MESSAGE
DATE | 2003-03-03 |
FROM | From: "Adam Kosmin"
|
SUBJECT | Subject: [hangout] (fwd) SANS Alert - Critical Vulnerability in Sendmail and a Snort Vulnerability
|
From owner-hangout-desteny-at-mrbrklyn.com Mon Mar 3 14:26:48 2003
Received: from www2.mrbrklyn.com (localhost [127.0.0.1]) by mrbrklyn.com (8.12.3/8.11.2/SuSE Linux 8.11.1-0.5) with ESMTP id h23JQm8X018107 for ; Mon, 3 Mar 2003 14:26:48 -0500
Received: (from mdom-at-localhost) by www2.mrbrklyn.com (8.12.3/8.12.3/Submit) id h23JQmF8018106 for hangout-desteny; Mon, 3 Mar 2003 14:26:48 -0500
X-Authentication-Warning: www2.mrbrklyn.com: mdom set sender to owner-hangout-at-www2.mrbrklyn.com using -f
Received: from www2.mrbrklyn.com (localhost [127.0.0.1]) by mrbrklyn.com (8.12.3/8.11.2/SuSE Linux 8.11.1-0.5) with ESMTP id h23JQm8X018101 for ; Mon, 3 Mar 2003 14:26:48 -0500
Received: (from ruben-at-localhost) by www2.mrbrklyn.com (8.12.3/8.12.3/Submit) id h23JQm9H018100 for hangout-at-www2.mrbrklyn.com; Mon, 3 Mar 2003 14:26:48 -0500
Received: from mail.med.cornell.edu (mail.med.cornell.edu [140.251.3.3]) by mrbrklyn.com (8.12.3/8.11.2/SuSE Linux 8.11.1-0.5) with ESMTP id h23JNc8X018032 for ; Mon, 3 Mar 2003 14:23:38 -0500
Received: from koz ([140.251.195.17]) by mail.med.cornell.edu (Netscape Messaging Server 3.6) with ESMTP id AAA3F2C2 for ; Mon, 3 Mar 2003 14:25:53 -0500
Received: from akosmin by koz with local (Exim 3.36 #1 (Debian)) id 18pvRF-00068b-00 for ; Mon, 03 Mar 2003 14:17:25 -0500
Date: Mon, 3 Mar 2003 14:17:25 -0500
To: hangout-at-nylxs.com
Subject: [hangout] (fwd) SANS Alert - Critical Vulnerability in Sendmail and a Snort Vulnerability
Message-ID: <20030303191725.GR23291-at-koz.nyp.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="o99acAvKqrTZeiCU"
User-Agent: Mutt/1.5.3i
From: "Adam Kosmin"
Sender: owner-hangout-at-mrbrklyn.com
Reply-To: "Adam Kosmin"
List: New Yorkers Linux Scene
Admin: To unsubscribe send unsubscribename-at-domian.com to hangout-request-at-www2.mrbrklyn.com
----- Forwarded message from The SANS Institute -----
Subject: SANS Alert - Critical Vulnerability in Sendmail and a Snort Vulnerability
From: The SANS Institute
To: Adam Kosmin (SD646867)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SANS Alert 2003-03-03
Critical vulnerability in all versions of SENDMAIL
Plus a Snort Vulnerability
And an invitation to a web broadcast on the vulnerabilities (SANS Alumni get a two hour window to register before the Invitation goes to others)
The Sendmail Vulnerability
What systems are affected? UNIX and Linux systems running sendmail - probably even those that are not mail servers.
Level: CRITICAL - affords root or superuser access
A new critical vulnerability has been discovered in Sendmail. The UNIX and Linux vendors have been working feverishly to get a patch ready and most are available now. Sendmail is too big a target for attackers to ignore, so it makes sense to act immediately to protect your systems.
In this note you will find:
(1) The invitation to the webcast (SANS alumni get a two hour head start for registering and only 2,000 people can be accommodated) covering both vulnerabilities
(2) The ISS advisory on the new vulnerability and where to find patches
(3) A description of what government and industry did to try to mitigate damage from this newly discovered vulnerability
(4) The Department of Homeland Security Alert on the Snort Vulnerability
********************************************************
SANS Web Broadcast (free) on the Sendmail Vulnerability and the Snort Vulnerability

Date: March 3, 2003 (today)
Time: 7 PM EST (0000 UTC)
Register at: http://www.sans.org/webcasts/030303.php
There is an absolute limit of 2,000 people on the live program to ensure quality audio, but the archive will be available about 5 hours later for anyone who does not get a reservation.
Featuring the ISS X-Force folks (ISS discovered the vulnerability) and Hal Pomeranz (sendmail expert) on the Sendmail vulnerability; Marty Roesch, author of Snort, will brief you on the Snort vulnerability.
Below you'll find the ISS advisory followed by a brief description of what happened behind the scenes inside the Department of Homeland Security.
***********************************************************************
Here's the ISS advisory
Internet Security Systems Security Advisory March 3, 2003
Remote Sendmail Header Processing Vulnerability
Synopsis:
ISS X-Force has discovered a buffer overflow vulnerability in the Sendmail Mail Transfer Agent (MTA). Sendmail is the most common MTA and has been documented to handle between 50% and 75% of all Internet email traffic.
Impact:
Attackers may remotely exploit this vulnerability to gain "root" or superuser control of any vulnerable Sendmail server. Sendmail and all other email servers are typically exposed to the Internet in order to send and receive Internet email. Vulnerable Sendmail servers will not be protected by legacy security devices such as firewalls and/or packet filters. This vulnerability is especially dangerous because the exploit can be delivered within an email message and the attacker doesn't need any specific knowledge of the target to launch a successful attack.
Affected Versions:
Sendmail versions from 5.79 to 8.12.7 are vulnerable.

Note: Both the commercial and the open source Sendmail, in the affected versions and on all platforms, are known to be vulnerable.
Description:
The Sendmail remote vulnerability occurs when processing and evaluating header fields in email collected during an SMTP transaction. Specifically, when fields are encountered that contain addresses or lists of addresses (such as the "From" field, "To" field and "CC" field), Sendmail attempts to semantically evaluate whether the supplied address (or list of addresses) are valid. This is accomplished using the crackaddr() function, which is located in the headers.c file in the Sendmail source tree.
A static buffer is used to store data that has been processed. Sendmail detects when this buffer becomes full and stops adding characters, although it continues processing. Sendmail implements several security checks to ensure that characters are parsed correctly. One such security check is flawed, making it possible for a remote attacker to send an email with a specially crafted address field that triggers a buffer overflow.
X-Force has demonstrated that this vulnerability is exploitable in real- world conditions on production Sendmail installations. This vulnerability is readily exploitable on x86 architecture systems, and may be exploitable on others as well.
Protection mechanisms such as implementation of a non-executable stack do not offer any protection from exploitation of this vulnerability. Successful exploitation of this vulnerability does not generate any log entries.
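The description above gives the shape of the bug without the code: a fixed-size destination, a "stop copying when full" check that is itself sound, and a second piece of bookkeeping that moves the limit the check compares against. The following is an added illustration written for this page, not sendmail's crackaddr() and not code from the ISS advisory. It models that bug class in C with invented names (copy_addr, anglelev, limit, BUFLEN, SLACK) and an invented accounting rule (only the outermost '<' reserves a byte, every '>' releases one); sendmail's real rules differ in detail. The crafted input is constructed here, and the SLACK region exists only so the demo can observe an overrun without corrupting real memory.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the crackaddr() bug class (not sendmail's code):
 * a fixed-size destination, a write limit the parser moves as it enters
 * and leaves angle-bracketed address parts, and an accounting error that
 * lets the limit drift past the real end of the buffer.
 */

#define BUFLEN 16   /* tiny on purpose; sendmail's buffer is much larger */
#define SLACK  128  /* demo-only sandbox behind the buffer; the real parser
                       has nothing like it */

/* Copies in[] into buf[] and returns the byte count written (without the
 * NUL). buf must be followed by SLACK writable bytes: the flawed variant
 * may write past buflen. 'fixed' selects the corrected accounting. */
size_t copy_addr(const char *in, unsigned char *buf, size_t buflen, int fixed)
{
    unsigned char *bp = buf;
    unsigned char *bufend = buf + buflen;              /* one past the buffer */
    unsigned char *limit = bufend - 1;                 /* room for the NUL */
    unsigned char *hardend = buf + buflen + SLACK - 1; /* sandbox only */
    int anglelev = 0;

    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;

        if (c == '<') {
            /* Entering a bracketed part: reserve one byte so the matching
             * '>' can always be appended. Only the outermost '<' reserves. */
            if (anglelev++ == 0)
                limit--;
        } else if (c == '>' && anglelev > 0) {
            anglelev--;
            if (!fixed) {
                /* FLAW: every '>' releases a reservation, but only the
                 * outermost '<' took one, so "<<>>" nets the limit +1 each
                 * time and nothing stops it moving past bufend. */
                limit++;
            } else if (anglelev == 0) {
                /* FIX: release only what was reserved, and never let the
                 * limit leave the real buffer. */
                if (limit < bufend - 1)
                    limit++;
            }
        }

        /* "Stops adding characters when full but keeps parsing": this
         * check is sound; in the flawed variant it is the limit it
         * compares against that has been pushed out of bounds. */
        if (bp < limit) {
            if (bp >= hardend)   /* sandbox guard, demo only */
                break;
            *bp++ = c;
        }
    }
    *bp = '\0';
    return (size_t)(bp - buf);
}

/* Constructed input: "<<>>" repeated reps times. */
const char *crafted_address(int reps)
{
    static char addr[1024];
    size_t n = 0;
    memset(addr, 0, sizeof addr);
    for (int i = 0; i < reps && n + 4 < sizeof addr; i++) {
        memcpy(addr + n, "<<>>", 4);
        n += 4;
    }
    addr[n] = '\0';
    return addr;
}

/* Parses once inside the sandbox and reports how many bytes landed past
 * the logical BUFLEN-byte buffer (0 means the copy stayed in bounds). */
size_t overrun_bytes(const char *in, int fixed)
{
    unsigned char mem[BUFLEN + SLACK];
    memset(mem, 0, sizeof mem);
    size_t written = copy_addr(in, mem, BUFLEN, fixed);
    return written > BUFLEN ? written - BUFLEN : 0;
}

int main(void)
{
    const char *addr = crafted_address(60);
    printf("flawed: %zu bytes past the buffer\n", overrun_bytes(addr, 0));
    printf("fixed:  %zu bytes past the buffer\n", overrun_bytes(addr, 1));
    return 0;
}
```

With 60 repetitions the flawed variant writes 59 bytes past the 16-byte buffer while the corrected accounting writes none, and the input is nothing but brackets, which is why a crafted address field rather than an oversized one is what triggers this class of bug. In the model, as in the advisory's description, the destination is a static buffer rather than a stack frame, which is consistent with the advisory's note that a non-executable stack gives no protection here.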
[removed ISS product-specific information which may be found at https://gtoc.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950]
For Manual Protection, the affected vendor has offered the following recommendations:
Sendmail urges all users to either upgrade to Sendmail 8.12.8 or apply a patch for 8.12.x (or for older versions). Updates can be downloaded from ftp.sendmail.org or any of its mirrors (try a mirror near to you first), see http://www.sendmail.org/ for details. Remember to check the PGP signatures of patches or releases obtained. For those not running the open source version, check with your vendor for a patch. Sendmail, Inc., the commercial provider of the sendmail MTA, is providing a binary patch for their commercial customers. The patch can be downloaded from Sendmail's Web site at: http://www.sendmail.com/
Sendmail versions that are patched will record the following log entry when exploitation is attempted: "Dropped invalid comments from header address".
Vendor Notification Schedule:
Initial vendor notification: 1/13/2003
Initial vendor confirmation: 1/13/2003
Final release schedule confirmation: 1/31/2003
ISS X-Force worked with Sendmail throughout the notification and release process. X-Force would like to thank Sendmail for their cooperation as well as the National Infrastructure Protection Center (NIPC) for coordinating this issue with elements of National critical infrastructure.
Additional Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2002-1337 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
If you are a RealSecure Server Sensor customer, please email Support-at-iss.net for additional protection information. Please enter the words "Server Sensor - Sendmail" in the subject line of your email.
X-Force Database http://www.iss.net/security_center/static/10748.php
For more information on ISS methodology and procedures involved in Security Advisory publication, please review the X-Force Vulnerability Disclosure Guidelines document: http://documents.iss.net/literature/vulnerability_guidelines.pdf
Credit:
This vulnerability was discovered and researched by Mark Dowd of the ISS X-Force.
====
Background on government/industry cooperation to mitigate damage
Sendmail
The Sendmail Vulnerability Announced Today, March 3, 2003 How Well Did The Cyber Defense Community Do?
Today, hundreds of thousands of people learned of a vulnerability in the sendmail program which is widely used for Internet mail handling. A vulnerability in such a widely used open source software program presents difficult challenges for the cyber defense community - including the need to get more than twenty different software organizations to act quickly and silently to develop patches.
Three primary actions are required to respond effectively to such a vulnerability:
1. Verify that the vulnerability exists and is important.
2. Contact the key technical personnel at each of the software companies and other groups that distribute sendmail (either alone or with other software) and ensure that they develop and test patches and make them ready for widespread distribution.
3. Plan and execute an early warning and distribution strategy that enables critical infrastructure organizations in the US and in partner countries to be prepared for rapid deployment of the patches once they are ready. This must be accomplished without leaking data about the vulnerability to the black hat community that exploits such vulnerabilities by creating worms like Code Red, Slapper, and Slammer.

When possible, several other actions may be appropriate:

4. Provide military and other very sensitive organizations with early access to the patches so their systems can be protected even before public disclosure of the vulnerability.
5. Use sensor networks with smart filters to test for exploitation.
6. Develop and distribute filters that can block the offending packets to protect systems that cannot or will not install patches immediately.
On Saturday, March 1, 2003, the US Department of Homeland Security became fully operational, although the elements of the new department had been working together for several weeks. In cybersecurity, the new Department brings together four highly visible cybersecurity agencies: (1) The National Infrastructure Protection Center from the FBI, (2) FedCIRC from the General Services Administration, (3) the National Communications System program from the US Department of Defense, and (4) the Critical Infrastructure Assurance Office from the Department of Commerce.
Today's disclosure of a vulnerability in sendmail offers the opportunity to see how quickly and effectively the cyber defense community, led by this new Department, can respond to important threats.
Sendmail's vulnerability offers a legitimate test because sendmail handles a large amount of Internet mail traffic and is installed on at least 1.5 million Internet-connected systems. More than half of the large ISPs and Fortune 500 companies use sendmail, as do tens of thousands of other organizations. A security hole in sendmail affects a lot of people and demands their immediate attention.
You can draw your own conclusion on how well the problem is being handled. Here are the facts:
1. On Friday, February 14, telephone calls to the Department of Homeland Security (DHS) and the White House Office of Cyberspace Security alerted the US government to a suspected sendmail vulnerability. The source of the data was Internet Security Systems (ISS), a well-respected security firm with solid security research credentials, giving the data an initial base level of credibility. However, to be more certain, DHS technical experts reviewed the details of the vulnerability and especially the tests that ISS had run to prove the existence and severity of the vulnerability. They were convinced.
2. Almost immediately the DHS/White House team, working with ISS, contacted vendors that distribute sendmail, including Sun, IBM, HP, and SGI, as well as the Sendmail Consortium, the organization that develops the open source version of sendmail that is the core of sendmail distributed with both free and commercial operating systems. Partially because of government involvement, but primarily because the vulnerability involved the widely used sendmail package, the vendors immediately started working together on patches.
3. The DHS/White House staff contacted and shared what they knew with the US Department of Defense and the Federal CIO Council. Through the Federal CIO Council, the US FedCIRC and US Office of Management and Budget were added to the coordinating team. Together the government planners, ISS, and the vendors developing patches worked out a plan for public dissemination of the vulnerability information and patch distribution.
4. To help ensure that the open source LINUX and BSD distributions (Red Hat, SUSE, OpenBSD, etc.) developed patches, the Computer Emergency Response Team at Carnegie Mellon University (CERT/CC) was brought into the project. CERT/CC deployed its formalized process to inform the LINUX and BSD distribution developers and to assist them in getting the corrected source code and any additional knowledge needed to create the patch. CERT/CC (which is funded, in part, by two organizations being merged into DHS and by the DoD) also created an advisory to educate system administrators and the security community in general on the vulnerability, on which systems are affected, and on where to get the patches for each affected system.
5. Some of the large commercial vendors developed the patches very quickly, but the delayed notice to smaller sources of sendmail distributions and limited resources at those organizations meant that not all the patches would be ready by early in the week of February 23. The coordinating group faced a decision of whether to release data about the exploit before most patches were ready or to wait. The answer depended on whether they had reason to believe an exploit was already being used by attackers. They had two sources of information that led them to conclude waiting an extra week was acceptable. First, people who monitored the hacker discussion groups reported that this vulnerability did not seem to be one that was being discussed. Second, the organization that discovered the vulnerability, ISS, had deployed sensors for the exploit in a number of places around the world. Those sensors were showing no exploits. Based on both sets of data, the coordination group decided to schedule the announcement for Monday, March 3. A second-order reason to schedule a Monday announcement was that some members of the team believed that Monday-Tuesday announcements generate more rapid and complete patching than announcements made late in the week.
6. Since some of the patches were ready, the coordination group decided to provide what was available to the US DoD so that military sites could have the protection as early as possible. The military distributions took place on or around February 25 and 26.
7. On February 27 and 28, government groups in the US and in several other countries were given early warnings, without details about how the vulnerability could be exploited, to help them plan for rapid deployment of the patches when they were released on March 3. In addition to the Chief Information Officers of US Cabinet level departments, and the directors or deputy directors of national cyber security offices in several other countries, the officers of the critical infrastructure Information Sharing And Analysis Centers (ISACs) were also briefed so they could be ready for rapid information distribution to commercial organizations such as banks and utilities, that comprise the critical infrastructure.
8. On March 3, beginning about 10 am EST, alerts began flowing to federal agencies from FedCIRC and to the critical infrastructure companies from the ISACs. At noon, ISS released their advisory, followed by CERT/CC's general release. Once the data was public, the SANS Institute also issued a release and scheduled free web-based education programs.
====

DHS/NIPC Advisory 03-003 Snort Buffer Overflow Vulnerability
The Department of Homeland Security (DHS), National Infrastructure Protection Center (NIPC) has been informed of a recently discovered serious vulnerability in Snort, a widely used Intrusion Detection System, IDS. DHS/NIPC has been working closely with the Internet security industry on vulnerability awareness and is issuing this advisory in conjunction with public announcements.
Snort is available in open source and commercial versions from Sourcefire, a privately held company headquartered in Columbia, MD. Details are available from Sourcefire. See Snort Vulnerability Advisory [SNORT-2003-001]. The affected Snort versions include all versions of Snort from version 1.8 through current. Snort 1.9.1 has been released to resolve this issue.

The vulnerability was discovered by Internet Security Systems (ISS), and is a buffer overflow in the Snort Remote Procedure Call (RPC) normalization routines. This buffer overflow can cause Snort to execute arbitrary code embedded within sniffed network packets. Depending upon the particular implementation of Snort this may give local and remote users almost complete control of a vulnerable machine. The affected RPC normalization code is enabled by default. Mitigation instructions for immediate protection prior to installing patches or upgrading are described in the Snort Vulnerability Advisory.
Due to the seriousness of this vulnerability, the DHS/NIPC strongly recommends that system administrators or security managers who employ Snort take this opportunity to review their security procedures and patch or upgrade software with known vulnerabilities.
Sourcefire has acquired additional bandwidth and hosting to aid users wishing to upgrade their Snort implementation. Future information can be found at: http://www.sourcefire.com/
As always, computer users are advised to keep their anti-virus and systems software current by checking their vendor's web sites frequently for new updates and to check for alerts put out by the DHS/NIPC, CERT/CC, ISS and other cognizant organizations. The DHS/NIPC encourages recipients of this advisory to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) and other appropriate authorities. Recipients may report incidents online to http://www.nipc.gov/incident/cirr.htm. The DHS/NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch-at-fbi.gov.
== end ==

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+Y50j+LUG5KFpTkYRAnk8AJ9Uicv/85eza2mZ+EVSzZftbb/yAwCfdGyE
pBIkIyFSXEJInvr9ZThdYTU=
=cRn4
-----END PGP SIGNATURE-----
----- End forwarded message -----
-- 
"Silly hacker, root is for administrators" - Unknown
GnuPG Key : 11C2 79F6 BD3D 3A86 5640 3DA0 3860 B30E 711D 3B66
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+Y6pFOGCzDnEdO2YRAq7QAJ9Azz/Mna260vXe3sKY3BzF3RAGKgCeI6F9
rXGZ0qIbbJpLzje2OMrulzg=
=uPfU
-----END PGP SIGNATURE-----
5. Some of the large commercial vendors developed the patches very quickly, but the delayed notice to smaller sources of sendmail distributions and limited resources at those organizations meant that not all the patches would be ready by early in the week of February 23. The coordinating group faced a decision of whether to release data about the exploit before most patches were ready or to wait. The answer depended on whether they had reason to believe an exploit was already being used by attackers. They had two sources of information that led them to conclude waiting an extra week was acceptable. First, people who monitored the hacker discussion groups reported that this vulnerability did not seem to be one that was being discussed. Second, the organization that discovered the vulnerability, ISS, had deployed sensors for the exploit in a number of places around the world. Those sensors were showing no exploits. Based on both sets of data, the coordination group decided to schedule the announcement for Monday, March 3. A second-order reason to schedule a Monday announcement was that some members of the team believed that Monday-Tuesday announcements generate more rapid and complete patching than announcements made late in the week.
6. Since some of the patches were ready, the coordination group decided to provide what was available to the US DoD so that military sites could have the protection as early as possible. The military distributions took place on or around February 25 and 26.
7. On February 27 and 28, government groups in the US and in several other countries were given early warnings, without details about how the vulnerability could be exploited, to help them plan for rapid deployment of the patches when they were released on March 3. In addition to the Chief Information Officers of US Cabinet level departments, and the directors or deputy directors of national cyber security offices in several other countries, the officers of the critical infrastructure Information Sharing And Analysis Centers (ISACs) were also briefed so they could be ready for rapid information distribution to the commercial organizations, such as banks and utilities, that comprise the critical infrastructure.
8. On March 3, beginning about 10 am EST, alerts began flowing to federal agencies from FedCIRC and to the critical infrastructure companies from the ISACs. At noon, ISS released their advisory, followed by CERT/CC's general release. Once the data was public, the SANS Institute also issued a release and scheduled free web-based education programs.
====
DHS/NIPC Advisory 03-003 Snort Buffer Overflow Vulnerability
The Department of Homeland Security (DHS), National Infrastructure Protection Center (NIPC) has been informed of a recently discovered serious vulnerability in Snort, a widely used Intrusion Detection System, IDS. DHS/NIPC has been working closely with the Internet security industry on vulnerability awareness and is issuing this advisory in conjunction with public announcements.
Snort is available in open source and commercial versions from Sourcefire, a privately held company headquartered in Columbia, MD. Details are available from Sourcefire. See Snort Vulnerability Advisory [SNORT-2003-001]. The affected Snort versions include all versions of Snort from version 1.8 through current. Snort 1.9.1 has been released to resolve this issue.
The vulnerability was discovered by Internet Security Systems (ISS), and is a buffer overflow in the Snort Remote Procedure Call, RPC, normalization routines. This buffer overflow can cause snort to execute arbitrary code embedded within sniffed network packets. Depending upon the particular implementation of Snort this may give local and remote users almost complete control of a vulnerable machine. The vulnerability is enabled by default. Mitigation instructions for immediate protections prior to installing patches or upgrading are described in the Snort Vulnerability Advisory.
Due to the seriousness of this vulnerability, the DHS/NIPC strongly recommends that system administrators or security managers who employ Snort take this opportunity to review their security procedures and patch or upgrade software with known vulnerabilities.
Sourcefire has acquired additional bandwidth and hosting to aid users wishing to upgrade their Snort implementation. Future information can be found at: http://www.sourcefire.com/
As always, computer users are advised to keep their anti-virus and systems software current by checking their vendor's web sites frequently for new updates and to check for alerts put out by the DHS/NIPC, CERT/CC, ISS and other cognizant organizations. The DHS/NIPC encourages recipients of this advisory to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) and other appropriate authorities. Recipients may report incidents online to http://www.nipc.gov/incident/cirr.htm. The DHS/NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch-at-fbi.gov.
== end ==
----- End forwarded message -----
-- 
"Silly hacker, root is for administrators" - Unknown
GnuPG Key : 11C2 79F6 BD3D 3A86 5640 3DA0 3860 B30E 711D 3B66
____________________________
NYLXS: New Yorker Free Software Users Scene
Fair Use - because it's either fair use or useless....
NYLXS is a trademark of NYLXS, Inc