's enhancements backported to it.
You'll find those changes in 8.7.x as well, as Sun donated its changes
to Eric Allman who integrated many of them. That makes it easier
for Sun to keep relatively current with sendmail.

The syslog() problem still exists in sendmail 8.6.12 but since syslog
is fixed in 2.5 that problem is gone there too.
You'll need an extra patch for syslog() in 2.4 (POINT patch, integrated
in the next public kernel jumbo patch).
(Similar patches exist for 2.3)

Casper

>From jwa@nbs.nau.edu Sat Dec 30 18:00 PST 1995
Return-Path: <jwa@nbs.nau.edu>
From: jwa@nbs.nau.edu
Subject: Re: Sun sendmail vulnerabilities
To: jnapier@soemail.ucsd.edu
In-Reply-To: <9512292134.AA07345@soeadm> from "Jim Napier" at Dec 29, 95 01:34:50 pm
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Status: RO
X-Lines: 13
Content-Type: text/plain; charset="US-ASCII"
Content-Length: 552

> What's the opinion of this group on the current status of sendmail
> vulnerabilities under Solaris 2.4 and 2.5? Are they fixed yet in 2.5?
> I believe there still were some security holes under 2.4. Thanks.

As I understand, 2.5 is shipped with sendmail 8.7 (which fixes
"all bugs we know about" :).

James

-- 
James W. Abendschan                                     Email: jwa@nbs.nau.edu
UNIX Systems Programmer/Administrator                   Voice: (520) 556-7466
Colorado Plateau Research Station, Flagstaff, AZ        FAX:   (520) 556-7500 

>From jmcbride@neog.com Sat Dec 30 21:45 PST 1995
Return-Path: <jmcbride@neog.com>
From: "James G. McBride" <jmcbride@neog.com>
To: Jim Napier <jnapier@soemail.ucsd.edu>
Subject: Re: Sun sendmail vulnerabilities
In-Reply-To: <9512292134.AA07345@soeadm>
Mime-Version: 1.0
Status: RO
X-Lines: 30
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Content-Length: 1168

On Fri, 29 Dec 1995, Jim Napier wrote:

>
> What's the opinion of this group on the current status of sendmail
> vulnerabilities under Solaris 2.4 and 2.5? Are they fixed yet in 2.5?
> I believe there still were some security holes under 2.4. Thanks.
>
> /=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/
>
> Jim Napier jnapier@soe.ucsd.edu
> Systems Administration (619)534-5212
> School of Engineering
> UC San Diego
>
> /=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/
>

Stock sendmail and sendmail-mx that come with Solaris are utterly useless
for anyone who is interested in actually using email. It's some crappy
version of IDA sendmail 5.6.x if I remember correctly and aside from being
super cheesy, it's full of holes. Always run the most current sendmail
release. You can ftp it from ftp.cs.berkeley.edu in /pub/sendmail.
Current as of today is 8.7.2.

Jim

---
Jim McBride jmcbride@neog.com
Neoglyphics Media Corp. http://www.neog.com

>From rali@meitca.com Tue Jan 2 05:30 PST 1996
Return-Path: <rali@meitca.com>
From: Reto Lichtensteiger <rali@meitca.com>
Subject: Re: Sun sendmail vulnerabilities
To: jnapier@soemail.ucsd.edu
In-Reply-To: <9512292134.AA07345@soeadm> from "Jim Napier" at Dec 29, 95 01:34:50 pm
Reply-To: rali@meitca.com
X-Org: Mitsubishi Electric ITA Waltham MA 02154 [USA] 617 466 8304
X-Mailer: ELM [version 2.4 PL24alpha5]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Status: RO
X-Lines: 20
Content-Type: text/plain; charset="US-ASCII"
Content-Length: 884

Back at the ranch, Jim Napier scribed:

<> What's the opinion of this group on the current status of sendmail
<> vulnerabilities under Solaris 2.4 and 2.5? Are they fixed yet in 2.5?
<> I believe there still were some security holes under 2.4. Thanks.

At LISA last fall, Eric Allman said Sun was going to be using a version
of sendmail 8.7 as a basis for the sendmail shipped with 2.5, so I would
expect it to be pretty good. Nevertheless, I don't think you can go wrong
by sticking to the "original" and getting the source distributions and
keeping up with the changes. One major convenience for the non-cf fluent
will be generic config files for 8.7.x from the Sun distribution.

Regards,

Reto L.
-- 
R A Lichtensteiger rali@meitca.com -or- rali@hri.com
http://www.meitca.com/ITA/People/rali.html
"Yes, you're doing things right, but are you doing the right things?"

>From chris@cwi.net Tue Jan 2 17:45 PST 1996
Return-Path: <chris@cwi.net>
From: Chris Eastman <chris@cwi.net>
Subject: Re: Sun sendmail vulnerabilities
To: Jim Napier <jnapier@soemail.ucsd.edu>
In-Reply-To: <9512292134.AA07345@soeadm>
Mime-Version: 1.0
Status: RO
X-Lines: 15
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Content-Length: 689

Don't run stock Sun mail of any type - get sendmail 8.7.x, there are several vulnerabilities with the above mentioned, primarily the syslogd exploit - don't run any 8.6.x either, as identd spoofing attacks exist that allow commands to be piped thru sed/awk type programs to execute commands from remote. If you want more info I will be glad to help you out.

--chris

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Christopher Eastman  %% Cable & Wireless, Inc %%
%% MDS Network Engineer %% 1919 Gallows Road     %%
%% chris@cwi.net        %% Vienna, VA 22182      %%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


