Admins Urged To Upgrade Sendmail

by Phiber on August 25th, 2001

Security experts and vendors of Linux and other Unix-like operating systems are urging network administrators to replace some versions of popular e-mail server software known as Sendmail, because the most recent open-source versions can provide a doorway for local hackers. Since malicious individuals would need to gain command-line access to a server in order to exploit the vulnerability, the problem is greatest for organizations such as Internet service providers or universities that regularly provide shell access to users.

Cade Cairns, a member of the Security Focus Threat Analysis Team, reported late last week that hackers with access to run Sendmail from the command line of vulnerable systems could possibly gain administrator access to the server by supplying specially crafted commands. Since then, others have written software to demonstrate how hackers could automate the process of exploiting the vulnerability, which exists when Sendmail is commanded to run in "debug" mode.

"To exploit this vulnerability, an attacker must have the ability to pass command-line arguments to the Sendmail program," Cairns told Newsbytes. "Therefore, the attack must be performed using some sort of interface allowing system commands to be issued --- typically a shell, or perhaps even through a web interface of some sort."

Cairns said some service providers may allow Web authors to write and upload scripts that can access Sendmail.

Sendmail, ubiquitous on the Internet as a staple of Unix server configurations since the early 1980s, is available in an open-source incarnation from the Sendmail Consortium, whose software is bundled with a variety of Unix and Linux distributions and can be downloaded from the consortium's Web site. Cairns reported that the vulnerability was present in releases of the consortium's Sendmail versions above 8.10.0 and through 8.11.5 and in all beta versions of 11.12.0.

The consortium has since released a fixed version of the software (version 8.11.6) and a more-secure beta (8.12.0.Beta19). Additionally, some providers of Linux distributions, including SuSE and Conectiva, have already released packaged fixes containing the improved version of Sendmail.
Cairns said the debug-mode vulnerability was reminiscent of one fixed in 1994. He added that the new bug was the first security hole found in Sendmail since 1997.
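For administrators triaging many hosts against the version ranges reported above, the following is an added example (not code from the article or from the Sendmail Consortium) that classifies SMTP greeting banners. The host names and banners are constructed samples, and the code assumes that "above 8.10.0" means strictly greater and that 8.12.0 betas before Beta19 are affected.

```python
import re

# Ranges taken from the article. Assumption: "above 8.10.0" is read as
# strictly greater than 8.10.0; confirm the lower bound with your vendor.
LOWER_BOUND = (8, 10, 0)
LAST_AFFECTED = (8, 11, 5)   # 8.11.6 is the fixed release
BETA_SERIES = (8, 12, 0)
FIXED_BETA = 19              # 8.12.0.Beta19 is the fixed beta

VERSION_RE = re.compile(r"Sendmail (\d+)\.(\d+)\.(\d+)(?:\.Beta(\d+))?")

def classify(banner):
    """Return 'affected', 'not-listed' or 'unknown' for one SMTP banner."""
    m = VERSION_RE.search(banner)
    if not m:
        return "unknown"     # banner hides the version or is not Sendmail
    version = tuple(int(part) for part in m.group(1, 2, 3))
    beta = m.group(4)
    if beta is not None:
        if version != BETA_SERIES:
            return "unknown" # a beta series the article does not discuss
        return "affected" if int(beta) < FIXED_BETA else "not-listed"
    if LOWER_BOUND < version <= LAST_AFFECTED:
        return "affected"
    return "not-listed"

def hosts_to_upgrade(banners):
    """Given {host: banner}, return the sorted hosts that need the upgrade."""
    return sorted(h for h, b in banners.items() if classify(b) == "affected")

# Constructed sample input: host names and banners are illustrative only.
SAMPLE_BANNERS = {
    "shell1.example.edu": "220 shell1.example.edu ESMTP Sendmail 8.11.5/8.11.5; Sat, 25 Aug 2001 10:00:00 -0400",
    "shell2.example.edu": "220 shell2.example.edu ESMTP Sendmail 8.11.6/8.11.6; Sat, 25 Aug 2001 10:00:01 -0400",
    "beta.example.edu": "220 beta.example.edu ESMTP Sendmail 8.12.0.Beta16/8.12.0.Beta16; Sat, 25 Aug 2001 10:00:02 -0400",
    "mx.example.net": "220 mx.example.net ESMTP ready",
}

if __name__ == "__main__":
    for host, banner in sorted(SAMPLE_BANNERS.items()):
        print(host, classify(banner))
    print("upgrade:", hosts_to_upgrade(SAMPLE_BANNERS))
```

A banner reports only what the server is configured to announce, so hosts classified as "unknown" still need a check of the installed package version.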
