Hi Lisa, I absolutely agree with you that this is a major vulnerability. But the following was included in the release notes for xpu 20.9:
10748 SMTP_Sendmail_Header_Parse_Overflow Unauthorized Access Attempt High IMHO this is already a bit too much information for the release in a Public Mailinglist. Everyone who is reading the issforum list did have the knowledge about the vulnerable daemon (sendmail) and the part which is vulnerable (the SMTP header parsing code). And as sendmail is open source I think 6 weeks is enough to find the vulnerable code segment in the sendmail code and maybe even enough time to write an exploit BEFORE any vendor released informations or patches about the vulnerability. I use RealSecure since a couple of years and I really like it, but I think if such a major vulnerability is found it should not be made public in any way till an official vendor advisory is released. Regards Bjoern -----Original Message----- From: Washburn, Lisa (ISSAtlanta) [mailto:[EMAIL PROTECTED] Sent: Monday, March 03, 2003 11:31 PM To: Bj�rn Fr�be; [EMAIL PROTECTED] Subject: RE: [ISSForum] ISS Security Brief: Remote Sendmail Header Processing Vulnerability Per ISS' vulnerability disclosure guidelines, we contact the vendor once we discover a vulnerability like this one, and we work with that vendor to establish a timely release for the advisory. If we don't already have protection in our software for the particular vulnerability, we will release protection as soon as possible, but we will not divulge specifics about the vulnerability until the release of the advisory. For more information, please reference:http://documents.iss.net/literature/vulnerability_guidelines.pdf Thanks, Lisa Washburn Product Manager -----Original Message----- From: Bj�rn Fr�be [mailto:[EMAIL PROTECTED] Sent: Monday, March 03, 2003 1:49 PM To: [EMAIL PROTECTED] Subject: RE: [ISSForum] ISS Security Brief: Remote Sendmail Header Processing Vulnerability Hi, as the RS signature was included in XPU 20.9 (released in January) why was the "official" advisory held back till now? Regards Bjoern -----Original Message----- From: X-Force [mailto:[EMAIL PROTECTED] Posted At: Monday, March 03, 2003 5:53 PM Posted To: ISS Mailingliste Conversation: [ISSForum] ISS Security Brief: Remote Sendmail Header Processing Vulnerability Subject: [ISSForum] ISS Security Brief: Remote Sendmail Header Processing Vulnerability *** PGP Signature Status: unknown *** Signer: Unknown, Key ID = 0x7DF5E1BD *** Signed: 03.03.2003 17:52:20 *** Verified: 04.03.2003 07:38:47 *** BEGIN PGP VERIFIED MESSAGE *** Internet Security Systems Security Brief March 3, 2002 Remote Sendmail Header Processing Vulnerability Synopsis: ISS X-Force has discovered a buffer overflow vulnerability in the Sendmail Mail Transfer Agent (MTA). Sendmail is the most common MTA and has been documented to handle between 50% and 75% of all Internet email traffic. Impact: Attackers may remotely exploit this vulnerability to gain "root" or superuser control of any vulnerable Sendmail server. Sendmail and all other email servers are typically exposed to the Internet in order to send and receive Internet email. Vulnerable Sendmail servers will not be protected by legacy security devices such as firewalls and/or packet filters. This vulnerability is especially dangerous because the exploit can be delivered within an email message and the attacker doesn't need any specific knowledge of the target to launch a successful attack. Affected Versions: Sendmail versions from 5.79 to 8.12.7 are vulnerable Note: The affected versions of Sendmail commercial, Sendmail open source running on all platforms are known to be vulnerable. For the complete ISS X-Force Security Advisory, please visit: http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950 ______ About Internet Security Systems (ISS) Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East. Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this document. It is not to be edited or altered in any way without the express written consent of the Internet Security Systems X-Force. If you wish to reprint the whole or any part of this document in any other medium excluding electronic media, please email [EMAIL PROTECTED] for permission. Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information. X-Force PGP Key available on MIT's PGP key server and PGP.com's key server, as well as at http://www.iss.net/security_center/sensitive.php Please send suggestions, updates, and comments to: X-Force [EMAIL PROTECTED] of Internet Security Systems, Inc. *** END PGP VERIFIED MESSAGE *** _______________________________________________ ISSForum mailing list [EMAIL PROTECTED] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo _______________________________________________ ISSForum mailing list [EMAIL PROTECTED] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo _______________________________________________ ISSForum mailing list [EMAIL PROTECTED] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
