-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
Sendmail-SA-200607-02                                     Security Advisory
                                                              Sendmail, Inc.

Topic:          Unvalidated Hostname Use in Milter-based Filters

Class:          Policy Bypass
Severity:       Critical
Announced:      2006-08-09 09:00 PDT
Revised:        2006-08-16 10:00 PDT
Affects:        Flow Control (all versions)
                Various Third Party Milters
Resolved:       Sendmail Switch 3.1.10
                Sendmail Switch 3.2.3, 3.2.4
                Sendmail Switch for Windows 3.1.5
                Sendmail Sentrion 1.5.4

For general information regarding Sendmail, Inc. Security Advisories,
including descriptions of the fields above, other security advisories,
and the following sections, please visit .

I.   Background

Several Sendmail products, including Sendmail Switch and Sentrion, include
the ability to filter mail through various programs such as Flow Control,
Mailstream Manager, and several third party filters. The MTA sends
information to these filters, including the hostname and IP address of the
connecting SMTP client. Filters may use this information to make policy
decisions. For example, Flow Control implements a filter through which
inbound mail passes in order to limit flow or reject mail. Those limits are
defined in terms of classes which are built from this connecting client
information.

II.  Problem Description

The hostname sent by the MTA to the filters as described above is the
result of a reverse (PTR) lookup that has not been validated by a
subsequent forward (A or AAAA) lookup. Because the holder of an IP address
controls the PTR record for that address, this makes spoofing of the
hostname possible. Many filters treat this hostname as valid and do not
perform any further verification of the information sent by the MTA.

III. Impact

Since the hostname used by the filter is not validated, an attacker can
bypass all hostname-based policy by forging their reverse DNS information
to resolve to a name that is trusted by the system under attack.
For example, an attacker can claim that the hostname for their IP address
is "localhost" instead of "attacker.example.com", causing any policies that
look for "attacker.example.com", "*.example.com", or "*.com" to be skipped.
Additionally, if there is a policy for "localhost" which grants open access,
that policy would be applied even though the connection did not come from
the local host.

IV.  Workaround

If you are unable to install the patch immediately, you can work around
this problem by changing any filters which use the hostname from the MTA
for policy decisions. For example, change the Flow Control policy to
provide protection based only on IP addresses, without any hostname or
domain policies.

Note that the use of localhost above is just an example; specifying a
special "Host localhost" policy to catch this would not work, as attackers
can forge any hostname they wish.

V.   Solution

Sendmail, Inc. has released patches for Sendmail Switch and Sentrion to
address this problem. The patch changes the behavior of the MTA to the
documented behavior of sending a validated hostname to filters: the name
returned by the reverse (PTR) lookup is accepted only if a forward (A or
AAAA) lookup of that name returns the connecting IP address. If the client
hostname cannot be validated, the IP address enclosed in square brackets,
e.g., "[192.168.21.45]", is sent as the hostname instead. By doing so, the
MTA protects filters from spoofing and saves you from having to patch each
individual filter which uses the unvalidated hostname.

Note that the MTA is not itself subject to attack. The problem will exhibit
itself only with mail filters that act upon the hostname in their policies.
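The following Python example is added here to make the validation step concrete; it is illustrative code written for this page, not Sendmail's patch and not part of the advisory. It contrasts the pre-patch behavior (the raw PTR name is handed to the filter) with the patched behavior (the PTR name is kept only if an A/AAAA lookup of it returns the connecting address, otherwise the bracketed IP literal is used), then runs both through a simplified host policy table. The DNS records, the 192.0.2.0/24 addresses, the policy table and all function names are constructed for the example, and the "*.domain" matching is a simplified stand-in for Flow Control's class syntax, which the advisory does not specify.

```python
import ipaddress
import socket

# Constructed DNS data for the example (not real records). 192.0.2.0/24 is
# the TEST-NET-1 documentation range. The attacker at 192.0.2.10 controls the
# PTR record for their own address and points it at "localhost".
FAKE_PTR = {
    "192.0.2.10": "localhost",              # forged reverse name
    "192.0.2.11": "mx.example.net",         # honest host, forward record agrees
    "192.0.2.12": "attacker.example.com",   # honest host that a policy rejects
}
FAKE_FORWARD = {
    "localhost": ["127.0.0.1", "::1"],      # "localhost" never resolves to 192.0.2.10
    "mx.example.net": ["192.0.2.11"],
    "attacker.example.com": ["192.0.2.12"],
}


def fake_ptr_lookup(ip):
    """Stand-in for a PTR query, answered from the constructed data."""
    return FAKE_PTR.get(ip)


def fake_forward_lookup(name):
    """Stand-in for A/AAAA queries, answered from the constructed data."""
    return FAKE_FORWARD.get(name, [])


def system_ptr_lookup(ip):
    """Real PTR query through the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward_lookup(name):
    """Real A/AAAA query through the system resolver (not used by the offline demo)."""
    try:
        return [entry[4][0] for entry in socket.getaddrinfo(name, None)]
    except socket.gaierror:
        return []


def unvalidated_client_name(ip, ptr_lookup=fake_ptr_lookup):
    """Pre-patch behaviour: hand the raw PTR result to the filter."""
    return ptr_lookup(ip) or f"[{ip}]"


def validated_client_name(ip, ptr_lookup=fake_ptr_lookup,
                          forward_lookup=fake_forward_lookup):
    """Patched behaviour: accept the PTR name only if it forward-resolves back
    to the connecting address; otherwise send the bracketed IP literal."""
    addr = ipaddress.ip_address(ip)
    name = ptr_lookup(ip)
    if not name:
        return f"[{addr}]"
    name = name.rstrip(".").lower()
    for candidate in forward_lookup(name):
        try:
            # strip an IPv6 scope id such as "%eth0" before comparing
            if ipaddress.ip_address(candidate.split("%")[0]) == addr:
                return name
        except ValueError:
            continue  # an unparsable answer is never a reason to trust the name
    return f"[{addr}]"


def host_matches(pattern, client_name):
    """Simplified host matching: exact name, "*.domain" suffix, or "[ip]" literal."""
    pattern, client_name = pattern.lower(), client_name.lower()
    if pattern.startswith("*."):
        return client_name.endswith(pattern[1:])   # "*.example.com" -> ".example.com"
    return pattern == client_name


def policy_for(client_name, policies):
    """Return the action of the first policy whose host pattern matches, else None."""
    for pattern, action in policies:
        if host_matches(pattern, client_name):
            return action
    return None


# Constructed policy table; first match wins (an assumed ordering for the example).
POLICIES = [
    ("localhost", "allow-unlimited"),
    ("*.example.com", "reject"),
    ("*.com", "limit-10-per-minute"),
]

if __name__ == "__main__":
    for ip in FAKE_PTR:
        before = unvalidated_client_name(ip)
        after = validated_client_name(ip)
        print(f"{ip}: unvalidated={before!r} -> {policy_for(before, POLICIES)}; "
              f"validated={after!r} -> {policy_for(after, POLICIES)}")
```

With the constructed data, 192.0.2.10 is reported as "localhost" before the fix and picks up the open "allow-unlimited" policy; after the fix it is reported as "[192.0.2.10]", matches no hostname policy at all, and is left to whatever IP-based rules apply, which is exactly the posture the Workaround section asks you to adopt by hand until the patch is installed. A third-party milter that cannot wait for the MTA patch can apply the same check itself to the name it receives in its connect callback, using the two `system_*` lookups in place of the fake ones.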
Those patches are available to supported customers on their download site
at:

  https://www.sendmail.com/customerlogin/

Unsupported customers can download the patches from:

  ftp://ftp.sendmail.com/unsupported/smswitch-patch-3.1.5-Windows.zip
  ftp://ftp.sendmail.com/unsupported/smswitch-patch-3.1.10-Linux.tar.gz
  ftp://ftp.sendmail.com/unsupported/smswitch-patch-3.1.10-Solaris8.tar.Z
  ftp://ftp.sendmail.com/unsupported/smswitch-patch-3.2.4-Linux.tar.gz
  ftp://ftp.sendmail.com/unsupported/smswitch-patch-3.2.4-Solaris8.tar.Z
  ftp://ftp.sendmail.com/unsupported/SentriOS-1.5.4-905.tar

Refer to the README included with each patch for installation
instructions.

The checksums for the available patches are:

  MD5 (smswitch-patch-3.1.5-Windows.zip) = 5d850d58dae989148f3ab4d778cafa0a
  MD5 (smswitch-patch-3.1.10-Linux.tar.gz) = 5ee85cba36d391e37c8f2a570e9374ed
  MD5 (smswitch-patch-3.1.10-Solaris8.tar.Z) = ce55025738bbaf40c54998c56f70a764
  MD5 (smswitch-patch-3.2.4-Linux.tar.gz) = 0fb1738cae466ca092e9d284cd338d62
  MD5 (smswitch-patch-3.2.4-Solaris8.tar.Z) = 8594be3232d91e9d504b1c3b91c27d73
  MD5 (SentriOS-1.5.4-905.tar) = 20f362750fd58218069984247e6cfac1

VI.  Revision Details

2006-08-16 10:00 PDT: Updated to Switch 3.2.4 patches.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFE61BvEEMlGKD4qgwRAr1bAKDHjFjHn++JnSKuc1L4y3vDSf5kfgCggTa2
cKKNxk68Bw6QeGkfZMqY2P0=
=A1G6
-----END PGP SIGNATURE-----