NASIRC BULLETIN #94-01                                        January 7, 1994

Sendmail Vulnerability update
**Supplementary Document [sendmail.patches] list vendor solutions**

===========================================================================
             NASA Automated Systems Incident Response Capability
===========================================================================

NASIRC has received information concerning new security patches available
to resolve existing vulnerabilities in sendmail(8). These vulnerabilities
include those related to mailing to a program, mailing to a file, and a few
other minor problems. This bulletin provides information on new patches
available from some of the vendors.

At the time that NASIRC Bulletin #93-06 was published, a set of workarounds
was included. These workarounds can still be used when vendor patches are
not available. They can also be safely used even when patches have been
installed.

A brief listing of all available patches, as well as upcoming patches, is
provided in the file /bulletins/sendmail.patches on nasirc.nasa.gov in the
anonymous ftp directory. This file will be updated as new information is
received. We have appended the file to this bulletin for ease of use.

The NASIRC online archive system is available via anonymous ftp. Just ftp
to nasirc.nasa.gov and login as anonymous. You will be required to enter
your valid e-mail address. Once there you can access the following
information:

   /toolkits/mac        ! contains MACdefender software
   /bulletins           ! contains NASIRC bulletins

Complete patch information and vendor specific installation procedures, as
provided by the vendor(s), are included in:

   /bulletins/vendors   ! contains vendor advisories

In the future, we will be offering additional security measures and
documentation within this online archive. Contact the NASIRC Helpdesk for
more information and assistance with toolkits or security measures.

NASIRC ACKNOWLEDGES: Sun Microsystems, Inc., Digital Equipment Corporation
and CERT for providing input to this bulletin.

==================================================================
For further assistance, please contact the NASIRC Helpdesk:

   Phone:                     1-800-7-NASIRC
   Fax:                       1-301-306-1010
   Internet Email:            nasirc@nasa.gov
   24 Hour/Emergency Pager:   1-800-759-7243/Pin:5460866
==================================================================

This bulletin may be forwarded without restrictions to sites and system
administrators within the NASA community.

-----------------
PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact your
agency's response team to report incidents. Your agency's team will
coordinate with NASIRC, who will ensure the proper internal NASA team(s)
are notified.

NASIRC is a member of the Forum of Incident Response and Security Teams
(FIRST), a world-wide organization which provides for coordination between
incident response teams in handling computer-security-related issues. A
list of FIRST member organizations and their constituencies can be obtained
by sending email to docserver@first.org with an empty subject line and a
message body containing the line: send first-contacts.

=============================================================================
NASIRC BULLETIN #94-01                                        January 7, 1994

Sendmail Patch Update/Availability
----------------------------------

    1.  Sun Microsystems, Inc.                  AVAILABLE
    2.  Data General Corporation (DG)           AVAILABLE
    3.  Digital Equipment Corporation (DEC)     AVAILABLE
    4.  Hewlett Packard Company (HP)            AVAILABLE
    5.  Sequent Computer Systems                AVAILABLE
    6.  The Santa Cruz Operation                AVAILABLE SOON
    7.  IBM                                     AVAILABLE
    8.  Solbourne                               AVAILABLE
    9.  Sony Corporation                        AVAILABLE
   10.  BSDI                                    AVAILABLE
   11.  Eric Allman, 8.6.4                      AVAILABLE
   12.  Paul Pomes, IDA                         AVAILABLE
   13.  NeXT, Inc.                              AVAILABLE SOON


1. Sun Microsystems, Inc.:
----------------------

Sun has made patches for sendmail available, as described in their SUN
MICROSYSTEMS SECURITY BULLETIN: #00125, dated 12/23/93, which is included
in its entirety on nasirc.nasa.gov, anonymous ftp:
/bulletin/vendor/sun_sendmail.alert

   System        Patch ID    Filename           BSD         SVR4
                                                Checksum    Checksum
   -----------   ---------   ---------------    ----------  ----------
   SunOS 4.1.x   100377-08   100377-08.tar.Z    05320 755   58761 1510
   Solaris 2.1   100840-06   100840-06.tar.Z    59489 195   61100 390
   Solaris 2.2   101077-06   101077-06.tar.Z    63001 179   28185 358
   Solaris 2.3   101371-03   101371-03.tar.Z    27539 189   51272 377

A patch for x86 based systems will be forthcoming as patch ID 101352-02.

Sites running 4.1 that install these patches may need to modify their
configuration files slightly. Full details are given in the Sun advisory.

The checksums shown above are from the BSD-based checksum (on 4.1.x,
/bin/sum; on Solaris 2.x, /usr/ucb/sum) and from the SVR4 version on
Solaris 2.x (/usr/bin/sum).

Sun security patches are available from:

   - US       ftp.uu.net    /systems/sun/sun-dist
   - Europe   ftp.eu.net    ~ftp/sun/fixes

Some customers have reported that checksums on patch files obtained via
SunSolve (see section II.A) do not always match the checksums shown in our
Security Bulletins. This happens because the checksums shown here are for
the files uploaded by us to ftp.uu.net, which are sometimes different from
(though functionally equivalent to) the files created for SunSolve. The
checksums shown above should always match the files on ftp.uu.net, unless
a correction has been noted in the "checksums" file we maintain there. Sun
will resolve this anomaly in the future. For the present, SUN advises
customers to check with their Answer Centers or this office if a question
of patch authenticity arises.


2. Data General Corporation (DG):
-----------------------------

Patches are available from dg-rtp.rtp.dg.com (128.222.1.2) in the
directory /deliver/sendmail.

Patch checksums are as follows:

   System V Revision   Patch Number          Checksum
   -----------------   -------------------   ---------
   5.4.2               tcpip_5.4.2.p14       39298 512
   5.4R2.01            tcpip_5.4R2.01.p12    65430 512
   5.4R2.10            tcpip_5.4R2.10.p05    42625 512

These patches are loadable via the "sysadm" utility and installation
instructions are included in the patch notes. Trusted versions of DG/UX
will use the same patches as their base version of DG/UX. Customers with
any questions about these patches should contact their local DG SEs or
Sales Representative.


3. Digital Equipment Corporation (DEC):
-----------------------------------

Systems affected: ULTRIX Version 4.3 (VAX), ULTRIX V4.3 & V4.3A (RISC),
DEC OSF/1 V1.2 & V1.3, using sendmail.

The following patches are available from your normal Digital support
channel:

   ULTRIX V4.3 (VAX), V4.3 (RISC) or V4.3a (RISC):   CSCPAT #: CSCPAT_4044
   OSF/1 V1.2 and V1.3:                             CSCPAT #: CSCPAT_4045

*These fixes will be included in future releases of ULTRIX and DEC OSF/1.

Digital Equipment Corporation strongly urges customers to upgrade to a
minimum of ULTRIX V4.3 or DEC OSF/1 V1.2, then apply the Security kit to
prevent this potential vulnerability.

The full text of Digital's sendmail advisory can be found in NASIRC's
anonymous ftp directory under: /bulletins/vendors/dec_sendmail.alert


4. Hewlett Packard Company (HP):
----------------------------

For HP-UX, the following patches are available:

   PHNE_3369 (series 300/400, HP-UX 8.x), or
   PHNE_3370 (series 300/400, HP-UX 9.x), or
   PHNE_3371 (series 700/800, HP-UX 8.x), or
   PHNE_3372 (series 700/800, HP-UX 9.x), or
   modify the sendmail configuration file (releases of HP-UX prior to 8.0).

You can obtain the patches from Hewlett Packard via email, by doing the
following:

a. Auto-Patch Email

   If you know the name of the patch needed, email
   hprc_patch@hprc.atl.hp.com with the subject of the message stated as
   "patch phkl_9999 rchandle", where phkl_9999 is the patch name and
   rchandle is your Response Center system identifier (or company name if
   you are not currently under Response Center support). It will
   automatically be emailed back to you.

b. HP SupportLine

   Effective early 1993, all new patches are loaded on HPSL. If you don't
   have HPSL access or need to know how to sign on, in the U.S. you can
   call the following numbers:

      Response Center Customers:   1-800-633-3600
      BasicLine Customers:         1-415-691-3888

   Outside the U.S., contact your local Response Center.

Note that a list of patches can be obtained at any time by emailing
hprc_patch@hprc.atl.hp.com with the subject of the message stated as
"p-list rchandle", where rchandle is your Response Center system identifier
or your company name if you are not currently under Response Center
support. The list will automatically be emailed back to you. The list
includes a short description of each patch. A more detailed patch
description is included in the patch itself.


5. Sequent Computer Systems:
------------------------

The following versions of the Sequent operating system are vulnerable:

   Versions 3.0.17 and greater of Dynix
   Versions 2.2 and 2.3 of the TCP package of PTX

Sequent customers should call the Sequent Hotline at (800)854-9969 and ask
for the Sendmail Maintenance Release Tape; PTX customers can instead
upgrade to PTX/TCP/IP version 2.2.3 or 2.3.1 as appropriate.


6. Santa Cruz Operation:
--------------------

Support Level Supplement (SLS) net379A will soon be available for the
following platforms:

   SCO TCP/IP Release 1.2.0 for SCO UNIX or SCO XENIX
   SCO TCP/IP Release 1.2.1 for SCO UNIX
   SCO Open Desktop Release 2.0, 3.0
   SCO Open Desktop Lite Release 3.0
   SCO Open Server Network System, Release 3.0
   SCO Open Server Enterprise System, Release 3.0

This SLS is currently orderable from SCO Support for all customers who have
one of the above products registered. It will be available in the near
future. Systems using MMDF as their mail system do not need this SLS.


7. IBM:
----

Patches for the sendmail problems can be ordered as APAR# ix40304 and
APAR# ix413454. APAR# ix40304 is available now and APAR# ix41354 will be
sent as soon as it is available.


8. Solbourne:
---------

Patch p93122301 is available from Solbourne to fix the sendmail problems.
This patch is equivalent to Sun patch 100377-08. It can be retrieved via
anonymous FTP from solbourne.solbourne.com in the pub/support/OS4.1B
directory.

Checksum information is as follows:

   Filename           BSD Checksum   SVR4 Checksum
   ---------------    ------------   -------------
   p93122301.tar.Z    63749 211      53951 421

It can also be obtained by sending email to solis@solbourne.com and
specifying "get patches/4.1b p93122301" in the body of the mail message.

Earlier versions (4.1A.*) are no longer supported. The 4.1B patch may well
work on 4.1A.* systems but this has not been tested.

If you have any questions please call the SOURCE at 1-800-447-2861 or send
email to support@solbourne.com.

The full text of Solbourne's advisory can be found in NASIRC's anonymous
ftp directory under: /bulletins/vendors/solbourne_sendmail.alert


9. Sony Corporation:
----------------

These vulnerabilities have been fixed in NEWS-OS 6.0.1. A patch is
available for NEWS-OS 4.x. Customers should contact their dealers for any
additional information.


10. BSDI:
----

BSDI can supply an easy-to-install port of sendmail-8.6.4 (contact BSDI
Customer Support for information on obtaining the port). In future
releases, BSDI will ship the newer sendmail that is not affected by these
problems.

Releases affected by this advisory: BSD/386 V1.0.

BSDI Contact Information:

   BSDI Customer Support
   Berkeley Software Design, Inc.
   7759 Delmonico Drive
   Colorado Springs, CO 80919

   Toll Free:  +1 800 ITS BSD8 (+1 800 486 2738)
   Phone:      +1 719 260 8114
   Fax:        +1 719 598 4238
   Email:      support@bsdi.com


11. Eric Allman, 8.6.4:
------------------

Version 8.6.4 is available for anonymous ftp from ftp.cs.berkeley.edu in
the /ucb/sendmail directory.

Checksum information is as follows:

   Filename                    BSD Checksum   System V Checksum
   -------------------------   ------------   -----------------
   sendmail.8.6.4.base.tar.Z   07718 428      64609 856


12. Paul Pomes, IDA:
---------------

A new release is available for anonymous ftp from vixen.cso.uiuc.edu as
/pub/sendmail-5.67b+IDA.1.5.tar.gz.

Checksum information is as follows:

   Filename                        BSD Checksum   System V Checksum
   -----------------------------   ------------   -----------------
   sendmail-5.67b+IDA-1.5.tar.gz   17272 1341     30425 2682


13. NeXT, Inc.:
----------

NeXT expects to have patches for these vulnerabilities available soon.
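The checksum pairs listed for Sun, DG, Solbourne, the 8.6.4 release and the IDA release come from two different sum programs: the BSD one (/bin/sum on SunOS 4.1.x, /usr/ucb/sum on Solaris 2.x) prints a 16-bit rotating checksum with the size in 1024-byte blocks, while the System V one (/usr/bin/sum on Solaris 2.x) prints a folded byte total with the size in 512-byte blocks. Checking a download with the wrong program, or against the wrong column, never matches. The Python below is an added example, not part of this bulletin or any vendor's code: it implements both algorithms as the traditional Unix sum commands compute them and compares a file against a listed pair, so a site can verify a patch before installing it regardless of which sum its own platform ships. The sample bytes and the expected values used at the bottom are constructed for the demonstration, not taken from any vendor table.

```python
# Constructed sample input for the demonstration (not a real patch file).
SAMPLE = b"abc"


def bsd_sum(data: bytes) -> tuple[int, int]:
    """Checksum as printed by the BSD 'sum' (e.g. /usr/ucb/sum on Solaris 2.x).

    Returns (checksum, blocks): a 16-bit checksum built by rotating the
    running value right one bit before adding each byte, and the file size
    in 1024-byte blocks, rounded up.
    """
    checksum = 0
    for byte in data:
        # Rotate right by one bit within 16 bits, then add the next byte.
        checksum = (checksum >> 1) + ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    blocks = (len(data) + 1023) // 1024
    return checksum, blocks


def sysv_sum(data: bytes) -> tuple[int, int]:
    """Checksum as printed by the System V 'sum' (e.g. /usr/bin/sum on Solaris 2.x).

    Returns (checksum, blocks): the 32-bit byte total folded into 16 bits
    with end-around carry, and the file size in 512-byte blocks, rounded up.
    """
    total = sum(data) & 0xFFFFFFFF
    folded = (total & 0xFFFF) + (total >> 16)
    checksum = (folded & 0xFFFF) + (folded >> 16)
    blocks = (len(data) + 511) // 512
    return checksum, blocks


def format_bsd(data: bytes) -> str:
    """Render the BSD result the way the advisory tables show it:
    five-digit zero-padded checksum, then the block count."""
    checksum, blocks = bsd_sum(data)
    return f"{checksum:05d} {blocks}"


def format_sysv(data: bytes) -> str:
    """Render the System V result as 'checksum blocks'."""
    checksum, blocks = sysv_sum(data)
    return f"{checksum} {blocks}"


def parse_listed(entry: str) -> tuple[int, int]:
    """Parse a 'checksum blocks' pair copied from an advisory table.
    Splitting on whitespace tolerates the column padding real sum output has."""
    checksum, blocks = entry.split()
    return int(checksum), int(blocks)


def verify(data: bytes, listed_bsd: str, listed_sysv: str) -> dict:
    """Compare a downloaded file against the BSD and System V pair an
    advisory lists. Both must match; a mismatch in either means the file is
    not the one the vendor published and should not be installed."""
    bsd_ok = bsd_sum(data) == parse_listed(listed_bsd)
    sysv_ok = sysv_sum(data) == parse_listed(listed_sysv)
    return {"bsd_ok": bsd_ok, "sysv_ok": sysv_ok, "ok": bsd_ok and sysv_ok}


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 4:
        # Usage: python verify_sum.py <file> "<bsd checksum blocks>" "<sysv checksum blocks>"
        with open(sys.argv[1], "rb") as fh:
            print(verify(fh.read(), sys.argv[2], sys.argv[3]))
    else:
        # Expected values below are constructed for SAMPLE, not vendor figures.
        print("BSD:", format_bsd(SAMPLE), "| SysV:", format_sysv(SAMPLE))
        print(verify(SAMPLE, "16556 1", "294 1"))
```

Run it with a downloaded patch file and the two values copied from the vendor's row; both flags must come back true. The block counts are checked as well as the checksums because a truncated or padded download can keep one of the two numbers while changing the other.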