X
Tech

New Sendmail glitch makes two in March

A serious security vulnerability has been found in the popular Sendmail software, which processes 60 percent to 70 percent of the world's e-mail.
Written by Patrick Gray, Contributor
A serious security vulnerability has been found in the popular Sendmail software, which processes 60 percent to 70 percent of the world's e-mail.

The flaw was discovered by U.S.-based security researcher Michal Zalewski, and is separate from the one discovered by Internet Security Systems earlier this month. "I've confirmed this is a local issue, and my initial impression is that a remote attack possibility is not that unlikely," Zalewski said in a statement.

The bug was found in the prescan function, which is used to parse e-mail addresses from incoming messages. By sending a malformed e-mail message to a Sendmail server, it may be possible for a remote attacker to gain entry to vulnerable machines.

U.S.-based vulnerability coordination center CERT claimed that most companies are likely to be affected by the new glitch.

"Most medium-sized to large organizations are likely to have at least one vulnerable Sendmail server," CERT said in an advisory.

The advisory also pointed out that companies may not even know they are running Sendmail because it is enabled by default in many Unix and Linux distributions.

Because the vulnerability is exploitable through malformed messages, companies using other software to relay mail to a Sendmail server on an internal network segment will also be affected.

"An MTA (mail transfer agent) that does not contain the vulnerability will pass the malicious message along to other MTAs that may be protected at the network level...Sendmail servers on the interior of a network are still at risk," CERT said.

Security researcher Matthew McGlashan, who is based at AusCERT at the University of Queensland, says that an exploit to the latest vulnerability isn't known to be circulating. "It's fairly new...there's more chance of attackers going after the first (flaw) rather than this," he said.

But McGlashan said there's no point risking it--companies running Sendmail should patch it as soon as possible. "In these situations, you just wouldn't take any chances...it's good practice (by mitigating) by patching if you can," he said.

Alternatively, system administrators can run the Sendmail process as a low-level user instead of root, hence minimizing the impact of the vulnerability, McGlashan said.

ZDNet Australia's Patrick Gray reported from Sydney.

Editorial standards