--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SANS Alert 2003-03-03
Critical vulnerability in all versions of SENDMAIL
Plus a Snort Vulnerability
And an invitation to a web broadcast on the vulnerabilities
The Sendmail Vulnerability
What systems are affected? UNIX and Linux Systems running sendmail -
probably even those that are not mail servers.
Level: CRITICAL - affords root or superuser access when sendmail is
running with those privileges.
A new critical vulnerability has been discovered in Sendmail. The UNIX
and Linux vendors have been working feverishly to get a patch ready and
most are available now. Sendmail is too big a target for attackers to
ignore, so it makes sense to act immediately to protect your systems.
In this note you will find:
(1) The invitation to the webcast covering both vulnerabilities
(2) DHS/NIPC Advisory 03-004 Remote Sendmail Header Processing
Vulnerability
(3) A description of what government and industry did to try to
mitigate damage from this newly discovered vulnerability.
(4) The Department of Homeland Security Alert on the Snort
Vulnerability
********************************************************
SANS Web Broadcast (free) on the Sendmail Vulnerability and the
Snort Vulnerability
Date: March 3, 2003 (today)
Time: 7 PM EST (0000 UTC)
Register at: http://www.sans.org/webcasts/030303.php
There is an absolute limit of 2,000 people on the live program to
ensure quality audio, but the archive will be available about 5 hours
later for anyone who does not get a reservation.
Featuring the ISS X-Force folks (ISS discovered the vulnerability),
Hal Pomeranz (sendmail expert) and Marty Roesch, author of Snort,
will brief you on the Snort vulnerability.
Below you'll find the Department of Homeland Security advisory followed
by a brief description of what happened behind the scenes inside the
government followed by the DHS Snort vulnerability alert.
***********************************************************************
Here's the DHS/NIPC Advisory
Remote Sendmail Header Processing Vulnerability
SUMMARY:
The Department of Homeland Security (DHS), National Infrastructure
Protection Center (NIPC) is issuing this advisory to heighten
awareness of the recently discovered Remote Sendmail Header Processing
Vulnerability (CAN-2002-1337). NIPC has been working closely with
the industry on vulnerability awareness and information dissemination.
The Remote Sendmail Header Processing Vulnerability allows local and
remote users to gain almost complete control of a vulnerable Sendmail
server. Attackers gain the ability to execute privileged commands using
super-user (root) access/control. This vulnerability can be exploited
through a simple e-mail message containing malicious code. Sendmail is
the most commonly used Mail Transfer Agent and processes an estimated
50 to 75 percent of all Internet e-mail traffic. System administrators
should be aware that many Sendmail servers are not typically shielded
by perimeter defense applications. A successful attacker could install
malicious code, run destructive programs and modify or delete files.
Additionally, attackers may gain access to other systems
thru a compromised Sendmail server, depending on local
configurations. Sendmail versions 5.2 up to 8.12.8 are known to be
vulnerable at this time.
DESCRIPTION:
The Remote Sendmail Header Processing Vulnerability is exploited
during the processing and evaluation of e-mail header fields collected
during an SMTP transaction. Examples of these header fields are the
"To", "From" and "CC" lines. The crackaddr() function in the Sendmail
headers.c file allows Sendmail to evaluate whether a supplied address
or list of addresses contained in the header fields is valid. Sendmail
uses a static buffer to store processed data. It detects when the
static buffer becomes full and stops adding characters. However,
Sendmail continues processing data and several security checks are
used to ensure that characters are parsed correctly. The vulnerability
allows a remote attacker to gain access to the Sendmail server by
sending an e-mail containing a specially crafted address field which
triggers a buffer overflow.
RECOMMENDATION:
Due to the seriousness of this vulnerability, the NIPC is strongly
recommending that system administrators who employ Sendmail take this
opportunity to review the security of their Sendmail software and to
either upgrade to Sendmail 8.12.8 or apply the appropriate patch for
older versions as soon as possible.
Patches for the vulnerability are available from Sendmail, from ISS who
discovered the vulnerability and from vendors whose applications
incorporate Sendmail code, including IBM, HP, SUN, Apple and SGI. Other
vendors will release patches in the near future.
The primary distribution site for Sendmail is: http://www.sendmail.org
Patches and information are also available from the following sites:
The ISS Download center http://www.iss.net/download
IBM Corporation http://www.ibm.com/support/us/
Hewlett-Packard , Co. http://www.hp.com
Silicon Graphics Inc. http://www.sgigate.sgi.com
Apple Computer, Inc. http://www.apple.com/
Sun Microsystems, Inc. http://www.sun.com/service/support/
Common Vulnerabilities and Exposure (CVE) Project http://CVE.mitre.org
As always, computer users are advised to keep their anti-virus and
systems software current by checking their vendor's web sites frequently
for new updates and to check for alerts put out by the DHS/NIPC,
CERT/CC, ISS and other cognizant organizations. The DHS/NIPC encourages
recipients of this advisory to report computer intrusions to their local
FBI office (http://www.fbi.gov/contact/fo/fo.htm) and other appropriate
authorities. Recipients may report incidents online to
http://www.nipc.gov/incident/cirr.htm. The DHS/NIPC Watch and Warning
Unit can be reached at (202) 323-3204/3205/3206 or [EMAIL PROTECTED]
====
Background on government/industry cooperation to mitigate damage
The Sendmail Vulnerability Announced Today, March 3, 2003
How Well Did The Cyber Defense Community Do?
Today, hundreds of thousands of people learned of a vulnerability in
the sendmail program which is widely used for Internet mail handling.
A vulnerability in such a widely used open source software program
presents difficult challenges for the cyber defense community -
including the need to get more than twenty different software
organizations to act quickly and silently to develop patches.
Three primary actions are required to respond effectively to such
a vulnerability:
1. Verify that the vulnerability exists and is important.
2. Contact the key technical personnel at each of the software
companies and other groups that distribute sendmail (either alone or
with other software) and ensure that they develop and test patches
and make them ready for widespread distribution.
3. Plan and execute an early warning and distribution strategy
that enables critical infrastructure organizations in the US and in
partner countries to be prepared for rapid deployment of the patches
once they are ready. This must be accomplished without leaking data
about the vulnerability to the black hat community that exploits such
vulnerabilities by creating worms like Code Red, Slapper, and Slammer.
When possible, several other actions may be appropriate:
4. Provide military and other very sensitive organizations with early
access to the patches so their systems can be protected even before
public disclosure of the vulnerability.
5. Use sensor networks with smart filters to test for exploitation.
6. Develop and distribute filters that can block the offending packets
to protect systems that cannot or will not install patches immediately.
On Saturday, March 1, 2003, the US Department of Homeland Security
became fully operational, although the elements of the new department
had been working together for several weeks. In cybersecurity, the new
Department brings together four highly visible cybersecurity agencies:
(1) The National Infrastructure Protection Center from the FBI, (2)
FedCIRC from the General Services Administration, (3) the National
Communications System program from the US Department of Defense, and
(4) the Critical Infrastructure Assurance Office from the Department
of Commerce.
Today's disclosure of a vulnerability in sendmail offers the
opportunity to see how quickly and effectively the cyber defense
community, led by this new Department, can respond to important
threats.
Sendmail's vulnerability offers a legitimate test because sendmail
handles a large amount of Internet mail traffic and is installed on
at least 1.5 million Internet-connected systems. More than half of
the large ISPs and Fortune 500 companies use sendmail, as do tens of
thousands of other organizations. A security hole in sendmail affects
a lot of people and demands their immediate attention.
You can draw your own conclusion on how well the problem is being
handled. Here are the facts:
1. On Friday, February 14, telephone calls to the Department of
Homeland Security (DHS) and the White House Office of Cyberspace
Security alerted the US government to a suspected sendmail
vulnerability. The source of the data was Internet Security
Systems (ISS), a well-respected security firm with solid security
research credentials, giving the data an initial base level of
credibility. However, to be more certain, DHS technical experts
reviewed the details of the vulnerability and especially the
tests that ISS had run to prove the existence and severity of the
vulnerability. They were convinced.
2. Almost immediately the DHS/White House team, working with ISS,
contacted vendors that distribute sendmail, including Sun, IBM,
HP, and SGI, as well as the Sendmail Consortium, the organization
that develops the open source version of sendmail that is the core
of sendmail distributed with both free and commercial operating
systems. Partially because of government involvement, but primarily
because the vulnerability involved the widely used sendmail package,
the vendors immediately started working together on patches.
3. The DHS/White House staff contacted and shared what they knew with
the US Department of Defense and the Federal CIO Council. Through the
Federal CIO Council, the US FedCIRC and US Office of Management and
Budget were added to the coordinating team. Together the government
planners, ISS, and the vendors developing patches worked out a plan
for public dissemination of the vulnerability information and patch
distribution.
4. To help ensure that the open source LINUX and BSD distributions
(Red Hat, SUSE, OpenBSD, etc.) developed patches, the Computer
Emergency Response Team at Carnegie Mellon University (CERT/CC) was
brought into the project. CERT/CC deployed its formalized process to
inform the LINUX and BSD distribution developers and to assist them
in getting the corrected source code and any additional knowledge
needed to create the patch. CERT/CC (which is funded, in part, by two
organizations being merged into DHS and by the DoD) also created an
advisory to educate system administrators and the security community
in general on the vulnerability, on which systems are affected,
and on where to get the patches for each affected system.
5. Some of the large commercial vendors developed the patches very
quickly, but the delayed notice to smaller sources of sendmail
distributions and limited resources at those organizations meant
that not all the patches would be ready by early in the week of
February 23. The coordinating group faced a decision of whether to
release data about the exploit before most patches were ready or to
wait. The answer depended on whether they had reason to believe an
exploit was already being used by attackers. They had two sources
of information that led them to conclude waiting an extra week was
acceptable. First, people who monitored the hacker discussion groups
reported that this vulnerability did not seem to be one that was being
discussed. Second, the organization that discovered the vulnerability,
ISS, had deployed sensors for the exploit in a number of places
around the world. Those sensors were showing no exploits. Based on
both sets of data, the coordination group decided to schedule the
announcement for Monday, March 3. A second-order reason to schedule
a Monday announcement was that some members of the team believed
that Monday-Tuesday announcements generate more rapid and complete
patching than announcements made late in the week.
6. Since some of the patches were ready, the coordination group
decided to provide what was available to the US DoD so that military
sites could have the protection as early as possible. The military
distributions took place on or around February 25 and 26.
7. On February 27 and 28, government groups in the US and in several
other countries were given early warnings, without details about how
the vulnerability could be exploited, to help them plan for rapid
deployment of the patches when they were released on March 3. In
addition to the Chief Information Officers of US Cabinet level
departments, and the directors or deputy directors of national
cyber security offices in several other countries, the officers of
the critical infrastructure Information Sharing And Analysis Centers
(ISACs) were also briefed so they could be ready for rapid information
distribution to commercial organizations such as banks and utilities,
that comprise the critical infrastructure.
8. On March 3, beginning about 10 am EST, alerts began flowing to
federal agencies from FedCIRC and to the critical infrastructure
companies from the ISACs. At noon, ISS released their advisory,
followed by CERT/CC's general release. Once the data was public,
the SANS Institute also issued a release and scheduled free web-based
education programs.
====
DHS/NIPC Advisory 03-003 Snort Buffer Overflow Vulnerability
The Department of Homeland Security (DHS), National Infrastructure
Protection Center (NIPC) has been informed of a recently discovered
serious vulnerability in Snort, a widely used Intrusion Detection
System, IDS. DHS/NIPC has been working closely with the Internet
security industry on vulnerability awareness and is issuing this
advisory in conjunction with public announcements.
Snort is available in open source and commercial versions form
Sourcefire, a privately held company headquartered in Columbia, MD.
Details are available from Sourcefire. See Snort Vulnerability
Advisory [SNORT-2003-001]. The affected Snort versions include all
version of Snort from version 1.8 through current. Snort 1.9.1 has
been released to resolve this issue.
The vulnerability was discovered by Internet Security Systems (ISS),
and is a buffer overflow in the Snort Remote Procedure Call, RPC,
normalization routines. This buffer overflow can cause snort to
execute arbitrary code embedded within sniffed network packets.
Depending upon the particular implementation of Snort this may give
local and remote users almost complete control of a vulnerable machine.
The vulnerability is enabled by default. Mitigation instructions
for immediate protections prior to installing patches or upgrading
are described in the Snort Vulnerability Advisory.
Due to the seriousness of this vulnerability, the DHS/NIPC strongly
recommends that system administrators or security managers who employ
Snort take this opportunity to review their security procedures and
patch or upgrade software with known vulnerabilities.
Sourcefire has acquired additional bandwidth and hosting to aid users
wishing to upgrade their Snort implementation. Future information
can be found at:
http://www.sourcefire.com/
As always, computer users are advised to keep their anti-virus
and systems software current by checking their vendor's web sites
frequently for new updates and to check for alerts put out by the
DHS/NIPC, CERT/CC, ISS and other cognizant organizations. The DHS/NIPC
encourages recipients of this advisory to report computer intrusions to
their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) and other
appropriate authorities. Recipients may report incidents online to
http://www.nipc.gov/incident/cirr.htm. The DHS/NIPC Watch and Warning
Unit can be reached at (202) 323-3204/3205/3206 or [EMAIL PROTECTED]
== end ==
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+Y7oL+LUG5KFpTkYRAh6ZAJ9oWXqnCwZyP4Wxla1HUbMOcjdlSwCfboS8
wnLCqqyaA0+Dpcn9gUI7yxo=
=cIQn
-----END PGP SIGNATURE-----
--- End Message ---
