From: Pete Hammes (1/7/94)
To: assist-bulletin@assist.ims.disa, Mail*Link SMTP
Subject: ASSIST 94-01, sendmail patches

-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        Automated Systems Security Incident Support Team
                   Integritas et Celeritas
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

                         Bulletin 94-01

Release date: 7 January 1994, 2:45 EST

Subject: Sendmail vulnerability.

SUMMARY:

This advisory provides information about new patches available from
some vendors to eliminate a group of vulnerabilities in sendmail(8).

DESCRIPTION:

These vulnerabilities include those related to mailing to a program,
mailing to a file, and a few others. ASSIST 93-29 published a set of
workarounds that should still be used until vendor patches are
available. Once the vendor patches have been installed, sites may
either continue to use smrsh or uninstall it.

IMPACT:

Anyone (remote or local) can gain unauthorized access to affected
systems.

RECOMMENDED SOLUTION:

Obtain and install the appropriate patch on any systems affected by
this vulnerability.
A brief listing of currently available patches as well as information
on upcoming patches is provided below. Detailed vendor-supplied
information concerning these patches is included in an appendix at
the end of this message (appendix ASSIST-A.401). For some vendors,
ASSIST-A.401 includes a reference to the full text of the vendor's
own advisory concerning sendmail. The information in the appendix of
this bulletin will be updated as new information is released, and
will be available on the ASSIST BBS, and via anonymous FTP (to .mil
systems only) in /pub/patches/sendmail/ASSIST-A.401 on
assist.ims.disa.mil. If your vendor is not aware of the sendmail
problems, or if they have any questions, please have them contact
ASSIST.

Vendor                           Patch Status
------                           ------------
sendmail 8.6.4                   available
IDA sendmail                     available
BSDI                             available
Data General Corporation         available
Digital Equipment Corporation    available
Hewlett-Packard Company          available
IBM                              available
NeXT, Inc.                       available soon
The Santa Cruz Operation         available soon
Sequent Computer Systems         available
Solbourne                        available
Sony Corporation                 available
Sun Microsystems, Inc.           available

ASSIST wishes to thank the Forum of Incident Response and Security
Teams (FIRST), and vendors for the information contained in this
bulletin.

ASSIST is an element of the Defense Information Systems Agency (DISA),
Center for Information Systems Security (CISS), that provides service
to the entire DoD community. If you have any questions about ASSIST or
computer security issues, contact ASSIST using one of the methods
listed below. If you would like to be included in the distribution
list for these bulletins, send your Milnet (Internet) e-mail address
to assist-request@assist.ims.disa.mil. Back issues of ASSIST bulletins
are available on the ASSIST bbs (see below), and through anonymous ftp
(to .mil addresses only) from assist.ims.disa.mil.
ASSIST contact information:

PHONE: 703-756-7974, DSN 289, duty hours are 06:30 to 17:00 Monday
through Friday. During off duty hours, weekends, and holidays, ASSIST
can be reached via pager at 800-SKY-PAGE (800-759-7243) PIN 2133937.
Your page will be answered within 30 minutes; however, if a quicker
response is required, prefix your phone number with "999" and ASSIST
will return your call within 5 minutes.

ELECTRONIC MAIL: assist@assist.ims.disa.mil.

ASSIST BBS: 703-756-7993/4, DSN 289, leave a message for the "sysop".

Privacy Enhanced Mail (PEM): ASSIST uses PEM, a public key encryption
tool, to digitally sign all bulletins that are distributed through
e-mail. The section of seemingly random characters between the "BEGIN
PRIVACY-ENHANCED MESSAGE" and "BEGIN ASSIST BULLETIN" contains
machine-readable digital signature information generated by PEM, not
corrupted data. PEM software for UNIX systems is available from Trusted
Information Systems (TIS) at no cost, and can be obtained via anonymous
FTP from ftp.tis.com (IP 192.94.214.100). Note: The TIS software is
just one of several implementations of PEM currently available, and
additional versions are likely to be offered from other sources in the
near future.

The following Appendix contains the version of the ASSIST-A.401 file
that was current at the time of the release of this advisory. If you
are retrieving this advisory after January 7, 1994, please ensure that
you also retrieve the most recent version of ASSIST-A.401 from the
ASSIST bbs, or the ASSIST ftp site.

ASSIST-A.401                                    Rev. January 7, 1994

This file is a supplement to the ASSIST bulletin of January 7, 1994,
and will be updated as additional information becomes available. The
following is vendor-supplied information. Please notice that some
entries provide pointers to vendor advisories. For more up-to-date
information, contact your vendor.
- -------------
Eric Allman, 8.6.4

Version 8.6.4 is available for anonymous FTP from ftp.cs.berkeley.edu
in the "ucb/sendmail" directory.

Standard Unix Sum:  07718 428   sendmail.8.6.4.base.tar.Z
System V Sum:       64609 856   sendmail.8.6.4.base.tar.Z
MD5 Checksum:       MD5 (sendmail.8.6.4.base.tar.Z) = 59727f2f99b0e47a74d804f7ff654621

- -------------
Paul Pomes, IDA

A new release is available for anonymous FTP from vixen.cso.uiuc.edu
as "pub/sendmail-5.67b+IDA-1.5.tar.gz".

Standard Unix Sum:  17272 1341  sendmail-5.67b+IDA-1.5.tar.gz
System V Sum:       30425 2682  sendmail-5.67b+IDA-1.5.tar.gz
MD5 Checksum:       MD5 (sendmail-5.67b+IDA-1.5.tar.gz) = a9b8e17fd6d3e52739d2195cead94300

- -------------
BSDI

BSDI can supply either an easy-to-install port of the smrsh patch from
CERT or a port of sendmail-8.6.4 (contact BSDI Customer Support for
information on obtaining either of these solutions). In future
releases, BSDI will ship the newer sendmail that is not affected by
these problems.

Releases affected by this advisory: BSD/386 V1.0.

BSDI Contact Information:
    BSDI Customer Support
    Berkeley Software Design, Inc.
    7759 Delmonico Drive
    Colorado Springs, CO 80919
    Toll Free: +1 800 ITS BSD8 (+1 800 486 2738)
    Phone: +1 719 260 8114
    Fax: +1 719 598 4238
    Email: support@bsdi.com

- -------------
Data General Corporation

Patches are available from dg-rtp.rtp.dg.com (128.222.1.2) in the
directory "deliver/sendmail":

Rev         Patch Number          Sys V Checksum
----------  --------------------  --------------
5.4.2       tcpip_5.4.2.p14       39298 512
            MD5 (tcpip_5.4.2.p14) = c80428e3b791d4e40ebe703ba5bd249c
5.4R2.01    tcpip_5.4R2.01.p12    65430 512
            MD5 (tcpip_5.4R2.01.p12) = 9c84cfdb4d79ee22224eeb713a414996
5.4R2.10    tcpip_5.4R2.10.p05    42625 512
            MD5 (tcpip_5.4R2.10.p05) = 2d74586ff22e649354cc6a02f390a4be

These patches are loadable via the "sysadm" utility, and installation
instructions are included in the patch notes. Trusted versions of DG/UX
will use the same patches as their base version of DG/UX.
Customers with any questions about these patches should contact their
local SEs or Sales Representatives.

- -------------
Digital Equipment Corporation

Systems affected: ULTRIX Versions 4.3 (VAX), ULTRIX V4.3 & V4.3A
(RISC), DEC OSF/1 V1.2 & V1.3, using sendmail.

The following patches are available from your normal Digital support
channel:

    ULTRIX V4.3 (VAX), V4.3 (RISC) or V4.3a (RISC):  CSCPAT #: CSCPAT_4044
    OSF/1 V1.2 and V1.3:                             CSCPAT #: CSCPAT_4045

*These fixes will be included in future releases of ULTRIX and DEC
OSF/1.

Digital Equipment Corporation strongly urges customers to upgrade to a
minimum of ULTRIX V4.3 or DEC OSF/1 V1.2, then apply the Security kit
to prevent this potential vulnerability.

The full text of Digital's advisory can be found in
/pub/patches/sendmail/sendmail.dec on assist.ims.disa.mil.

- -------------
Hewlett-Packard Company

For HP-UX, the following patches are available:

    PHNE_3369 (series 300/400, HP-UX 8.x), or
    PHNE_3370 (series 300/400, HP-UX 9.x), or
    PHNE_3371 (series 700/800, HP-UX 8.x), or
    PHNE_3372 (series 700/800, HP-UX 9.x), or
    modify the sendmail configuration file (releases of HP-UX prior
    to 8.0)

These patches may be obtained from HP via FTP (this is NOT anonymous
FTP) or the HP SupportLine. To obtain HP security patches, you must
first register with the HP SupportLine.

The full text of Hewlett-Packard's advisory can be found in
/pub/patches/sendmail/sendmail.hp on assist.ims.disa.mil.

- -------------
IBM

Patches for these problems can be ordered as APAR# ix40304 and APAR#
ix41354. ix40304 is available now and ix41354 will be sent as soon as
it is available.

- -------------
NeXT, Inc.

NeXT expects to have patches available soon.
- -------------
The Santa Cruz Operation

Support Level Supplement (SLS) net379A will soon be available for the
following platforms:

    SCO TCP/IP Release 1.2.0 for SCO UNIX or SCO XENIX
    SCO TCP/IP Release 1.2.1 for SCO UNIX
    SCO Open Desktop Release 2.0, 3.0
    SCO Open Desktop Lite Release 3.0
    SCO Open Server Network System, Release 3.0
    SCO Open Server Enterprise System, Release 3.0

This SLS is currently orderable from SCO Support for all customers who
have one of the above products registered. It will be available in the
near future. Systems using MMDF as their mail system do not need this
SLS.

- -------------
Sequent Computer Systems

Versions 3.0.17 and greater of Dynix are vulnerable, as are versions
2.2 and 2.3 of the TCP package for PTX. Sequent customers should call
the Sequent Hotline at (800) 854-9969 and ask for the Sendmail
Maintenance Release Tape. Alternatively, PTX customers can upgrade to
PTX/TCP/IP version 2.2.3 or 2.3.1 as appropriate.

- -------------
Solbourne

Patch p93122301 is available from Solbourne to fix the sendmail
problems. This patch is equivalent to Sun patch 100377-08. Customers
may retrieve it via anonymous FTP from solbourne.solbourne.com in the
pub/support/OS4.1B directory:

Filename          BSD Checksum   SVR4 Checksum
---------------   ------------   -------------
p93122301.tar.Z   63749 211      53951 421
MD5 (p93122301.tar.Z) = f7300f3ecfbbbfaa11a6695f42f14615

It is also available by sending email to solis@solbourne.com and
specifying "get patches/4.1b p93122301" in the body of the mail
message.

Earlier versions (4.1A.*) are no longer supported. The 4.1B patch may
well work on 4.1A.* systems, but this has not been tested.

If you have any questions please call the SOURCE at 1-800-447-2861 or
send email to support@solbourne.com.

The full text of Solbourne's advisory can be found in
/pub/patches/sendmail/sendmail.sol on assist.ims.disa.mil.

- ---------------
Sony Corporation

These vulnerabilities have been fixed in NEWS-OS 6.0.1. A patch is
available for NEWS-OS 4.x.
Customers should contact their dealers for any additional information.

- ---------------
Sun Microsystems, Inc.

Sun has made patches for sendmail available as described in their SUN
MICROSYSTEMS SECURITY BULLETIN: #00125, 12/23/93. These patches can be
found in the /systems/sun/sun-dist directory on ftp.uu.net:

System       Patch ID   Filename          BSD Checksum   SVR4 Checksum
------       --------   ---------------   ------------   -------------
SunOS 4.1.x  100377-08  100377-08.tar.Z   05320 755      58761 1510
Solaris 2.1  100840-06  100840-06.tar.Z   59489 195      61100 390
Solaris 2.2  101077-06  101077-06.tar.Z   63001 179      28185 358
Solaris 2.3  101371-03  101371-03.tar.Z   27539 189      51272 377

MD5 checksums are:

MD5 (100377-08.tar.Z) = 8e8a14c0a46b6c707d283cacd85da4f1
MD5 (100840-06.tar.Z) = 7d8d2c7ec983a58b4c6a608bf1ff53ec
MD5 (101077-06.tar.Z) = 78e165dec0b8260ca6a5d5d9bdc366b8
MD5 (101371-03.tar.Z) = 687d0f3287197dee35941b9163812b56

A patch for x86 based systems will be forthcoming as patch 101352-02.

Sites installing the 4.1 patches may need to modify their
configuration files slightly. Full details are given in the Sun
advisory.

The full text of Sun Microsystems' advisory can be found in
/pub/patches/sendmail/sendmail.sun on assist.ims.disa.mil.
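The appendix above lists each patch file with a BSD "Standard Unix Sum" (16-bit rotating checksum, 1K blocks), a System V / SVR4 sum (byte total folded to 16 bits, 512-byte blocks), and an MD5 digest. As an added example that is not part of the bulletin or any vendor's tooling, the Python script below reproduces all three so a downloaded patch can be checked against the listed values before it is installed; the sample contents and their expected values are constructed for this example, not taken from any file in the bulletin.

```python
import hashlib


def bsd_sum(data: bytes) -> tuple[int, int]:
    """BSD 'sum' (the bulletin's 'Standard Unix Sum' / 'BSD Checksum'):
    16-bit right-rotating checksum plus the count of 1024-byte blocks."""
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)  # rotate right 1
        checksum = (checksum + byte) & 0xFFFF
    return checksum, (len(data) + 1023) // 1024


def sysv_sum(data: bytes) -> tuple[int, int]:
    """System V 'sum' (the bulletin's 'System V' / 'SVR4 Checksum'):
    32-bit byte total folded to 16 bits, plus the count of 512-byte blocks."""
    total = sum(data) & 0xFFFFFFFF
    folded = (total & 0xFFFF) + (total >> 16)
    checksum = (folded & 0xFFFF) + (folded >> 16)
    return checksum, (len(data) + 511) // 512


def parse_sum(field: str) -> tuple[int, int]:
    """Parse a bulletin-style field such as '07718 428' into (checksum, blocks)."""
    checksum, blocks = field.split()
    return int(checksum), int(blocks)


def verify_patch(data: bytes, bsd: str, sysv: str, md5: str) -> dict:
    """Compare downloaded file contents with the three values the bulletin
    lists for that file. Install only when every entry is True."""
    return {
        "bsd": bsd_sum(data) == parse_sum(bsd),
        "sysv": sysv_sum(data) == parse_sum(sysv),
        "md5": hashlib.md5(data).hexdigest() == md5.strip().lower(),
    }


# Constructed sample standing in for a downloaded tarball; the expected
# values were computed for this sample, not for any file in the bulletin.
SAMPLE = b"abc"
SAMPLE_BSD = "16556 1"
SAMPLE_SYSV = "00294 1"
SAMPLE_MD5 = "900150983cd24fb0d6963f7d28e17f72"

if __name__ == "__main__":
    print(verify_patch(SAMPLE, SAMPLE_BSD, SAMPLE_SYSV, SAMPLE_MD5))
    print(verify_patch(b"abd", SAMPLE_BSD, SAMPLE_SYSV, SAMPLE_MD5))  # tampered
```

The two sum formats are far weaker than MD5 (the System V sum is a plain byte total, so reordering bytes does not change it), so treat them as a quick sanity check and rely on the MD5 value.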
-----END PRIVACY-ENHANCED MESSAGE-----

------------------ RFC822 Header Follows ------------------
Date: 07 Jan 1994 14:55:03 -0500
From: Pete Hammes
Subject: ASSIST 94-01, sendmail patches
To: assist-bulletin@assist.ims.disa.MIL
Message-id: <9401071955.AA16553@shilo.ims.disa.mil>