__________________________________________________________
	
	                       The U.S. Department of Energy
	                   Computer Incident Advisory Capability
	                           ___  __ __    _     ___
	                          /       |     /_\   /
	                          \___  __|__  /   \  \___
	             __________________________________________________________
	
	                             INFORMATION BULLETIN
	
	                       Sendmail(1) Security Vulnerability
	                             [Sun Alert ID: 57696]
	
	December 15, 2004 17:00 GMT                                       Number P-059
	______________________________________________________________________________
	PROBLEM:       There is a security vulnerability when sendmail(1) does not 
	               check length of DNS replies. 
	PLATFORM:      SPARC Platform Solaris 9 without patch 113575-01 
	DAMAGE:        A buffer overflow in the sendmail(1M) daemon. 
	SOLUTION:      Upgrade to the appropriate version. 
	______________________________________________________________________________
	VULNERABILITY  The risk is LOW. A local or remote unprivileged user may have 
	ASSESSMENT:    the ability to gain unauthorized root access or create a DoS.
	               To be successful, exploit requires sendmail to point to an 
	               already compromised DNS server.  
	______________________________________________________________________________
	LINKS: 
	 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-059.shtml 
	 ORIGINAL BULLETIN:  Sun Alert ID: 57696                                                         
	                     http://www.sunsolve.sun.com/search/document.do?assetkey=
	                       1-26-57696-1&searchclause=%22category:security%22%20%22
	                       availability,%20security%22 
	______________________________________________________________________________
	[***** Start Sun Alert ID: 57696 *****]
	
	Sun(sm) Alert Notification 
	
	Sun Alert ID: 57696 
	Synopsis: Security Vulnerability When sendmail(1) Does Not Check Length of DNS 
	  Replies 
	Category: Security 
	Product: Solaris 
	BugIDs: 4704672 
	Avoidance: Patch 
	State: Resolved 
	Date Released: 08-Dec-2004 
	Date Closed: 08-Dec-2004 
	Date Modified: 
	
	1. Impact A local or remote unprivileged user may have the ability to gain 
	unauthorized root access or create a Denial of Service (DoS) condition due to 
	a buffer overflow in the sendmail(1M) daemon. 
	
	This issue is described in CERT Vulnerability Note VU#814627 at 
	http://www.kb.cert.org/vuls/id/814627. 
	
	2. Contributing Factors This issue can occur in the following release: 
	
	SPARC Platform 
	
	*  Solaris 9 without patch 113575-01 
	
	Notes: 
	
	1.  Solaris 7 and 8 on the SPARC platform are not affected by this issue. 
	2.  Solaris 7, 8, and 9 on the x86 Platform are not affected by this issue. 
	
	The following two conditions must be present to exploit these vulnerabilities: 
	
		*  sendmail(1M) must be configured to reference DNS TXT records 
		*  when sendmail is looking up a TXT record through a DNS server, that 
	       lookup would have to go to a DNS server that has been compromised 
	
	To determine if a system is configured to reference DNS TXT records, the 
	following command can be run: 
	
	    $ grep TXT /etc/mail/sendmail.cf
	    Kdnstxt dns -R TXT                       
		
	If no output was generated after running the above command then the system 
	is not at risk. (The output above is only one example and may vary). Also 
	note that the default sendmail(1M) configuration file does not specify TXT 
	records. 
	
	A Denial of Service condition may exist if the sendmail(1M) daemon is no 
	longer running, which can be determined by running the following command: 
	
	    $ /usr/bin/ps -ef | grep sendmail
	    root 336 1 0 Jan 20 ? 0:03 /usr/lib/sendmail -bd -q15m                        
		
	3. Symptoms There are no reliable symptoms that would indicate the described 
	issue has been exploited to gain unauthorized root access to a host. 
	
	A Denial of Service condition is present if the sendmail(1M) daemon is no 
	longer running. 
	
	Solution Summary Top 
	4. Relief/Workaround Until the appropriate patch can be applied, sites may 
	wish to block access to the affected service from untrusted networks such 
	as the Internet, or disabling the daemon where possible. Use of a firewall 
	or other packet-filtering technology may be necessary to block the 
	appropriate network ports. Consult your vendor or your firewall 
	documentation for detailed instructions on how to configure the ports. 
	
	To disable sendmail(1M) the following command can be executed (as "root"): 
	
	    # /etc/init.d/sendmail stop                        
		
	This will prevent the system from receiving e-mail messages until sendmail(1M) 
	is started again with the following command: 
	
	    # /etc/init.d/sendmail start                        
		
	5. Resolution This issue is addressed in the following release: 
	
	SPARC Platform 
	
	*  Solaris 9 with patch 113575-01 or later 
	
	This Sun Alert notification is being provided to you on an "AS IS" basis. This 
	Sun Alert notification may contain information provided by third parties. The 
	issues described in this Sun Alert notification may or may not impact your 
	system(s). Sun makes no representations, warranties, or guarantees as to the 
	information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, 
	INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 
	PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING 
	THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY 
	DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE 
	OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun 
	Alert notification contains Sun proprietary and confidential information. It 
	is being provided to you pursuant to the provisions of your agreement to 
	purchase services from Sun, or, if you do not have such an agreement, the 
	Sun.com Terms of Use. This Sun Alert notification may only be used for the 
	purposes contemplated by these agreements. 
	
	Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, 
	CA 95054 U.S.A. All rights reserved. 
	
	
	
	[***** End Sun Alert ID: 57696 *****]
	_______________________________________________________________________________
	
	CIAC wishes to acknowledge the contributions of Sun Microsystems for the 
	information contained in this bulletin.
	_______________________________________________________________________________
	
	
	CIAC, the Computer Incident Advisory Capability, is the computer
	security incident response team for the U.S. Department of Energy
	(DOE) and the emergency backup response team for the National
	Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
	National Laboratory in Livermore, California. CIAC is also a founding
	member of FIRST, the Forum of Incident Response and Security Teams, a
	global organization established to foster cooperation and coordination
	among computer security teams worldwide.
	
	CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
	can be contacted at:
	    Voice:    +1 925-422-8193 (7x24)
	    FAX:      +1 925-423-8002
	    STU-III:  +1 925-423-2604
	    E-mail:   ciac@ciac.org
	
	Previous CIAC notices, anti-virus software, and other information are
	available from the CIAC Computer Security Archive.
	
	   World Wide Web:      http://www.ciac.org/
	   Anonymous FTP:       ftp.ciac.org
	
	PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
	communities receive CIAC bulletins.  If you are not part of these
	communities, please contact your agency's response team to report
	incidents. Your agency's team will coordinate with CIAC. The Forum of
	Incident Response and Security Teams (FIRST) is a world-wide
	organization. A list of FIRST member organizations and their
	constituencies can be obtained via WWW at http://www.first.org/.
	
	This document was prepared as an account of work sponsored by an
	agency of the United States Government. Neither the United States
	Government nor the University of California nor any of their
	employees, makes any warranty, express or implied, or assumes any
	legal liability or responsibility for the accuracy, completeness, or
	usefulness of any information, apparatus, product, or process
	disclosed, or represents that its use would not infringe privately
	owned rights. Reference herein to any specific commercial products,
	process, or service by trade name, trademark, manufacturer, or
	otherwise, does not necessarily constitute or imply its endorsement,
	recommendation or favoring by the United States Government or the
	University of California. The views and opinions of authors expressed
	herein do not necessarily state or reflect those of the United States
	Government or the University of California, and shall not be used for
	advertising or product endorsement purposes.
	
	LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
	
	P-049: Apple Security Update 2004-12-02
	P-050: "in.rwhod" Daemon Vulnerability
	P-051: SMB Password Disclosure
	P-052: Updated imlib Packages Fix Security Vulnerabilities
	P-053: Microsoft DHCP Vulnerabilities
	P-054: Microsoft WINS Vulnerability
	P-055: Microsoft WordPad Vulnerability
	P-056: Microsoft HyperTerminal Vulnerability
	P-057: Microsoft Windows Kernel and LSASS Vulnerabilities
	P-058: Sun Java System Web and Application Server Security Vulnerability