Security Vulnerability in sendmail(1M) Versions Prior to 8.13.6


Category :Security
Release Phase :Resolved
Product :Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System  
Bug Id :6397275, 6403051  
Date of Resolved Release :17-APR-2006  

Security Vulnerability in sendmail(1M) Versions Prior to 8.13.6


Impact

A local or remote unprivileged user may be able to execute arbitrary code with elevated privileges or cause a Denial of Service (Dos) condition due to a security vulnerability in the sendmail(1M) daemon involving signal handling.

This issue is referenced in the following documents:

CVE-2006-0058 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058

CERT VU#834865 http://www.kb.cert.org/vuls/id/834865 which is referenced in CERT Technical Cyber Security Alert TA06-081A: http://www.us-cert.gov/cas/techalerts/TA06-081A.html


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

x86 Platform

  • Solaris 8 without patch 110616-14
  • Solaris 9 without patch 114137-05
  • Solaris 10 without patch 122857-01

Notes:

1. The current Solaris 8 sendmail patches (110615-13 for SPARC and 110616-13 for x86) update sendmail to version 8.11.7p1+Sun. This version of sendmail is affected by this vulnerability.

The Solaris 8 patches which will address this vulnerability will update sendmail to version 8.11.7p2+Sun. This is a minor change to this version of sendmail and this is tracked using BugID 6403051.

The Solaris 9 and 10 patches which address this issue will update sendmail directly to version 8.13.6+Sun.

2. This issue only affects systems which have sendmail enabled. Sendmail versions prior to 8.13.6 are impacted by this issue.

To determine the version of sendmail(1M) running on a system, the mconnect(1) command can be used, as in the following example:

    $ /usr/bin/mconnect
    connecting to host localhost (127.0.0.1), port 25
    connection open
    220 an.example.com ESMTP Sendmail 8.13.5+Sun/8.13.5; 
    Mon, 20 Mar 2006 17:07:57 GMT
    quit
    221 2.0.0 an.example.com closing connection

If sendmail is not running on the system the mconnect(1) command will report the following:

    $ /usr/bin/mconnect
    connecting to host localhost (127.0.0.1), port 25
    connect: Connection refused

Symptoms

There are no reliable symptoms that would indicate this issue has been exploited to execute arbitrary commands with elevated privileges on a system. The symptoms of the Denial of Service would be the sendmail daemon no longer running.


Workaround

Until patches can be applied, sites may wish to block access to the affected service from untrusted networks such as the Internet, or disable the sendmail daemon where possible. Use a firewall or other packet-filtering technology to block the appropriate network ports. Consult your vendor or your firewall documentation for detailed instructions on how to configure the ports.

The sendmail daemon can be disabled using the following commands:

For Solaris 9:

    # /etc/init.d/sendmail stop

This will disable sendmail on the running system but it will be restarted on reboot. To disable sendmail for future reboots, the '/etc/rc2.d/S88sendmail' script will need to be renamed so that it no longer begins with an 'S', as in the following example:

    # mv /etc/rc2.d/S88sendmail /etc/rc2.d/not-S88sendmail

For Solaris 10:

    # svcadm disable svc:/network/smtp:sendmail

This will disable the sendmail daemon for future reboots as well. To re-enable sendmail, the 'enable' subcommand can be supplied to svcadm(1M) with the same FMRI for sendmail above.


Resolution

This issue is addressed in the following releases:

SPARC Platform

x86 Platform

  • Solaris 8 with patch 110616-14 or later
  • Solaris 9 with patch 114137-05 or later
  • Solaris 10 with patch 122857-01 or later



Modification History


Date: 24-MAR-2006

24-Mar-2006:

  • Updated Contributing Factors

Date: 27-MAR-2006

27-Mar-2006:

  • Updated Contributing Factors and Relief/Workaround sections

Date: 30-MAR-2006

30-Mar-2006:

  • Updated Relief/Workaround section

Date: 03-APR-2006

03-Apr-2006:

  • Updated Contributing Factors and Resolution sections

Date: 07-APR-2006

07-Apr-2006:

  • Updated Contributing Factors and Resolution sections

Date: 17-APR-2006

17-Apr-2006:

  • Updated Contributing Factors and Resolution sections



Attachments
This solution has no attachment
 
Sun support customers:
more support information is available after you sign in.
 
»   Login
»   Register
»   Lost UserName/Password
 
Login Required

You must login and have a valid contract to access Sun's Premium content which includes:

  • Sun Alerts
  • Bugs
  • Patches
  • Solutions
  • White Papers
  • Documentation
  • Support Knowledge

Login Required

You must login and have a valid contract to access Sun's contracted features

Access Legend:

(Login to access)   Sun Contracted Content
(Login to access)   Sun Contracted Feature

Please make use of SunSolve Feedback application by selecting the floating [+] to provide feedback about this specific document.

Search
Article Details
Article ID : 200494
Article Type : Sun Alert
Last reviewed : 2010-01-04
Audience : PUBLIC
Keywords :
Provide feedback  (help)
Page Tools
»  Print This Page
»  Email This Article
»  Bookmark This Article
Security Support
»   Security Center
»   Report Security Vulnerabilities
»   Security PGP Key
»   Sun Alert Notifications - RSS Feeds
»   Sun Alert Notifications - eNewsletter
»   Solaris Fingerprint Database
 
SunSolve Navigation
»   Forums for contracted customers
»   Licenses
»   Log a Service Request
»   Patches and Updates
»   Product Download Center
»   SunSystem Handbook
»   SunSolve Japan
SunSolve Feedback, Help and Updates
»   Blog
»   Community
»   Feedback
»   Help
»   Learn about SunSolve
»   Twitter
About Oracle | Oracle and Sun | Oracle RSS Feeds | Subscribe | Careers | Contact Us | Site Maps | Legal Notices | Terms of Use | Your Privacy Rights | Copyright © 2010, Oracle Corporation and/or its affiliates | SunSolve Version 7.4.2 #1