Major vulnerability threatens global e-mail security

IT security professionals have been working frantically for the past two weeks to fix a major internet vulnerability that could have had disastrous consequences for millions of businesses.

Since 14 February, the US Department of Homeland Security (DHS) and the White House Office of Cyberspace Security have been working with Internet Security Systems (ISS) to fix a major buffer overflow vulnerability in the sendmail mail transfer agent (MTA).

Early versions of a patch were made available to US military units last week after White House officials expressed concern about the vulnerability of military systems ahead of any conflict with Iraq.

However, information about the vulnerability was not released to the business community until yesterday (3 March).

Sendmail handles between half and three-quarters of all internet e-mail traffic. Versions of the software, from 5.79 to 8.12.7, are vulnerable, according to an ISS alert issued publicly yesterday.

ISS discovered the vulnerability on 13 February. It then contacted the homeland security officials, who began the process of alerting IT suppliers that distribute sendmail, including Sun Microsystems, IBM, Hewlett-Packard and Silicon Graphics, as well as the Sendmail Consortium, the organisation that develops the open-source version of sendmail that is distributed with both free and commercial operating systems.

The seriousness of the vulnerability, coupled with the fact that the hacker community was unaware of it, caused the government and ISS to decide it was better to keep the news under wraps until patches could be developed.

The Sendmail Consortium has urged all users to either upgrade to Sendmail 8.12.8 or apply a patch for 8.12.x (or for older versions).

Updates can be downloaded from or any of its mirrors, or from the Sendmail Consortium's site. The consortium said patch users should remember to check the PGP signatures of any patches or releases obtained. It also suggested that those running the open-source version of sendmail check with their vendors for a patch.

Sendmail, the commercial provider of the sendmail MTA, is providing a binary patch for its commercial customers that can be downloaded from Sendmail's website.

"The Remote Sendmail Header Processing Vulnerability allows local and remote users to gain almost complete control of a vulnerable Sendmail server," according to an alert prepared Monday by the DHS.

"Attackers gain the ability to execute privileged commands using super-user [root] access/control. This vulnerability can be exploited through a simple e-mail message containing malicious code.

"System administrators should be aware that many sendmail servers are not typically shielded by perimeter defence applications" such as firewalls, the DHS alert warned. "A successful attacker could install malicious code, run destructive programs and modify or delete files."

Additionally, attackers could gain access to other systems through a compromised sendmail server, depending on local configurations.

According to ISS, the sendmail remote vulnerability occurs when processing and evaluating header fields in e-mail collected during a Simple Mail Transfer Protocol (SMTP) transaction.
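The bug class behind this kind of header-processing flaw is a fixed-size buffer whose free-space bookkeeping can be driven out of step with the buffer's real capacity by a crafted address. The following constructed C illustration is added here to show the pattern beside its hardened form; it is not sendmail's own header-parsing code, and the function names, the bracket-reservation rule and the sample inputs are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example, not sendmail code.  copy_addr() copies an address
 * taken from a mail header into a fixed-size output buffer.  For every
 * '<' it reserves one byte so that an unbalanced address can be closed
 * with '>' on output; a matching '>' gives that reserved byte back.
 *
 * The vulnerable variant gives a byte back for *every* '>', even when no
 * '<' ever reserved one.  A header made of unmatched '>' characters then
 * keeps `avail` at full capacity while `n` grows without bound, and the
 * writes run past the end of `out` (the overflow condition, reduced to
 * its bookkeeping error).  The hardened variant only releases a byte
 * that was actually reserved, which preserves n + depth + avail == outsz-1.
 */
static size_t copy_addr(const char *in, char *out, size_t outsz, int hardened)
{
    size_t avail = outsz - 1;   /* bytes we may still write, NUL excluded */
    size_t n = 0;               /* bytes written so far */
    size_t depth = 0;           /* '<' seen without a matching '>' */

    for (; *in != '\0'; in++) {
        if (*in == '<') {
            if (avail < 2)      /* need room for '<' and the '>' we will owe */
                break;
            avail -= 2;
            depth++;
        } else if (*in == '>') {
            if (depth > 0) {
                depth--;
                avail++;        /* release the byte reserved for this '>' */
            } else if (!hardened) {
                avail++;        /* BUG: nothing was reserved; capacity now overstated */
            }
            if (avail < 1)
                break;
            avail--;
        } else {
            if (avail < 1)
                break;
            avail--;
        }
        out[n++] = *in;
    }
    while (depth-- > 0)         /* close brackets still owed; space was reserved above */
        out[n++] = '>';
    out[n] = '\0';
    return n;
}

size_t copy_addr_vuln(const char *in, char *out, size_t outsz)
{
    return copy_addr(in, out, outsz, 0);
}

size_t copy_addr_safe(const char *in, char *out, size_t outsz)
{
    return copy_addr(in, out, outsz, 1);
}

int main(void)
{
    char hostile[31];           /* constructed header value: 30 unmatched '>' */
    memset(hostile, '>', 30);
    hostile[30] = '\0';

    /* 64 bytes of canary around a logical 16-byte destination so the
     * overrun is observable without corrupting anything else. */
    char buf[64];
    memset(buf, 'X', sizeof buf);
    size_t n = copy_addr_vuln(hostile, buf, 16);
    printf("vulnerable: wrote %zu bytes into a 16-byte buffer, buf[20]=%c\n", n, buf[20]);

    memset(buf, 'X', sizeof buf);
    n = copy_addr_safe(hostile, buf, 16);
    printf("hardened:   wrote %zu bytes, buf[16] still canary=%c\n", n, buf[16]);

    char out[32];
    copy_addr_safe("<joe@example.org", out, sizeof out);
    printf("hardened on a normal address: %s\n", out);
    return 0;
}
```

The invariant stated in the comment (bytes written plus brackets owed plus bytes available never exceeds the buffer's content capacity) is the check a reviewer would look for in any hand-rolled header copier; the vulnerable variant violates it on the first unmatched '>'.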
