Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
    • Risk Management Delivery Group
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > March 2006 > Sun Alert Notification: ID: 102262 - Security Vulnerability in sendmail(1M) Versions Prior to 8.13.6

March 2006

Sun Alert Notification: ID: 102262 - Security Vulnerability in sendmail(1M) Versions Prior to 8.13.6

ID: 00241
Ref: 240/2006
Date: 27 March 2006:13:59:41
Version: 1
Title: Sun Alert Notification: ID: 102262 - Security Vulnerability in sendmail(1M) Versions Prior to 8.13.6
Abstract: A local or remote unprivileged user may be able to execute arbitrary code with elevated privileges or cause a Denial of Service (Dos) condition due to a security vulnerability in the sendmail(1M) daemon involving signal handling.
Vendors affected: Sun
Operating systems affected: Sun
Applications affected: Sun
Title
=====


-----BEGIN PGP SIGNED MESSAGE-----

Sun Alert Notification: ID: 102262 - Security Vulnerability in sendmail(1M)
Versions Prior to 8.13.6

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQCVAwUBRCfaDopao72zK539AQHhbgP8DGcKuHLg+PjY/hxy00+fZQjh19s4Meg8
MDEHeWTbO5hw+gI/Z3UPRnDSvEf+SyZrVrDn0KYll7Yf+MAU/t3d6YlmoKT71Db+
qwmXCS7mvJzVlGJm8QMpyrLfBzEWUyPpGfRjnC/NFQtVXiIGNY7t03pgbCYsdD9E
w++kznmK/eQ=
=3Twy
-----END PGP SIGNATURE-----

Detail
======

A local or remote unprivileged user may be able to execute arbitrary
code with elevated privileges or cause a Denial of Service (Dos)
condition due to a security vulnerability in the sendmail(1M) daemon
involving signal handling.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================

ESB-2006.0233 -- [Solaris]
Security Vulnerability in sendmail(1M) Versions Prior to 8.13.6
27 March 2006

===========================================================================


Product: sendmail
Publisher: Sun Microsystems
Operating System: Solaris 10
Solaris 9
Solaris 8
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2006-0058

Ref: AL-2006.0020

Original Bulletin:
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102262-1

- --------------------------BEGIN INCLUDED TEXT--------------------

Sun(sm) Alert Notification
* Sun Alert ID: 102262
* Synopsis: Security Vulnerability in sendmail(1M) Versions Prior to
8.13.6
* Category: Security
* Product: Solaris 9 Operating System, Solaris 10 Operating System,
Solaris 8 Operating System
* BugIDs: 6397275
* Avoidance: Workaround
* State: Workaround
* Date Released: 22-Mar-2006
* Date Closed:
* Date Modified: 24-Mar-2006

1. Impact

A local or remote unprivileged user may be able to execute arbitrary
code with elevated privileges or cause a Denial of Service (Dos)
condition due to a security vulnerability in the sendmail(1M) daemon
involving signal handling.

This issue is referenced in the following documents:

CVE-2006-0058 at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058

CERT VU#834865 at http://www.kb.cert.org/vuls/id/834865

CERT VU#834865 http://www.kb.cert.org/vuls/id/834865 which is
referenced in CERT Technical Cyber Security Alert TA06-081A:
http://www.us-cert.gov/cas/techalerts/TA06-081A.html

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
* Solaris 8
* Solaris 9
* Solaris 10

x86 Platform
* Solaris 8
* Solaris 9
* Solaris 10

Notes:
1. The current Solaris 8 sendmail patches update sendmail to version
8.11.7p1+Sun which is affected by this vulnerability. The Solaris
8 patches which will address this vulnerability will update
sendmail to version 8.11.7p2+Sun. Solaris 8 patches to update
sendmail to version 8.13.6+Sun will follow. The Solaris 9 and 10
patches which address this issue will update sendmail to version
8.13.6+Sun.
2. This issue only affects systems which have sendmail enabled.
Sendmail versions prior to 8.13.6 are impacted by this issue.

To determine the version of sendmail(1M) running on a system, the
mconnect(1) command can be used, as in the following example:
$ /usr/bin/mconnect
connecting to host localhost (127.0.0.1), port 25
connection open
220 an.example.com ESMTP Sendmail 8.13.5+Sun/8.13.5;
Mon, 20 Mar 2006 17:07:57 GMT
quit
221 2.0.0 an.example.com closing connection

If sendmail is not running on the system the mconnect(1) command will
report the following:
$ /usr/bin/mconnect
connecting to host localhost (127.0.0.1), port 25
connect: Connection refused

3. Symptoms

There are no reliable symptoms that would indicate this issue has been
exploited to execute arbitrary commands with elevated privileges on a
system. The symptoms of the Denial of Service would be the sendmail
daemon no longer running.

4. Relief/Workaround

Until patches can be applied, sites may wish to block access to the
affected service from untrusted networks such as the Internet, or
disable the sendmail daemon where possible. Use a firewall or other
packet-filtering technology to block the appropriate network ports.
Consult your vendor or your firewall documentation for detailed
instructions on how to configure the ports.

The sendmail daemon can be disabled using the following commands:

For Solaris 9:
# /etc/init.d/sendmail stop

This will disable sendmail on the running system but it will be
restarted on reboot. To disable sendmail for future reboots, the
'/etc/rc2.d/S88sendmail' script will need to be renamed so that it no
longer begins with an 'S', as in the following example:
# mv /etc/rc2.d/S88sendmail /etc/rc2.d/not-S88sendmail

For Solaris 10:

# svcadm disable svc:/network/smtp:sendmail

This will disable the sendmail daemon for future reboots as well. To
re-enable sendmail, the 'enable' subcommand can be supplied to
svcadm(1M) with the same FMRI for sendmail above.

5. Resolution

A final resolution is pending completion.

Change History

24-Mar-2006:
* Updated Contributing Factors

This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.

Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved

- --------------------------END INCLUDED TEXT--------------------


iQCVAwUBRCcv+Ch9+71yA2DNAQJ0uQP7B0kLz3yRGXvG6kfIllMD/y2Z2Jne5Laf
W+B0+R+ag+t8s/zI6bnkpJLUVGLCk+32s4+eLlNG8UN9QiSlfd+YSXnlsvESUL1s
zWYR6x/kyp0X0hI0Qa//NS5EavrSF7I/1gPdjr7MPdZ2K5sTzz9VXj+s/JA8zybe
iZ0uQfH/FJc=
=OQda
-----END PGP SIGNATURE-----
  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |