Linux Today: Linux News On Internet Time.







internetnews: More Headaches for Sendmail

Mar 31, 2003, 15:00 (17 Talkback[s])
(Other stories by Bob Liu)


"The Sendmail Consortium, which manages deployment of the world's most popular message transfer agent (MTA) to handle email, was left scrambling over the weekend to fix a remotely exploitable vulnerability that could allow an attacker to gain control of a unpatched sendmail server.

"The vulnerability, discovered by Michal Zalewski, occurs because address parsing code in sendmail does not adequately check the length of email addresses. An email message with a specially crafted address could trigger a stack overflow. As a result, the vulnerability can be exploited to cause a denial-of-service condition and could allow a remote attacker to execute arbitrary code with the privileges of the sendmail daemon, typically root, according to a CERT advisory issued over the weekend.

"'Most organizations have a variety of mail transfer agents (MTAs) at various locations within their network, with at least one exposed to the Internet. Since sendmail is the most popular MTA, most medium-sized to large organizations are likely to have at least one vulnerable sendmail server. In addition, many UNIX and Linux workstations provide a sendmail implementation that is enabled and running by default,' CERT warned in its advisory..."
