Users login

Create an account »

JOIN XATRIX

Users login

Home » Security Advisories» OpenPKG » Sendmail remote code execution

Sendmail remote code execution

According to a vendor security advisory based on research by from Mark Dowd of ISS X-Force, a vulnerability exists in the Sendmail MTA. Under some specific timing conditions, the vulnerability may permit a specifically crafted attack to take over the "sendmail" MTA process, allowing remote attackers to execute commands and run arbitrary programs on the system running the MTA, affecting email delivery, or tampering with other programs and data on this system.

  • Vendor: OpenPKG
  • Vendor ID: SA-2006.007
  • Date: March 22, 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory The OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
[email protected] [email protected]
OpenPKG-SA-2006.007 22-Mar-2006
________________________________________________________________________

Package: sendmail
Vulnerability: remote code execution
OpenPKG Specific: no

Affected Releases: Affected Packages: Corrected Packages:
OpenPKG CURRENT <= sendmail-8.13.5-20060219 >= sendmail-8.13.6-20060322
OpenPKG 2.5 <= sendmail-8.13.5-2.5.0 >= sendmail-8.13.5-2.5.1
OpenPKG 2.4 <= sendmail-8.13.4-2.4.0 >= sendmail-8.13.4-2.4.1
OpenPKG 2.3 <= sendmail-8.13.3-2.3.0 >= sendmail-8.13.3-2.3.1

Description:
According to a vendor security advisory [0] based on research by from
Mark Dowd of ISS X-Force, a vulnerability exists in the Sendmail MTA
[1]. Under some specific timing conditions, the vulnerability may
permit a specifically crafted attack to take over the "sendmail"
MTA process, allowing remote attackers to execute commands and run
arbitrary programs on the system running the MTA, affecting email
delivery, or tampering with other programs and data on this system.
The Common Vulnerabilities and Exposures (CVE) project assigned the id
CVE-2006-0058 [2] to the problem.
________________________________________________________________________

References:
[0] http://www.sendmail.com/company/advisory/index.shtml
[1] http://www.sendmail.org/
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG " (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG

iD8DBQFEIZ0ZgHWT4GPEy58RAq5gAKC8QqDZjjZWySX5yoLTK/F+T9WH7QCfR0Sf
bHZpRrZz7O6x3c9gNVtFdFw=
=UOQR
-----END PGP SIGNATURE-----

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »