*********************************************************************** DDN Security Bulletin 90-02 DCA DDN Defense Communications System 30 Jan 90 Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL) (800) 235-3155 DEFENSE DATA NETWORK SECURITY BULLETIN The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DCA contract as a means of communicating information on network and host security exposures, fixes, & concerns to security & management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [26.0.0.73 or 10.0.0.51] using login="anonymous" and password="guest". The bulletin pathname is SCC:DDN-SECURITY-yy-nn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. SCC:DDN-SECURITY-90-01). ********************************************************************** SUN SENDMAIL VULNERABILITY + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed unedited ! ! via the Defense Communications Agency's Security Coordination ! ! Center distribution system as a means of providing DDN ! ! subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + CERT Advisory 29 January 1990 Sun Sendmail Vulnerability The Computer Emergency Response Team Coordination Center (CERT/CC) has learned of, and has verified, break-ins on several Internet systems in which the intruders have exploited a vulnerability in the Sun sendmail program. This vulnerability exists in all versions of SunOS up to and including the current version, 4.0.3 on Sun 3, Sun 4, and Sun 386i systems (note that 4.0.2 is the most current version of SunOS on the 386i machines). That is, all current Sun systems. The vulnerability has previously been reported to Sun and a solution to this problem (Sun bug # 1028173) is available via a new version of sendmail supplied by Sun. The new sendmail is available directly from the Sun Answer Center (1-800-USA-4SUN). Sun 3 and Sun 4 sendmail binaries are also available via anonymous FTP from uunet.uu.net in the /sun-fixes directory. This incident underscores the need for system administrators to maintain an awareness of the steps their vendors are taking to improve the security aspects of their products, and to seriously consider upgrading system configurations when solutions to security problems are made available. Administrators of Sun systems are urged to contact Sun for the new version of the sendmail program. Administrators of machines other than Suns are urged to contact their vendors to verify that they are running the latest version of sendmail, since there may have been security related fixes to it in the past year. If you need further information on this problem, contact your Sun representative or CERT/CC. CERT/CC can be contacted by telephone at (412) 268-7090 (24 hours) or email to cert@cert.sei.cmu.edu (monitored daily). Our thanks to Matt Bishop and Wayne Cripps for their efforts in analyzing and investigating this problem and its solution. Kenneth R. van Wyk Technical Coordinator, Computer Emergency Response Team Software Engineering Institute Carnegie Mellon University cert@CERT.SEI.CMU.EDU (412) 268-7090 (24 hour hotline)