Sendmail prescan() buffer overflow vulnerability

Overview

Sendmail contains a buffer overflow vulnerability in code that parses email addresses. This vulnerability could allow a remote attacker to execute arbitrary code or cause a denial of service on a vulnerable system.

Description

Sendmail is a widely used mail transfer agent (MTA). There is a buffer overflow vulnerability in code that parses email addresses.

When processing email messages, sendmail creates tokens from address elements (user, host, domain). The code that performs this function (prescan() in parseaddr.c) contains a vulnerability that could allow a remote attacker to overwrite memory structures and execute arbitary code. The attacker could exploit this vulnerability using an email message with a specially crafted address. Such a message could be passed through MTAs that are not vulnerable.

Further information is available in a message by Michal Zalewski.

This is a different vulnerability than the one described in CA-2003-12/VU#897604.

---

Impact

A remote attacker could execute arbitrary code with the privileges of the Sendmail process, typically root. The attacker may also be able to cause a denial of service.

---

Solution

Upgrade or Patch
Upgrade or apply a patch as specified by your vendor. Sendmail has released version 8.12.10 and a patch that resolve this issue.

---

Enable RunAsUser

Consider setting the RunAsUser option to reduce the impact of this vulnerability. It is typically considered to be a good security practice to limit the privileges of applications and services whenever possible.

---

Vendor Information

784980

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Apple Computer Inc. __ Affected

Notified: September 17, 2003 Updated: September 25, 2003

Status

Affected

Vendor Statement

Mac OS X 10.2.8 contains the patches to address CVE CAN-2003-0694 and CAN-2003-0681 to fix a buffer overflow in address parsing, as well as a potential buffer overflow in ruleset parsing.

Mac OS X 10.2.8 is available as a free update for customers running Mac OS X 10.2.x. It is available from:

Mac OS X Client (updating from 10.2 - 10.2.5):
<http://www.info.apple.com/kbnum/n120244&gt;

Mac OS X Client (updating from 10.2.6 - 10.2.7):
<http://www.info.apple.com/kbnum/n120245&gt;

Mac OS X Server (updating from 10.2 - 10.2.5):
<http://www.info.apple.com/kbnum/n120246&gt;

Mac OS X Server (updating from 10.2.6 - 10.2.7):
<http://www.info.apple.com/kbnum/n120247&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See also: APPLE-SA-2003-09-22.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Conectiva __ Affected

Notified: September 17, 2003 Updated: September 18, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please CLSA-2003:742.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Debian __ Affected

Notified: September 17, 2003 Updated: September 18, 2003

Status

Affected

Vendor Statement

The sendmail and sendmail-wide packages are vulnerable to this issue. Updated packages are being prepared and will be available soon.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see DSA-384.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

FreeBSD __ Affected

Notified: September 17, 2003 Updated: September 25, 2003

Status

Affected

Vendor Statement

FreeBSD was affected, and all details are available at <URL: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:13.sendmail.asc>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see FreeBSD-SA-03:13.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Gentoo Linux __ Affected

Updated: September 18, 2003

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200309-13
- - - ---------------------------------------------------------------------

PACKAGE : sendmail
SUMMARY : buffer overflows
DATE : 2003-09-17 20:52 UTC
EXPLOIT : remote
VERSIONS AFFECTED : <sendmail-8.2.10
FIXED VERSION : >=sendmail-8.2.10
CVE :

- - - ---------------------------------------------------------------------

quote from release notes:

"Fix a buffer overflow in address parsing. Problem detected by
Michal Zalewski, patch from Todd C. Miller of Courtesan Consulting.

Fix a potential buffer overflow in ruleset parsing. This problem
is not exploitable in the default sendmail configuration;
only if non-standard rulesets recipient (2), final (4), or
mailer-specific envelope recipients rulesets are used then
a problem may occur. Problem noted by Timo Sirainen."

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-mail/sendmail upgrade to sendmail-8.2.10 as follows:

emerge sync
emerge sendmail
emerge clean

- - - ---------------------------------------------------------------------
[email protected] - GnuPG key is available at <http://dev.gentoo.org/~aliz>
- - - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/aMmXfT7nyhUpoZMRAoyYAJwOr62OQN3G+SXYMC5QXPuU2EjYbACcCfVL
rSrMrf+lRPq9Nqh+pa18i8A=
=c+4s
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Hewlett-Packard Company __ Affected

Notified: September 17, 2003 Updated: September 24, 2003

Status

Affected

Vendor Statement

SOURCE: Hewlett-Packard Company Software Security Response Team (SSRT)

Date: 18 September, 2003
CROSS REFERENCE ID: SSRT3631

At the time of writing this document, Hewlett Packard is currently investigating the potential impact to HP released operating system software.

HP will provide notice of the availability of any necessary patches through standard security bulletin announcements and be available from your normal HP Services support channel.

To report any security issue for any HP software products send email to [email protected]

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see HPSBUX0309-281.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

IBM __ Affected

Notified: September 17, 2003 Updated: September 18, 2003

Status

Affected

Vendor Statement

The AIX Security Team is aware of the issues discussed in CERT Vulnerability Note VU#784980 and CERT Advisory CA-2003-25.

The following APARs will be released to address this issue:

APAR number for AIX 4.3.3: IY48659 (available approx. 10/03/03)
APAR number for AIX 5.1.0: IY48658 (available approx. 10/15/03)
APAR number for AIX 5.2.0: IY48657 (available approx. 10/29/03)
An e-fix will be available shortly. The e-fix will be available from:

<ftp://ftp.software.ibm.com/aix/efixes/security/sendmail_4_efix.tar.Z&gt;
This vendor statement will be updated when the e-fix becomes available.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

IBM eServer __ Affected

Notified: September 17, 2003 Updated: September 24, 2003

Status

Affected

Vendor Statement

IBM eServer Response
IBM eServer Platform Response

For information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/security=alerts?OpenDocument&pathID.

In order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to <http://app-06.www.ibm.com/servers/resourcelink&gt; and follow the steps for registration.

All questions should be refered to [email protected].

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

MandrakeSoft __ Affected

Notified: September 17, 2003 Updated: September 18, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see MDKSA-2003:092.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

NETBsd __ Affected

Notified: September 17, 2003 Updated: September 17, 2003

Status

Affected

Vendor Statement

NetBSD-current ships with sendmail 8.12.9 since June 1, 2003. The patch was applied on September 17, 2003. In the near future we would upgrade to sendmail 8.12.10.

Our official releases, such as NetBSD 1.6.1, are also affected (they ship with older version of sendmail). They will be patched as soon as possible. We would issue NetBSD Security Advisory on this matter.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

OpenPKG __ Affected

Updated: September 24, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see OpenPKG-SA-2003.041.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Red Hat Inc. __ Affected

Notified: September 17, 2003 Updated: September 18, 2003

Status

Affected

Vendor Statement

Red Hat Linux and Red Hat Enterprise Linux ship with a Sendmail package vulnerable to these issues. Updated Sendmail packages are available along with our advisory at the URLs below. Users of the Red Hat Network can update their systems using the ‘up2date’ tool.

Red Hat Linux:

<http://rhn.redhat.com/errata/RHSA-2003-283.html&gt;
Red Hat Enterprise Linux:

<http://rhn.redhat.com/errata/RHSA-2003-284.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

SGI __ Affected

Notified: September 17, 2003 Updated: September 29, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see 20030903-01-P.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Secure Computing Corporation __ Affected

Updated: September 24, 2003

Status

Affected

Vendor Statement

Sidewinder® and Sidewinder G2 Firewall™ (including all appliances)

Not Vulnerable.

Sidewinder v5.x & Sidewinder G2 v6.x’s embedded Type Enforcement® technology strictly limits the capabilities of Secure Computing’s modified version of the Sendmail code integrated into the firewall’s SecureOS operating system. Any attempt to exploit this vulnerability in the Sendmail code running on the firewalls results in an automatic termination of the attacker’s connection and multiple Type Enforcement alarms.

Gauntlet™ & Gauntlet e-ppliance

Vulnerable.

Gauntlet and Gauntlet e-ppliance firewalls have limited vulnerability to this exploit. The sendmail daemon runs without root privilege, containing the effect of any exploit.

Gauntlet customers should obtain a sendmail patch from the appropriate OS vendor. Gauntlet e-ppliance customers should contact Secure Computing Customer Support for a Gauntlet e-ppliance patch.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Sendmail Inc. __ Affected

Updated: September 18, 2003

Status

Affected

Vendor Statement

All commercial releases including Sendmail Switch, Sendmail Advanced Message Server (which includes the Sendmail Switch MTA), and Sendmail for NT are affected by this issue. Patch

information is available at <http://www.sendmail.com/security/&gt;.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Slackware __ Affected

Updated: September 17, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see SSA:2003-260-02.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

SuSE Inc. __ Affected

Notified: September 17, 2003 Updated: September 24, 2003

Status

Affected

Vendor Statement

SuSE products shipping sendmail are affected. Update packages that fix the vulnerability are being prepared and will be published shortly.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see SuSE-SA:2003:040.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Sun Microsystems Inc. __ Affected

Notified: September 17, 2003 Updated: September 18, 2003

Status

Affected

Vendor Statement

Sun acknowledges that our versions of sendmail on Solaris releases 7, 8 and 9 are affected by this issue. The affected versions of sendmail are 8.11.7+Sun (and earlier) on S7 and S8, and 8.12.9+Sun (and earlier) on S9. The new versions with the fix will be 8.11.7p1+Sun on S7 and S8, and 8.12.10+Sun on S9.

A Sun Alert for this issue will be issued soon and will be available from:

<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/56860&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

The Sendmail Consortium __ Affected

Notified: September 17, 2003 Updated: September 18, 2003

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

Sendmail, Inc., and the Sendmail Consortium announce the availability
of sendmail 8.12.10. It contains a fix for a security problem
discovered by Michal Zalewski whom we thank for bringing this problem
to our attention. We also want to thank Todd C. Miller for providing
a patch. sendmail 8.12.10 also includes fixes for other potential
problems, see the release notes below for more details. Sendmail
urges all users to either upgrade to sendmail 8.12.10 or apply a
patch which is part of this announcement. Remember to check the
PGP signatures of patches or releases obtained via FTP or HTTP (to
check the correctness of the patch in this announcement please
verify the PGP signature of it). For those not running the open
source version, check with your vendor for a patch.

For a complete list of changes see the release notes down below.

Please send bug reports to [email protected] as usual.
Please send security reports to [email protected] using
PGP encryption.

Note: We have changed the way we digitally sign the source code
distributions to simplify verification: in contrast to earlier
versions two .sig files are provided, one each for the gzip'ed
version and the compressed version. That is, instead of signing the
tar file, we sign the compressed/gzip'ed files, so you do not need
to uncompress the file before checking the signature.

This version can be found at

ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.gz.sig
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.Z
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.Z.sig

and the usual mirror sites.

MD5 signatures:

393f5d09d462f522c8288363870b2b42 sendmail.8.12.10.tar.gz
345042839dec70f0a0b5aaeafcf3a0e3 sendmail.8.12.10.tar.gz.sig
36b2b74577a96f79c242ff036321c2ff sendmail.8.12.10.tar.Z
1b9cd61e1342207148d950feafab0f07 sendmail.8.12.10.tar.Z.sig

You either need the first two files or the third and fourth, i.e.,
the gzip'ed version or the compressed version and the corresponding
.sig file. The PGP signature was created using the Sendmail Signing
Key/2003, available on the web site (http://www.sendmail.org/) or
on the public key servers.

Since sendmail 8.11 and later includes hooks to cryptography, the
following information from OpenSSL applies to sendmail as well.

PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME
PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR
COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL
SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE
YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT
AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR
ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.

SENDMAIL RELEASE NOTES
$Id: RELEASE_NOTES,v 8.1340.2.165 2003/09/16 20:50:42 ca Exp $

This listing shows the version of the sendmail binary, the version
of the sendmail configuration files, the date of release, and a
summary of the changes in that release.

8.12.10/8.12.102003/09/24
SECURITY: Fix a buffer overflow in address parsing. Problem
detected by Michal Zalewski, patch from Todd C. Miller
of Courtesan Consulting.
Fix a potential buffer overflow in ruleset parsing. This problem
is not exploitable in the default sendmail configuration;
only if non-standard rulesets recipient (2), final (4), or
mailer-specific envelope recipients rulesets are used then
a problem may occur. Problem noted by Timo Sirainen.
Accept 0 (and 0/0) as valid input for set MaxMimeHeaderLength.
Problem noted by Thomas Schulz.
Add several checks to avoid (theoretical) buffer over/underflows.
Properly count message size when performing 7->8 or 8->7 bit MIME
conversions. Problem noted by Werner Wiethege.
Properly compute message priority based on size of entire message,
not just header. Problem noted by Axel Holscher.
Reset SevenBitInput to its configured value between SMTP
transactions for broken clients which do not properly
announce 8 bit data. Problem noted by Stefan Roehrich.
Set {addr_type} during queue runs when processing recipients.
Based on patch from Arne Jansen.
Better error handling in case of (very unlikely) queue-id conflicts.
Perform better error recovery for address parsing, e.g., when
encountering a comment that is too long. Problem noted by
Tanel Kokk, Union Bank of Estonia.
Add ':' to the allowed character list for bogus HELO/EHLO
checking. It is used for IPv6 domain literals. Patch from
Iwaizako Takahiro of FreeBit Co., Ltd.
Reset SASL connection context after a failed authentication attempt.
Based on patch from Rob Siemborski of CMU.
Check Berkeley DB compile time version against run time version
to make sure they match.
Do not attempt AAAA (IPv6) DNS lookups if IPv6 is not enabled
in the kernel.
When a milter adds recipients and one of them causes an error,
do not ignore the other recipients. Problem noted by
Bart Duchesne.
CONFIG: Use specified SMTP error code in mailertable entries which
lack a DSN, i.e., "error:### Text". Problem noted by
Craig Hunt.
CONFIG: Call Local_trust_auth with the correct argument. Patch
from Jerome Borsboom.
CONTRIB: Better handling of temporary filenames for doublebounce.pl
and expn.pl to avoid file overwrites, etc. Patches from
Richard A. Nelson of Debian and Paul Szabo.
MAIL.LOCAL: Fix obscure race condition that could lead to an
improper mailbox truncation if close() fails after the
mailbox is fsync()'ed and a new message is delivered
after the close() and before the truncate().
MAIL.LOCAL: If mail delivery fails, do not leave behind a
stale lockfile (which is ignored after the lock timeout).
Patch from Oleg Bulyzhin of Cronyx Plus LLC.
Portability:
Port for AIX 5.2. Thanks to Steve Hubert of University
of Washington for providing access to a computer
with AIX 5.2.
setreuid(2) works on OpenBSD 3.3. Patch from
Todd C. Miller of Courtesan Consulting.
Allow for custom definition of SMRSH_CMDDIR and SMRSH_PATH
on all operating systems. Patch from Robert Harker
of Harker Systems.
Use strerror(3) on Linux. If this causes a problem on
your Linux distribution, compile with
-DHASSTRERROR=0 and tell sendmail.org about it.
Added Files:
devtools/OS/AIX.5.2

Instructions to extract and apply the patch for sendmail:

Store the data between "========= begin patch ========" and "=========
end patch ==========" into a file called "/PATH/TO/patch.sm" (replace
"/PATH/TO" with a path of your choice) and apply the following
command in the sendmail-VERSION/sendmail/ directory (note: if you
have a really old version then cd to sendmail-VERSION/src/)

patch < /PATH/TO/patch.sm

You should also edit the file version.c and change the version
number to indicate that you changed sendmail. We suggest to add the
date, e.g., change "8.12.9" to "8.12.9-20030924". Then recompile
sendmail, install the new binary, and restart the daemon.

========= begin patch ========

diff -u -r8.359.2.8 parseaddr.c
- --- parseaddr.c3 Apr 2003 16:20:54 -00008.359.2.8
+++ parseaddr.c16 Sep 2003 18:06:22 -0000
@@ -700,7 +700,11 @@
addr[MAXNAME] = '\0';
returnnull:
if (delimptr != NULL)
+{
+if (p > addr)
+--p;
*delimptr = p;
+}
CurEnv->e_to = saveto;
return NULL;
}
========= end patch ==========
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (OpenBSD)

iQCVAwUBP2iCMCGD4bE5bweJAQEMEAQAmUIObksnrvumniaX6zaw/iJ4ACQcsGpj
Ev2BT0ZsRwqy9cC9PKKySvcHbTw2dR/RAdEnASM4jrIGewAuOVzFv0AhELvw2wF+
c0brwXUqCuczODnDClB3tjNXozzobCGf44xGkOqZXb5F+J3KjBiIVtnE2PtQtW4i
PAq/SXLSihA=
=NkDA
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

TurboLinux __ Affected

Updated: September 18, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see TLSA-2003-52.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Wirex __ Affected

Notified: September 17, 2003 Updated: September 18, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see IMNX-2003-7±021-01.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

F5 Networks __ Not Affected

Notified: September 17, 2003 Updated: September 17, 2003

Status

Not Affected

Vendor Statement

BIG-IP and 3-DNS products are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Lotus Software __ Not Affected

Notified: September 17, 2003 Updated: September 17, 2003

Status

Not Affected

Vendor Statement

This is a sendmail-specific issue that does not affect any Lotus products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Network Appliance __ Not Affected

Notified: September 17, 2003 Updated: September 17, 2003

Status

Not Affected

Vendor Statement

NetApp products are not vulnerable to this problem.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Openwall GNU/*/Linux __ Not Affected

Notified: September 17, 2003 Updated: September 18, 2003

Status

Not Affected

Vendor Statement

Openwall GNU/*/Linux is not vulnerable. We ship Postfix, not Sendmail.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Syntegra __ Not Affected

Updated: September 25, 2003

Status

Not Affected

Vendor Statement

Syntegra is not affected by this problem.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

3Com Unknown

Notified: September 17, 2003 Updated: September 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

AT&T Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Alcatel Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Avaya Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Cisco Systems Inc. Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Computer Associates Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Cray Inc. Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

D-Link Systems Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Data General Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Extreme Networks Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Foundry Networks Inc. Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Fujitsu Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Guardian Digital Inc. Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Hitachi Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Ingrian Networks Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Intel Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Juniper Networks Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Lucent Technologies Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Microsoft Corporation Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

MontaVista Software Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Multi-Tech Systems Inc. Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Multinet Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

NEC Corporation Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

NetScreen Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Nokia Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Nortel Networks Unknown

Notified: September 17, 2003 Updated: September 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

OpenBSD Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Oracle Corporation Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Redback Networks Inc. Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Riverstone Networks Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

SCO Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Sequent Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Sony Corporation Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Unisys Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Wind River Systems Inc. Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

Xerox Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

ZyXEL Unknown

Notified: September 17, 2003 Updated: September 18, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784980 Feedback>).

View all 63 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://archives.neohapsis.com/archives/fulldisclosure/2003-q3/4119.html&gt;
• <http://archives.neohapsis.com/archives/sendmail/2003-q3/0002.html&gt;
• <http://www.sendmail.org/8.12.10.html&gt;
• <http://www.sendmail.org/patches/parse8.359.2.8&gt;

Acknowledgements

This vulnerability was discovered by Michal Zalewski.

This document was written by Art Manion.

Other Information

CVE IDs:	CVE-2003-0694
CERT Advisory:	CA-2003-25 Severity Metric: