SANS Alert - Critical Vulnerability in Sendmail and a Snort Vulnerability

Christian Vanguers wangee at linuxbe.org
Mon Mar 3 23:08:11 CET 2003


It's a little bit off-topic, but I'm sure some of you are running
Sendmail and/or Snort...

This post is just FYI

Chris


On Mon 03/03/2003 at 22:25, The SANS Institute wrote:
> 
> SANS Alert 2003-03-03
> Critical vulnerability in all versions of SENDMAIL
> Plus a Snort Vulnerability
> 
> And an invitation to a web broadcast on the vulnerabilities
> 
> The Sendmail Vulnerability
> What systems are affected? UNIX and Linux Systems running sendmail -
> probably even those that are not mail servers.
> Level: CRITICAL - affords root or superuser access when sendmail is
> running with those privileges.
> 
> A new critical vulnerability has been discovered in Sendmail. The UNIX
> and Linux vendors have been working feverishly to get a patch ready and
> most are available now.  Sendmail is too big a target for attackers to
> ignore, so it makes sense to act immediately to protect your systems.
> 
> In this note you will find:
> (1) The invitation to the webcast covering both vulnerabilities
> (2) DHS/NIPC Advisory 03-004 Remote Sendmail Header Processing
>     Vulnerability
> (3) A description of what government and industry did to try to
>     mitigate damage from this newly discovered vulnerability.
> (4) The Department of Homeland Security Alert on the Snort
>     Vulnerability
> 
> ********************************************************
> SANS Web Broadcast (free) on the Sendmail Vulnerability and the
> Snort Vulnerability
> 
> Date: March 3, 2003 (today)
> Time: 7 PM EST (0000 UTC)
> Register at: http://www.sans.org/webcasts/030303.php 
> There is an absolute limit of 2,000 people on the live program to
> ensure quality audio, but the archive will be available about 5 hours
> later for anyone who does not get a reservation.
> 
> Featuring the ISS X-Force folks (ISS discovered the vulnerability),
> Hal Pomeranz (sendmail expert) and Marty Roesch, author of Snort,
> will brief you on the Snort vulnerability.
> 
> Below you'll find the Department of Homeland Security advisory followed
> by a brief description of what happened behind the scenes inside the
> government followed by the DHS Snort vulnerability alert.
> 
> ***********************************************************************
> Here's the DHS/NIPC Advisory
> 
> Remote Sendmail Header Processing Vulnerability
> 
> SUMMARY:
> 
> The Department of Homeland Security (DHS), National Infrastructure
> Protection Center (NIPC) is issuing this advisory to heighten
> awareness of the recently discovered Remote Sendmail Header Processing
> Vulnerability (CAN-2002-1337). NIPC has been working closely with
> the industry on vulnerability awareness and information dissemination.
> 
> The Remote Sendmail Header Processing Vulnerability allows local and
> remote users to gain almost complete control of a vulnerable Sendmail
> server. Attackers gain the ability to execute privileged commands using
> super-user (root) access/control. This vulnerability can be exploited
> through a simple e-mail message containing malicious code. Sendmail is
> the most commonly used Mail Transfer Agent and processes an estimated
> 50 to 75 percent of all Internet e-mail traffic. System administrators
> should be aware that many Sendmail servers are not typically shielded
> by perimeter defense applications. A successful attacker could install
> malicious code, run destructive programs and modify or delete files.
> 
> Additionally, attackers may gain access to other systems
> through a compromised Sendmail server, depending on local
> configurations. Sendmail versions 5.2 up to 8.12.8 are known to be
> vulnerable at this time.
> 
> DESCRIPTION:
> 
> The Remote Sendmail Header Processing Vulnerability is exploited
> during the processing and evaluation of e-mail header fields collected
> during an SMTP transaction. Examples of these header fields are the
> "To", "From" and "CC" lines. The crackaddr() function in the Sendmail
> headers.c file allows Sendmail to evaluate whether a supplied address
> or list of addresses contained in the header fields is valid. Sendmail
> uses a static buffer to store processed data. It detects when the
> static buffer becomes full and stops adding characters. However,
> Sendmail continues processing data and several security checks are
> used to ensure that characters are parsed correctly. The vulnerability
> allows a remote attacker to gain access to the Sendmail server by
> sending an e-mail containing a specially crafted address field which
> triggers a buffer overflow.
> 
> RECOMMENDATION:
> Due to the seriousness of this vulnerability, the NIPC is strongly 
> recommending that system administrators who employ Sendmail take this 
> opportunity to review the security of their Sendmail software and to 
> either upgrade to Sendmail 8.12.8 or apply the appropriate patch for 
> older versions as soon as possible.
> Patches for the vulnerability are available from Sendmail, from ISS who 
> discovered the vulnerability and from vendors whose applications 
> incorporate Sendmail code, including IBM, HP, SUN, Apple and SGI. Other 
> vendors will release patches in the near future.
> The primary distribution site for Sendmail is: http://www.sendmail.org
> Patches and information are also available from the following sites:
> The ISS Download center http://www.iss.net/download
> IBM Corporation http://www.ibm.com/support/us/
> Hewlett-Packard Co. http://www.hp.com
> Silicon Graphics Inc. http://www.sgigate.sgi.com
> Apple Computer, Inc. http://www.apple.com/
> Sun Microsystems, Inc. http://www.sun.com/service/support/
> Common Vulnerabilities and Exposure (CVE) Project http://CVE.mitre.org
> 
> As always, computer users are advised to keep their anti-virus and 
> systems software current by checking their vendor's web sites frequently 
> for new updates and to check for alerts put out by the DHS/NIPC, 
> CERT/CC, ISS and other cognizant organizations. The DHS/NIPC encourages 
> recipients of this advisory to report computer intrusions to their local 
> FBI office (http://www.fbi.gov/contact/fo/fo.htm) and other appropriate 
> authorities. Recipients may report incidents online to 
> http://www.nipc.gov/incident/cirr.htm. The DHS/NIPC Watch and Warning 
> Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch at fbi.gov.
> 
> 
> ====
> 
> Background on government/industry cooperation to mitigate damage
> 
> The Sendmail Vulnerability Announced Today, March 3, 2003
> How Well Did The Cyber Defense Community Do?
> 
> Today, hundreds of thousands of people learned of a vulnerability in
> the sendmail program which is widely used for Internet mail handling.
> A vulnerability in such a widely used open source software program
> presents difficult challenges for the cyber defense community -
> including the need to get more than twenty different software
> organizations to act quickly and silently to develop patches.
> 
> Three primary actions are required to respond effectively to such
> a vulnerability:
> 
> 1. Verify that the vulnerability exists and is important.
> 2. Contact the key technical personnel at each of the software
> companies and other groups that distribute sendmail (either alone or
> with other software) and ensure that they develop and test patches
> and make them ready for widespread distribution.
> 3. Plan and execute an early warning and distribution strategy
> that enables critical infrastructure organizations in the US and in
> partner countries to be prepared for rapid deployment of the patches
> once they are ready.  This must be accomplished without leaking data
> about the vulnerability to the black hat community that exploits such
> vulnerabilities by creating worms like Code Red, Slapper, and Slammer.
> 
> When possible, several other actions may be appropriate: 
> 
> 4. Provide military and other very sensitive organizations with early
> access to the patches so their systems can be protected even before
> public disclosure of the vulnerability.
> 5. Use sensor networks with smart filters to test for exploitation.
> 6. Develop and distribute filters that can block the offending packets
> to protect systems that cannot or will not install patches immediately.
> 
> On Saturday, March 1, 2003, the US Department of Homeland Security
> became fully operational, although the elements of the new department
> had been working together for several weeks.  In cybersecurity, the new
> Department brings together four highly visible cybersecurity agencies:
> (1) The National Infrastructure Protection Center from the FBI, (2)
> FedCIRC from the General Services Administration, (3) the National
> Communications System program from the US Department of Defense, and
> (4) the Critical Infrastructure Assurance Office from the Department
> of Commerce.
> 
> Today's disclosure of a vulnerability in sendmail offers the
> opportunity to see how quickly and effectively the cyber defense
> community, led by this new Department, can respond to important
> threats.
> 
> Sendmail's vulnerability offers a legitimate test because sendmail
> handles a large amount of Internet mail traffic and is installed on
> at least 1.5 million Internet-connected systems. More than half of
> the large ISPs and Fortune 500 companies use sendmail, as do tens of
> thousands of other organizations. A security hole in sendmail affects
> a lot of people and demands their immediate attention.
> 
> You can draw your own conclusion on how well the problem is being
> handled. Here are the facts:
> 
> 1. On Friday, February 14, telephone calls to the Department of
> Homeland Security (DHS) and the White House Office of Cyberspace
> Security alerted the US government to a suspected sendmail
> vulnerability. The source of the data was Internet Security
> Systems (ISS), a well-respected security firm with solid security
> research credentials, giving the data an initial base level of
> credibility. However, to be more certain, DHS technical experts
> reviewed the details of the vulnerability and especially the
> tests that ISS had run to prove the existence and severity of the
> vulnerability. They were convinced.
> 
> 2. Almost immediately the DHS/White House team, working with ISS,
> contacted vendors that distribute sendmail, including Sun, IBM,
> HP, and SGI, as well as the Sendmail Consortium, the organization
> that develops the open source version of sendmail that is the core
> of sendmail distributed with both free and commercial operating
> systems. Partially because of government involvement, but primarily
> because the vulnerability involved the widely used sendmail package,
> the vendors immediately started working together on patches.
> 
> 3. The DHS/White House staff contacted and shared what they knew with
> the US Department of Defense and the Federal CIO Council. Through the
> Federal CIO Council, the US FedCIRC and US Office of Management and
> Budget were added to the coordinating team. Together the government
> planners, ISS, and the vendors developing patches worked out a plan
> for public dissemination of the vulnerability information and patch
> distribution.
> 
> 4. To help ensure that the open source LINUX and BSD distributions
> (Red Hat, SUSE, OpenBSD, etc.) developed patches, the Computer
> Emergency Response Team at Carnegie Mellon University (CERT/CC) was
> brought into the project. CERT/CC deployed its formalized process to
> inform the LINUX and BSD distribution developers and to assist them
> in getting the corrected source code and any additional knowledge
> needed to create the patch. CERT/CC (which is funded, in part, by two
> organizations being merged into DHS and by the DoD) also created an
> advisory to educate system administrators and the security community
> in general on the vulnerability, on which systems are affected,
> and on where to get the patches for each affected system.
> 
> 5. Some of the large commercial vendors developed the patches very
> quickly, but the delayed notice to smaller sources of sendmail
> distributions and limited resources at those organizations meant
> that not all the patches would be ready by early in the week of
> February 23. The coordinating group faced a decision of whether to
> release data about the exploit before most patches were ready or to
> wait. The answer depended on whether they had reason to believe an
> exploit was already being used by attackers. They had two sources
> of information that led them to conclude waiting an extra week was
> acceptable. First, people who monitored the hacker discussion groups
> reported that this vulnerability did not seem to be one that was being
> discussed. Second, the organization that discovered the vulnerability,
> ISS, had deployed sensors for the exploit in a number of places
> around the world. Those sensors were showing no exploits. Based on
> both sets of data, the coordination group decided to schedule the
> announcement for Monday, March 3. A second-order reason to schedule
> a Monday announcement was that some members of the team believed
> that Monday-Tuesday announcements generate more rapid and complete
> patching than announcements made late in the week.
> 
> 6. Since some of the patches were ready, the coordination group
> decided to provide what was available to the US DoD so that military
> sites could have the protection as early as possible. The military
> distributions took place on or around February 25 and 26.
> 
> 7. On February 27 and 28, government groups in the US and in several
> other countries were given early warnings, without details about how
> the vulnerability could be exploited, to help them plan for rapid
> deployment of the patches when they were released on March 3. In
> addition to the Chief Information Officers of US Cabinet level
> departments, and the directors or deputy directors of national
> cyber security offices in several other countries, the officers of
> the critical infrastructure Information Sharing And Analysis Centers
> (ISACs) were also briefed so they could be ready for rapid information
> distribution to commercial organizations such as banks and utilities,
> that comprise the critical infrastructure.
> 
> 8. On March 3, beginning about 10 am EST, alerts began flowing to
> federal agencies from FedCIRC and to the critical infrastructure
> companies from the ISACs. At noon, ISS released their advisory,
> followed by CERT/CC's general release. Once the data was public,
> the SANS Institute also issued a release and scheduled free web-based
> education programs.
> 
> ====
> 
> DHS/NIPC Advisory 03-003 Snort Buffer Overflow Vulnerability 
> 
> The Department of Homeland Security (DHS), National Infrastructure
> Protection Center (NIPC) has been informed of a recently discovered
> serious vulnerability in Snort, a widely used Intrusion Detection
> System (IDS).  DHS/NIPC has been working closely with the Internet
> security industry on vulnerability awareness and is issuing this
> advisory in conjunction with public announcements.
> 
> Snort is available in open source and commercial versions from
> Sourcefire, a privately held company headquartered in Columbia, MD.
> Details are available from Sourcefire.  See Snort Vulnerability
> Advisory [SNORT-2003-001].  The affected Snort versions include all
> versions of Snort from version 1.8 through current.  Snort 1.9.1 has
> been released to resolve this issue.
> 
> The vulnerability was discovered by Internet Security Systems (ISS),
> and is a buffer overflow in the Snort Remote Procedure Call (RPC)
> normalization routines.  This buffer overflow can cause snort to
> execute arbitrary code embedded within sniffed network packets.
> Depending upon the particular implementation of Snort this may give
> local and remote users almost complete control of a vulnerable machine.
> The vulnerability is enabled by default.  Mitigation instructions
> for immediate protections prior to installing patches or upgrading
> are described in the Snort Vulnerability Advisory.
> 
> Due to the seriousness of this vulnerability, the DHS/NIPC strongly
> recommends that system administrators or security managers who employ
> Snort take this opportunity to review their security procedures and
> patch or upgrade software with known vulnerabilities.
> 
> Sourcefire has acquired additional bandwidth and hosting to aid users
> wishing to upgrade their Snort implementation. Future information
> can be found at:
> http://www.sourcefire.com/
> 
> As always, computer users are advised to keep their anti-virus
> and systems software current by checking their vendor's web sites
> frequently for new updates and to check for alerts put out by the
> DHS/NIPC, CERT/CC, ISS and other cognizant organizations.  The DHS/NIPC
> encourages recipients of this advisory to report computer intrusions to
> their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) and other
> appropriate authorities.  Recipients may report incidents online to
> http://www.nipc.gov/incident/cirr.htm.  The DHS/NIPC Watch and Warning
> Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch at fbi.gov.
> 
> 
> == end ==
> 
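The crackaddr() defect the advisory describes (a fixed buffer whose copy stops when full while the parser keeps going) is easier to reason about in code. The following is an added toy model in C written for this post; it is not sendmail's code and not part of the advisory. copy_addr, overflows, normalizes_to and OUT_LEN are invented names, and the unchecked second write path is an assumption used to illustrate the bug class, not a claim about sendmail's actual source.

```c
#include <stddef.h>
#include <string.h>

/* Toy model (NOT sendmail's crackaddr) of the defect class described in the
 * advisory: a routine that copies an address into a fixed-size buffer, stops
 * copying once the buffer is full, but keeps parsing and owns a second write
 * path that was never given the same bounds check.  The missing check on the
 * second path is an assumption made for illustration. */

#define OUT_LEN 8   /* logical size of the toy output buffer */

/* Copies 'in' into out[0..outsz-1], dropping "(comments)" and appending the
 * '>' that closes an unterminated '<'.  With checked_close == 0 the closing
 * '>' bypasses the limit (vulnerable pattern); with 1 every write is checked.
 * Returns the number of bytes stored including the terminating NUL. */
static size_t copy_addr(const char *in, char *out, size_t outsz, int checked_close)
{
    char *bp = out;
    char *lim;
    int depth = 0, angle = 0;

    if (outsz == 0)
        return 0;
    lim = out + outsz - 1;              /* last slot is reserved for NUL */
    for (; *in; in++) {
        if (*in == '(') { depth++; continue; }
        if (*in == ')') { if (depth) depth--; continue; }
        if (depth) continue;            /* inside a comment: not copied */
        if (*in == '<') angle = 1;
        if (*in == '>') angle = 0;
        if (bp < lim) *bp++ = *in;      /* copying stops when full ... */
        /* ... but the parser state (depth, angle) keeps advancing */
    }
    if (angle && (!checked_close || bp < lim))
        *bp++ = '>';                    /* unchecked when checked_close == 0 */
    *bp = '\0';
    return (size_t)(bp - out) + 1;
}

/* Runs copy_addr into an OUT_LEN-byte logical buffer placed inside a larger
 * arena so the off-by-one can be observed without undefined behaviour.
 * Returns 1 if the sentinel byte just past the logical buffer was clobbered. */
int overflows(const char *in, int checked_close)
{
    char arena[OUT_LEN + 8];
    memset(arena, 0x5a, sizeof arena);  /* sentinel fill */
    copy_addr(in, arena, OUT_LEN, checked_close);
    return arena[OUT_LEN] != 0x5a;
}

/* Convenience check for the hardened path: does 'in' normalise to 'want'? */
int normalizes_to(const char *in, const char *want)
{
    char buf[16];
    copy_addr(in, buf, sizeof buf, 1);
    return strcmp(buf, want) == 0;
}
```

The defensive lesson is that every write path into a fixed buffer, including the ones that fix up state after the main loop, must go through the same bounds check, and that a full buffer should be reported rather than silently parsed past.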




Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users