Issue of December 2003 

Security watch

Buffer Overflow in Sendmail

Sendmail contains a vulnerability in its address parsing code. An error in the prescan() function could allow an attacker to write past the end of a buffer, corrupting memory structures. Depending on platform and operating system architecture, the attacker may be able to execute arbitrary code with a specially crafted email message.

Depending on platform and operating system architecture, a remote attacker could execute arbitrary code with the privileges of the sendmail daemon. Unless the RunAsUser option is set, Sendmail typically runs as root.

Further information is available in CERT's VU#784980. Common Vulnerabilities and Exposures (CVE) refers to this issue as CAN-2003-0694.

Solution

Upgrade or apply a patch

This vulnerability is resolved in Sendmail 8.12.10. Sendmail has also released a patch that can be applied to Sendmail 8.9.x through 8.12.9. Information about specific vendors is available in Appendix A and in the Systems Affected section of VU#784980.

Sendmail 8.12.10 is designed to correct malformed messages that are transferred by the server. This should help protect other vulnerable sendmail servers.

Enable the RunAsUser option

While there is no known complete workaround, consider setting the RunAsUser option to reduce the impact of this vulnerability. It is typically considered to be a good security practice to limit the privileges of applications and services whenever possible.

The Sendmail Consortium recommends that sites upgrade to 8.12.10 whenever possible. Alternatively, patches are available for 8.9, 8.10, 8.11, and 8.12 on http://www.sendmail.org/.

All commercial releases including Sendmail Switch, Sendmail Advanced Message Server (which includes the Sendmail Switch MTA), and Sendmail for NT are affected by this issue. Patch information is available at http://www.sendmail.com/security/.

Microsoft Exchange Server fails to properly handle specially crafted SMTP extended verb requests

As reported by CERT (www.cert.org), Microsoft Exchange fails to handle certain SMTP extended verbs correctly. In Exchange 5.5, this can lead to a denial-of-service condition. In Exchange 2000, this could permit an attacker to run arbitrary code.

For more information, see Microsoft Security Bulletin MS03-046.

Impact

An attacker could cause a denial of service condition against Exchange 5.5 or execute arbitrary code against Exchange 2000.

Solution

Apply a patch as described in Microsoft Security Bulletin MS03-046.

Multiple Vulnerabilities in SSL/TLS Implementations

There are multiple vulnerabilities in different implementations of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

These vulnerabilities occur primarily in Abstract Syntax Notation One (ASN.1) parsing code. The most serious vulnerabilities may allow a remote attacker to execute arbitrary code. The common impact is denial of service.

The main vulnerabilities according to CERT are:

VU#935264 - OpenSSL ASN.1 parser insecure memory deallocation
VU#255484 - OpenSSL contains integer overflow handling ASN.1 tags (1)
VU#380864 - OpenSSL contains integer overflow handling ASN.1 tags (2)
VU#686224 - OpenSSL does not securely handle invalid public key when configured to ignore errors
VU#732952 - OpenSSL accepts unsolicited client certificate messages
VU#104280 - Multiple vulnerabilities in SSL/TLS implementations

The impacts of these vulnerabilities vary. In almost all, a remote attacker could cause a denial of service. For at least one vulnerability in OpenSSL (VU#935264), a remote attacker may be able to execute arbitrary code.

Systems Affected

OpenSSL versions prior to 0.9.7c and 0.9.6k

Multiple SSL/TLS implementations

SSLeay library

Solution

Upgrade or apply a patch

To resolve the OpenSSL vulnerabilities, upgrade to OpenSSL 0.9.7c or OpenSSL 0.9.6k. Alternatively, upgrade or apply a patch as directed by your vendor. Recompile any applications that are statically linked to OpenSSL libraries.
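
The following is an added example, not part of the original article or of OpenSSL, showing how the "prior to 0.9.7c and 0.9.6k" rule can be applied to an inventory of version banners. The host names, banner strings and function names are constructed for illustration. It demonstrates why a single "less than 0.9.7c" comparison is wrong: 0.9.6k is fixed even though it sorts below 0.9.7c.

```python
import re

# First fixed patch letter for each maintained branch named in the advisory.
FIXED = {(0, 9, 6): "k", (0, 9, 7): "c"}

# major.minor.fix, optional patch letter, optional pre-release tag.
# Treating "-beta"/"-dev" as pre-release tags is an assumption of this example.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(-(?:beta|dev)\d*)?")


def parse_openssl_version(banner):
    """Return ((major, minor, fix), letter, is_prerelease) or None."""
    m = _VERSION.search(banner)
    if not m:
        return None
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    return branch, m.group(4), bool(m.group(5))


def needs_upgrade(banner):
    """True if the version predates the fixed release of its branch,
    False if it is at or past it, None if the banner cannot be parsed."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    branch, letter, prerelease = parsed
    if branch in FIXED:
        # A release with no letter (e.g. 0.9.7) sorts before every lettered
        # one, and pre-releases precede the whole branch.
        return prerelease or letter < FIXED[branch]
    # Branches older than 0.9.6 predate the fix; newer branches postdate it.
    return branch < (0, 9, 6)


def triage(inventory):
    """Return the hosts whose banner needs an upgrade or cannot be parsed."""
    return [host for host, banner in inventory
            if needs_upgrade(banner) is not False]


# Constructed sample inventory (host names and banners are illustrative).
SAMPLE = [
    ("web1", "OpenSSL 0.9.6j"),
    ("web2", "OpenSSL 0.9.6k"),
    ("mail1", "OpenSSL 0.9.7"),
    ("mail2", "OpenSSL 0.9.7c"),
    ("lab1", "OpenSSL 0.9.7-beta3"),
    ("old1", "OpenSSL 0.9.5a"),
    ("unk1", "unknown build"),
]
```

A vendor-patched build may keep its old version string, so a flagged host should be checked against the vendor's advisory before it is treated as vulnerable. Version strings also say nothing about applications that are statically linked to an older library.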

Buffer Overflow in Windows Workstation Service

Microsoft's Security Bulletin MS03-049 discusses a buffer overflow in Microsoft's Workstation Service that can be exploited via a specially crafted network message.

A remote attacker could exploit this vulnerability to execute arbitrary code with system-level privileges or to cause a denial of service. The exploit vector and impact for this vulnerability are conducive to automated attacks such as worms.

Systems Affected

Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
Microsoft Windows XP
Microsoft Windows XP Service Pack 1
Microsoft Windows XP 64-Bit Edition

Solution

Apply the appropriate patch as specified in Microsoft Security Bulletin MS03-049.

Block access from outside your network perimeter, specifically by blocking access to TCP & UDP ports 138, 139, and 445. This will limit your exposure to attacks.

Disable the Workstation Service as described in MS03-049.

Bug watch

Backdoor.Dister is a Trojan horse that periodically contacts a server for instructions and configuration data, and then sends batches of email as the server instructs. This functionality could be used to anonymously distribute malware or spam from an infected computer.

Systems Affected

Windows 2000
Windows 95
Windows 98
Windows Me
Windows NT
Windows XP

DOS, Linux, Macintosh, OS/2, UNIX and Windows 3.x systems are not affected by Backdoor.Dister.

Solution

Disable System Restore in Windows Me/XP. After this, update the virus definitions of the affected system's antivirus. The computer has to be restarted in safe mode or VGA mode after this has been performed. Run a full system scan and delete all the files detected as Backdoor.Dister. Ensure that all the changes made to the registry have been reversed after the full system scan.

Top 10 threats for Asia Pacific in November 2003
1. HTML.Redlof.A
2. W32.Welchia.Worm
3. W32.Bugbear.B@mm
4. W32.Swen.A@mm
5. IRC Trojan
6. Backdoor.Trojan
7. Downloader.Trojan
8. W32.Nolor@mm
9. W32.Blaster.Worm
10. W95.Hybris.worm

Source: Symantec

 
     

Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.
This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Bombay) Limited. Site managed by BPD.