NASIRC BULLETIN # 94-08 March 23, 1994
NEW Security Vulnerability in Sendmail (v8.6.7 and older)
===========================================================
__ __ __ ___ ___ ____ ____
/_/\ /_/| /_/ / _/\ /_/| / __/ \ / __/\
| |\ \| || / \ \ | /\/ | || | /\ \/ | | \/
| ||\ \ || / /\ \ \ \ \ | || |_\/ /\ | |
| || \ \|| / /--\ \ \ /\_\\ | || | |\ \ \ | \_/\
|_|/ \_|//_/ \_\/ \/__/ |_|/ |_| \_\/ \___\/
NASA Automated Systems Incident Response Capability
===========================================================
NASIRC recently received notification of a new security vulnerability
in all versions of sendmail 8.x prior to the current release (8.6.8),
as well as several vendors' versions of sendmail. NOTE: THIS BULLETIN
SUPERSEDES NASIRC BULLETIN #94-07 OF 15-MAR-1994.
THE PROBLEM:
According to the sendmail author, certain values of the "-d" (debug)
flag could let users gain unauthorized root access (this is the same
bug that prompted the v8.6.7 release last week; that release did not
fully close it, so 8.6.7 remains affected). The bug is triggered only
when sendmail is invoked from the command line, so it is a local rather
than a remote attack, but a local user who triggers it could read any
file on the system. The problem is found only in version 8 releases of
sendmail; other sendmails (e.g., IDA, smail) are not affected.
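As an added example (not part of the NASIRC bulletin, and not NASA or
sendmail project code), the following POSIX sh script classifies a
sendmail version string against the range described above: sendmail 8.x
releases older than 8.6.8 are reported as affected, non-8 releases
(IDA, smail, 5.x) as not affected. The version string can be taken from
the first line printed by "sendmail -d0.1 -bv root" on the host (a
benign debug level that prints the version and exits after verifying
the address), or from the SMTP greeting, which sendmail 8.6.x printed
as "220 host Sendmail 8.6.7/8.6.6 ready at ...", where the part after
the slash is the sendmail.cf version and is ignored here. The sample
banner lines and host names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the NASIRC bulletin: classify a sendmail
# version string against the affected range (sendmail 8.x older than
# 8.6.8 is affected; non-version-8 sendmails are not).

# Print the version that follows a "Version" or "Sendmail" token:
#   "Version 8.6.7"                      -> 8.6.7  (sendmail -d0.1 -bv root)
#   "220 host Sendmail 8.6.7/8.6.6 ..."  -> 8.6.7  (SMTP greeting; the
#                                           "/8.6.6" sendmail.cf version is dropped)
# Returns 1 when no version token is present.
sendmail_version() {
    prev=""
    for tok in $1; do
        case "$prev" in
            Version|Sendmail)
                ver=${tok%%/*}
                case "$ver" in
                    [0-9]*.[0-9]*) printf '%s\n' "$ver"; return 0 ;;
                esac ;;
        esac
        prev=$tok
    done
    return 1
}

# Return 0 (true) when the string describes a sendmail 8.x release older
# than 8.6.8, i.e. one the bulletin says to upgrade; 1 otherwise.
# (Plain sh has no "local"; the variables below are global.)
is_affected() {
    ver=$(sendmail_version "$1") || return 1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=""
    case "$rest" in *.*) patch=${rest#*.} ;; esac
    # Keep only the leading digits of each component ("9+ida" -> 9);
    # a missing or non-numeric minor/patch counts as 0.
    major=$(printf '%s' "$major" | sed 's/[^0-9].*//')
    minor=$(printf '%s' "$minor" | sed 's/[^0-9].*//')
    patch=$(printf '%s' "$patch" | sed 's/[^0-9].*//')
    : "${major:=0}" "${minor:=0}" "${patch:=0}"
    [ "$major" -eq 8 ] || return 1          # only version 8 releases are affected
    if [ "$minor" -lt 6 ]; then return 0; fi
    if [ "$minor" -eq 6 ] && [ "$patch" -lt 8 ]; then return 0; fi
    return 1
}

# One-line verdict for a host report.
verdict() {
    if is_affected "$1"; then
        echo "AFFECTED (upgrade to 8.6.8): $(sendmail_version "$1")"
    elif v=$(sendmail_version "$1"); then
        echo "not affected: $v"
    else
        echo "unknown: no sendmail version found"
    fi
}

# Constructed sample inputs (made-up hosts): an SMTP greeting as sendmail
# 8.6.x printed it, the first line of "sendmail -d0.1 -bv root", and an
# IDA sendmail greeting, which the bulletin says is not affected.
SAMPLE_GREETING='220 mailhub.example.gov Sendmail 8.6.7/8.6.6 ready at Wed, 23 Mar 1994 09:12:44 -0500'
SAMPLE_D01='Version 8.6.8'
SAMPLE_IDA='220 relay.example.gov Sendmail 5.67b+IDA-1.5 ready at Wed, 23 Mar 1994 09:13:02 -0500'

if [ "${1:-}" = "--live" ]; then
    # Live check of the installed binary on this host.
    verdict "$(sendmail -d0.1 -bv root 2>/dev/null | head -n 1)"
else
    for s in "$SAMPLE_GREETING" "$SAMPLE_D01" "$SAMPLE_IDA"; do
        verdict "$s"
    done
fi
```

Without arguments the script runs over the constructed samples; run it
with "--live" on a host to check the sendmail binary actually installed
there. Note that the greeting check only tells you what the MTA reports
about itself; vendor builds that backported the fix without changing the
version string will still show as affected, so confirm against the
vendor's own patch information.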
FIXING THE PROBLEM:
NASIRC strongly recommends that you install version 8.6.8 of sendmail
immediately. The new sendmail release is available via Anonymous FTP
from nasirc.nasa.gov under the following directories:
o For Ultrix 4.X systems: /toolkits/DEC/Ultrix_4_x
o For Silicon Graphics, Inc. systems: /toolkits/UNIX/Sendmail/SGI
o For SunOS 4.1.x systems: /toolkits/UNIX/Sendmail/Sun_4_1_x
o For compressed source code to build sendmail 8.6.8 from scratch:
/toolkits/UNIX/Sendmail/Source_Code
We plan to make other sendmail 8.6.8 builds available if and when they
become available to us; please note that the variety of UNIX "flavors"
and hardware environments prevents us from absolutely guaranteeing full
"turn key" installations.
NASIRC will continue to monitor the situation and will post additional
information as appropriate. If you have any questions on this subject,
feel free to contact us at any of the venues listed below.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
NASIRC ACKNOWLEDGES: John Ray and Todd Welch of the NASA Ames
Research Center for forwarding this information, and John Howells
of NASA-Ames for creating the various builds of sendmail 8.6.8 on
very short notice.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
===============================================================
For further assistance, please contact the NASIRC Helpdesk:
Phone: 1-800-7-NASIRC Fax: 1-301-441-1853
Internet Email: nasirc@nasa.gov
24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
STU III: 1-301-982-5480
===============================================================
This bulletin may be forwarded without restriction to sites and
system administrators within the NASA community.
The NASIRC online archive system is available via anonymous ftp.
Just ftp to nasirc.nasa.gov and login as anonymous. You will be
required to enter your valid e-mail address. Once there you can
access the following information:
/bulletins ! contains NASIRC bulletins
/information ! contains various informational files
/toolkits ! contains automated toolkit software
Information maintained in these directories is updated on a continuous
basis with relevant software and information. Contact the NASIRC
Helpdesk for more information or assistance with toolkits or security
measures.
-----------------
PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact
your agency's response team to report incidents. Your agency's team
will coordinate with NASIRC, who will ensure the proper internal
NASA team(s) are notified. NASIRC is a member of the Forum of Incident
Response and Security Teams (FIRST), a world-wide organization which
provides for coordination between incident response teams
in handling computer-security-related issues. You can obtain a list
of FIRST member organizations and their constituencies by sending
email to docserver@first.org with an empty "subject" line and a
message body containing the line "send first-contacts".