sendmail vuln. - exploit in the wild??

Discussion in 'Computer Security' started by al, Oct 3, 2003.

  1. al

    al Guest

    The recent sendmail patch (CERT Advisory CA-2003-25 Buffer Overflow in
    Sendmail) is obviously quite a dangerous vulnerability, so I'm not trying to
    suggest it's smart not to apply it. However, does anyone know if it is
    being exploited in the wild at all?

    It is out of slight laziness in that a mail server I have is on it's last
    legs and an old kernel which RH has decided not to release RPM's for
    anymore. The whole server is due to be replaced in about a month or two.
    I'm trying to asses the risk of leaving this patch off for that period.


    a
     
    al, Oct 3, 2003
    #1
    1. Advertisements

  2. al

    Randell D. Guest

    I'm not familiar with the CERT advisory since I now rely on my ISP to handle
    my email... But... if your box is due for upgrade soon, well.... a month or
    two can soone become three or four - the five months... and if you can
    recall that Microsoft had their SQL patch out about four to six weeks before
    a worm came out to exploit it.... so... my advice is plug the hole first
    chance you get - especially a sendmail bug - if your server handles mail for
    a company, what would the boss say if he found the domain name blacklisted?

    An alternative method is to bring it to the attention of your boss or
    customer and let them decide the risks - ie let them decide if the machine
    rebuild should happen more sooner than later... thats what management is all
    about - the art of delegation and decision making ;-)
     
    Randell D., Oct 5, 2003
    #2
    1. Advertisements

  3. al

    al Guest

    blacklisted?

    All true, except the box will be replaced before Christmas, as that is the
    absolute deadline for a new system to go live! My initial action was to
    advice immediate patching of the system, which was scheduled. But then the
    guy that did it found out that RedHat no longer support the version we run
    with RPM's. The response apparently was that either significant parts of
    the system would need to be patched, which could cause stability problems
    (it's a little shaky at the moment!) or a new RH9 build would need to
    replace it.
    Yes, but I have to also try and evaluate the risk myself, so I know how far
    I should push it. I have already said I'm not happy with it being there
    unpatched. An exploit would give me far more fuel - Google'ing on it hasn't
    got me far though. Can anyone recommend a site that reveals whether or not
    various vulnerabilities have been exploited or not?



    a
     
    al, Oct 6, 2003
    #3
  4. You don't have to have rpms, you can download sendmail in a tarball, and
    no, significant parts of the system do not have to be replaced.
    The risk is that you are probably already compromised, I've seen
    substantial buffer overflow attempts almost immediately following the
    release. I'm not the only one seeing them, there may be a worm out
    there, but I have not yet confirmed it. If there is, it's probably
    tailored to linux.

    /steve
    --
    No one gives you more control of your e-mail than we do!
    http://www.cotse.net/servicedetails.html
    E-Mail, Anon Proxies, Remailers, Usenet, Web Hosting, More.
    The Internet's Full Service Privacy Website, Your Shield From The
    Internet.
     
    Stephen K. Gielda, Oct 6, 2003
    #4
  5. al

    al Guest

    That would work for RH 6.2? Sorry to be so vague, my involvement in this is
    as an advisory only, the machine is at another site and managed by one of
    our linux guys there ...
    I wouldn't have thought there was a worm out yet, as that would attract
    media attention and I've heard nothing. As for compromise - I still don't
    think it's all that likely until there's a worm out. Definitely possible
    though. This is why I'm trying to ascertain if there anyone's heard
    anything about an exploit - as soon as that happens it's bad news!


    a
     
    al, Oct 6, 2003
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.