Security watch
Buffer Overflow in Sendmail
Sendmail contains a vulnerability in its address parsing code. An error in the
prescan() function could allow an attacker to write past the end of a buffer,
corrupting memory structures. Depending on platform and operating system architecture,
the attacker may be able to execute arbitrary code with a specially crafted
email message.
Depending on platform and operating system architecture, a remote attacker could
execute arbitrary code with the privileges of the sendmail daemon. Unless the
RunAsUser option is set, Sendmail typically runs as root.
Further information is available in CERT's VU#784980. Common Vulnerabilities
and Exposures (CVE) refers to this issue as CAN-2003-0694.
Solution
Upgrade or apply a patch
This vulnerability is resolved in Sendmail 8.12.10. Sendmail has also released
a patch that can be applied to Sendmail 8.9.x through 8.12.9. Information about
specific vendors is available in Appendix A and in the Systems Affected section
of VU#784980.
Sendmail 8.12.10 is designed to correct malformed messages that are transferred
by the server. This should help protect other vulnerable sendmail servers.
Enable the RunAsUser option
While there is no known complete workaround, consider setting the RunAsUser
option to reduce the impact of this vulnerability. It is typically considered
to be a good security practice to limit the privileges of applications and services
whenever possible.
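An audit sketch for the two remedies above, added here as an example and not taken from the advisory or from Sendmail: it checks a version string against 8.12.10 and reads the active RunAsUser line from a sendmail.cf. The function names and the sample cf fragment are constructed for illustration, and the caller is assumed to supply the installed version string.

```shell
#!/bin/sh
# Added example: audit helpers (hypothetical names) for the remedies above.

# sendmail_fixed VERSION -> status 0 if VERSION is 8.12.10 or later.
# Fields are compared as numbers, so 8.12.10 ranks above 8.12.9
# (a plain string comparison would get that wrong).
sendmail_fixed() {
    case $1 in [0-9]*.[0-9]*) ;; *) return 2 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    maj=${1%%[!0-9]*}; min=${2%%[!0-9]*}; pat=${3%%[!0-9]*}
    maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}
    if [ "$maj" -ne 8 ]; then [ "$maj" -gt 8 ]; return; fi
    if [ "$min" -ne 12 ]; then [ "$min" -gt 12 ]; return; fi
    [ "$pat" -ge 10 ]
}

# runasuser_of CF -> value of the active "O RunAsUser=" line in a
# sendmail.cf, or nothing when the option is absent or commented out.
runasuser_of() {
    sed -n 's/^O[[:space:]]*RunAsUser[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" |
        tail -n 1
}

# sendmail_audit VERSION CF -> "<patch state> <privilege state>"
sendmail_audit() {
    if sendmail_fixed "$1"; then patch=fixed; else patch=unpatched; fi
    user=$(runasuser_of "$2")
    case $user in
        ''|root|root:*|0|0:*) priv=runs-as-root ;;   # unset means root
        *)                    priv="RunAsUser=$user" ;;
    esac
    echo "$patch $priv"
}

# Constructed sample: a cf fragment with the option still commented out.
cf=$(mktemp)
printf '%s\n' '#O RunAsUser=sendmail' 'O QueueDirectory=/var/spool/mqueue' > "$cf"
sendmail_audit 8.12.9 "$cf"     # unpatched runs-as-root
rm -f "$cf"
```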
The Sendmail Consortium recommends that sites upgrade to 8.12.10 whenever possible.
Alternatively, patches are available for 8.9, 8.10, 8.11, and 8.12 on http://www.sendmail.org/.
All commercial releases including Sendmail Switch, Sendmail Advanced Message
Server (which includes the Sendmail Switch MTA), and Sendmail for NT are affected
by this issue. Patch information is available at http://www.sendmail.com/security/.
Microsoft Exchange Server fails to properly handle specially crafted SMTP extended verb requests
As reported by CERT (www.cert.org), Microsoft Exchange fails to handle certain
SMTP extended verbs correctly. In Exchange 5.5, this can lead to a denial-of-service
condition. In Exchange 2000, this could permit an attacker to run arbitrary
code.
For more information, see Microsoft Security Bulletin MS03-046.
Impact
An attacker could cause a denial of service condition against Exchange 5.5 or
execute arbitrary code against Exchange 2000.
Solution
Apply a patch as described in Microsoft Security Bulletin MS03-046.
Multiple Vulnerabilities in SSL/TLS Implementations
There are multiple vulnerabilities in different implementations of the Secure
Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
These vulnerabilities occur primarily in Abstract Syntax Notation One (ASN.1)
parsing code. The most serious vulnerabilities may allow a remote attacker to
execute arbitrary code. The common impact is denial of service.
The main vulnerabilities according to CERT are:
VU#935264 - OpenSSL ASN.1 parser insecure memory deallocation
VU#255484 - OpenSSL contains integer overflow handling ASN.1 tags (1)
VU#380864 - OpenSSL contains integer overflow handling ASN.1 tags (2)
VU#686224 - OpenSSL does not securely handle invalid public key when configured to ignore errors
VU#732952 - OpenSSL accepts unsolicited client certificate messages
VU#104280 - Multiple vulnerabilities in SSL/TLS implementations
The impacts of these vulnerabilities vary. In almost all, a remote attacker
could cause a denial of service. For at least one vulnerability in OpenSSL (VU#935264),
a remote attacker may be able to execute arbitrary code.
Systems Affected
OpenSSL versions prior to 0.9.7c and 0.9.6k
Multiple SSL/TLS implementations
SSLeay library
Solution
Upgrade or apply a patch
To resolve the OpenSSL vulnerabilities, upgrade to OpenSSL 0.9.7c or OpenSSL
0.9.6k. Alternatively, upgrade or apply a patch as directed by your vendor.
Recompile any applications that are statically linked to OpenSSL libraries.
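One way to find applications that still carry an old statically linked copy, added here as an example and not part of the CERT or OpenSSL material: it pulls "OpenSSL <version>" banners out of a binary and rates each against the fixed releases named above. The function names and the sample file are constructed, only OpenSSL banners (not SSLeay) are matched, and "fixed" means fixed with respect to this advisory only.

```shell
#!/bin/sh
# Added example: locate binaries embedding a pre-fix OpenSSL.
LC_ALL=C; export LC_ALL

# openssl_status VERSION -> "vulnerable", "fixed" or "unknown", judged
# only against the fixed releases named above (0.9.6k and 0.9.7c).
openssl_status() {
    case $1 in
        0.9.6[k-z]*|0.9.7[c-z]*) echo fixed ;;       # patched letter or later
        0.9.[0-7]*)              echo vulnerable ;;  # incl. bare 0.9.7, betas
        0.9.[89]*|[1-9].*)       echo fixed ;;       # later release lines
        *)                       echo unknown ;;
    esac
}

# embedded_openssl FILE -> each distinct version from an "OpenSSL <ver>"
# banner in FILE. Non-printable bytes become newlines first, so this
# also works on compiled binaries.
embedded_openssl() {
    tr -c '[:print:]' '\n' < "$1" |
        sed -n 's/.*OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9a-z]*\).*/\1/p' |
        sort -u
}

# scan_static FILE... -> one "file version status" line per banner found.
scan_static() {
    for f in "$@"; do
        for v in $(embedded_openssl "$f"); do
            echo "$f $v $(openssl_status "$v")"
        done
    done
}

# Constructed sample: a fake binary carrying an old OpenSSL banner.
bin=$(mktemp)
printf 'ELF\000\001\002OpenSSL 0.9.6j (constructed)\000\377' > "$bin"
scan_static "$bin"              # <tmpfile> 0.9.6j vulnerable
rm -f "$bin"
```

A binary that reports a vulnerable banner needs to be rebuilt against the upgraded library; upgrading the shared library alone does not change it.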
Buffer Overflow in Windows Workstation Service
Microsoft's Security Bulletin MS03-049 discusses a buffer overflow in Microsoft's
Workstation Service that can be exploited via a specially crafted network message.
A remote attacker could exploit this vulnerability to execute arbitrary code
with system-level privileges or to cause a denial of service. The exploit vector
and impact for this vulnerability are conducive to automated attacks such as
worms.
Systems Affected
Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
Microsoft Windows XP
Microsoft Windows XP Service Pack 1
Microsoft Windows XP 64-Bit Edition
Solution
Apply the appropriate patch as specified in Microsoft Security Bulletin MS03-049.
Block access from outside your network perimeter, specifically by blocking access
to TCP & UDP ports 138, 139, and 445. This will limit your exposure to attacks.
Disable the Workstation Service as described in MS03-049.
Backdoor.Dister is a Trojan horse that periodically
contacts a server for instructions and configuration data, and then sends
batches of email as the server instructs. This functionality could be used
to anonymously distribute malware or spam from an infected computer.
Systems Affected
Windows 2000
Windows 95
Windows 98
Windows Me
Windows NT
Windows XP
DOS, Linux, Macintosh, OS/2,
UNIX and Windows 3.x systems are not affected by Backdoor.Dister.
Solution
Disable System Restore in Windows Me/XP, then update the antivirus virus
definitions on the affected system. After this, restart the computer in safe
mode or VGA mode. Run a full system scan and delete all the files detected as
Backdoor.Dister. After the full system scan, ensure that all the changes made
to the registry have been reversed.
1. HTML.Redlof.A
2. W32.Welchia.Worm
3. W32.Bugbear.B@mm
4. W32.Swen.A@mm
5. IRC Trojan
6. Backdoor.Trojan
7. Downloader.Trojan
8. W32.Nolor@mm
9. W32.Blaster.Worm
10. W95.Hybris.worm
Source: Symantec